GDPR Requirements
If the data processing is automated based on a consent or a contract, the data subject has the right to obtain personal data concerning him/her in a structured, common and machine-readable format. The data subject may communicate this data to other data processors (Article 20 (1)).
Resulting Challenge
The following challenges can be derived from the four paragraphs of the article (Article 20).
- The requested data must be provided in a structured, common and machine-readable format. Ideally, a selection of common formats should be provided.
- Data query interfaces shall be provided to other responsible persons. These interfaces may only be opened for other responsible persons on behalf of the person concerned.
Technical Solution Approach
A download form with a selection of exchange formats (e.g. XML, CSV or JSON) is available. In addition, it is possible to open the data service in various formats for other data processors. This allows the data to be exchanged automatically on behalf of the data subject. For this purpose, a secure authorization procedure must be used (e.g. SAML, oAuth). For a successful exchange, the documentation of the interface must be provided.
Checklist
- Are the exchange formats used common and documented?
- Does the data service offer interfaces for automatic data exchange with other responsible parties and are these interfaces documented?
- Is the interface equipped with a suitable authorization?