Drawing a clear distinction between portability and the right of access under GDPR has proved to be an outstanding and unresolved issue.
In a nutshell, Article 15 GDPR grants data subjects the right to obtain from the controller access to the personal data collected by it and information on the relevant processing, whereas Article 20 GDPR grants data subjects the right to receive their personal data in a structured, commonly used and machine-readable format and to have such data directly transmitted to another controller, where technically feasible. Thus, portability is not only aimed at making the data subjects aware of the processing of their personal data, but rather at enabling them to make economic use of such data, by re-using it or making it available to service providers other than the data controller.
Judgment no. 211 of 25 February 2022 issued by the Court of Monza provides fertile ground for some reflections on the distinction between the right of access and the right to data portability.
Ahead of seeking compensation in Court for damages suffered as a result of defects in the installation of furniture, two consumers (acting as data subjects) requested to the furniture store (as data controller) for both:
- access to their processed personal data under Article 15 GDPR; and
- portability of the recordings of the telephone conversations with the data controller’s call center service, together with the data generated by the workers in charge of the installation of the relevant furniture, under Article 20 GDPR, by providing the relevant data “in a structured format”.
As the data controller did not respond to the request within the 30-day deadline set forth by Article 12(3) GDPR, the data subjects filed a complaint with the Italian Data Protection Authority.
The Italian Data Protection Authority declared the personal data processing carried out by the data controller unlawful, in breach of Articles 12 et seq. GDPR and ordered the data controller to pay a fine. The Italian DPA grounded such sanction only on the breach of the right of access and instead disregarded the data subjects’ request for portability, as such a request “was included in the request pursuant to Article 15 of the GDPR”. The furniture store, as the data controller, challenged the DPA’s decision before the Court of Monza, which upheld the DPA’s decision.
Although neither the DPA, nor the Court of Monza expressly conveyed the legal reasoning behind the assimilation between the portability request and the access request, both decisions are arguably consistent with a purposive interpretation of the portability obligation under Article 20 GDPR.
The Court of Monza assumed that the labelling of the request made by the complaining data subject is not binding on the judge, who may treat it as the exercise of a different right than the one claimed by the data subject. In the present case, the fact that the data subjects referred to their request to be provided "in a structured format" with the recordings of the telephone conversations with the call centre as “portability” was examined by the Court, which considered that the notion of portability did not apply to the request at stake.
Indeed, as clarified above, the objective of the portability obligation is not limited to providing the data subject with "access to the personal data" processed (as set out in Article 15 GDPR), but rather aims at enabling the data subject to re-use those data, either by importing them into another storage system or by having them transferred to a third party. To this end, strict format requirements are imposed on the data to be transferred, such as being structured, commonly used and machine-readable.
The request to provide the recordings of telephone conversations with the call centre in which the data subjects complained about the installation of furniture in order to bring a lawsuit against the furniture store is not genuinely aimed at the economic re-use of the data and therefore – according to the Court of Monza - such a request had to be dissolved into the request for access to personal data under Article 15 GDPR made by the data subjects alongside the improper “portability request”.
Understanding portability is increasingly important as it becomes more regulated, including by the DMA and the Data Act.