Q: How do I process a data portability request from a data subject? Can I choose the format I provide their data file in (eg PDF)? Or do I have to provide the format that they request?

A: As a data controller, you need to comply with a “data portability” request made by one of your data subjects – unless you can demonstrate beyond question that the request itself is excessive or unfair.

You must complete the request by providing data in an open and machine-readable format. That means .CSV is acceptable, but .pdf is definitely not.

In fact, even if the data subject asks for a .pdf, you are not permitted to provide one.

The data subject is also allowed to ask you to transfer their data to a third party data controller. You cannot block this type of request without legitimate grounds.

References:

Article 20, GDPR
Recital 68, GDPR

Additional Information:

The new right to data portability requires data controllers supply a data subject with a portable copy of their data. However, there are limitations to this:

You must supply the file in an open and machine-readable format. So .CSV would be acceptable. But .PDF would not be.

In fact, even if the data subject requests a .pdf, you should not provide this: it is not a compliant format.

There are other limitations as to what types of data need to be provided. Not all information is covered by a portability request.

To learn more, contact us or attend one of our live GDPR webinars.

Did this answer your question?