Context:
In order to further promote transparency and clarity the information which individuals can receive should be clearly explained. The Article 29 Working Party (European Data Protection Board) recommends in particular that the difference between the types of data that an individual can receive using the portability right or the access right be explained.
Considerations:
Think about how most clearly to display these differences. Placing both outputs in your privacy notice will help but be careful to place them in context such that the difference/comparison can be made.
How to:
Clearly describe the information that can be received via the right of access and the right of portability:
Right of Access
- confirmation that their personal data is being processed;
- access to their personal data; and
- other information including, for example, the purposes of processing, the categories of personal data, recipients of the personal data, retention periods and the right to request rectification or erasure and to complain to the ICO.
Right of Portability
- a copy of their personal data in a commonly used and machine-readable format;
- require the data controller to transmit the personal data to another data controller.
References:
- GDPR Recitals: 68, 73
- GDPR Articles 2, 15, 20
- Article 29 Working Party: Guidance on Data Portability
