Q: How do I process a data portability request from a data subject? Can I choose the format I provide their data file in (eg PDF)? Or do I have to provide the format that they request?
A: As a data controller, you need to comply with a “data portability” request made by one of your data subjects – unless you can demonstrate beyond question that the request itself is excessive or unfair.
You must complete the request by providing data in an open and machine-readable format. That means .CSV is acceptable, but .pdf is definitely not.
In fact, even if the data subject asks for a .pdf, you are not permitted to provide one.
The data subject is also allowed to ask you to transfer their data to a third party data controller. You cannot block this type of request without legitimate grounds.
References:
Article 20, GDPR
Recital 68, GDPR
Additional Information:
The new right to data portability requires data controllers supply a data subject with a portable copy of their data. However, there are limitations to this:
You must supply the file in an open and machine-readable format. So .CSV would be acceptable. But .PDF would not be.
In fact, even if the data subject requests a .pdf, you should not provide this: it is not a compliant format.
There are other limitations as to what types of data need to be provided. Not all information is covered by a portability request.
To learn more, contact us or attend one of our live GDPR webinars.