As you may already know, the new GDPR (General Data Protection Regulation) will be effective from May 2018, introducing a new framework for everyone who processes EU citizens' personal data.

In this article, we provide a brief overview of Data Portability, one of the most important principles introduced by the new Regulation, and explain why Digital Health businesses need to comply with it.

You can check the other GDPR security and legal requirements in our previous article, "9 key things about GDPR that Health App Developers need to know".

"Data Portability" under GDPR

First things first: a definition.
Data portability is an individual right that a data subject can exercise against a data controller. According to art. 20 GDPR, it consists of two parts.

First: the data subject shall have the right to:

"[...] receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format" (see art. 20 GDPR).

Second: the data subject shall have the right to:

"[...] transmit those data to another controller without hindrance from the controller to which the personal data have been provided", only where "technically feasible" (See art. 20 (1-2) GDPR).

The right to data portability (request of data and request of transmission) applies only if the processing of personal data is based on at least one of the following 3 conditions:

  1. The data subject has given its "consent" to the processing (as defined by art. 6(1) or 9(2) GDPR);
  2. There is a "contract" between the data subject and the data controller (as defined by art. 6(1)(b) GDPR);
  3. The processing is carried out by automated means.

What does this mean in practice?

If you act as a Data Controller, you must permit data subjects to exercise their right of data portability: infringement of GDPR rules may result in big fines from Data Protection Authorities (although it's not defined how much for non-compliance with this particular rule).

The Art. 29 Working Party (a European body tasked with advising the EU institutions on Data Protection matters) has just released its latest opinion on Data Portability.
Businesses can clarify their doubts about data portability by answering some key questions, such as:

  1. What prior information should be provided to the data subject?
  2. How can the data controller identify the data subject before answering his request?
  3. What is the time limit imposed to answer a portability request?
  4. In which cases can a data portability request be rejected or a fee charged?
  5. How must the portable data be provided?
  6. What are the expected means the data controller should implement for data
  7. What is the expected data format?
  8. How to deal with a large or complex personal data collection?
  9. How can portable data be secured?

For example, regarding data transmission, the opinion clarifies that "the data shall be provided or transmitted 'without undue delay' and in any event 'within one month of receipt of the request'", and that "transmission from one data controller to another should occur when communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data".

Regarding data formats, the Opinion also clarifies that "where no formats are in common use for a given industry or given context, data controllers should provide personal data using commonly used open formats (e.g. XML, JSON, CSV,...)".

How helps developers on the Data Portability rule?

At we constantly monitor GDPR updates to ensure compliance in our company and also to help you, the developers and innovators, to ensure compliance on your own when developing digital health applications and services.

Regarding the data portability rule, allows developers to securely store any personal and sensitive data using JSON format (via REST API), which is nowadays the most common format and that is also mentioned by the opinion on data portability.
In addition, the data on is organized around the users' identity, facilitating in such a way the download procedure and deletion of all data of a particular user (which is also mandated by the "right to be forgotten" rule).

More technical articles on this aspect will follow soon, so stay tuned.
