Profiling and Data Portability – Rights – Part 2


Profiling and Data Portability – Rights – Part 2

We continue our series on data subjects’ rights under the GDPR with a post on data portability and profiling, a form of automated decision making. In case you missed it, you can find the first post in the series, discussing access and rectification, here.


Article 22 of the GDPR is dedicated to automated individual decision-making, including profiling. More specifically, it states that:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects… or similarly significant effects.

As with most laws, the prohibition on automated decision-making is stricter in the case of children.

But what exactly is profiling? We can define it as the automated processing of personal data for the purpose of evaluating, analyzing or predicting personal aspects of a natural person.

There are quite a few examples of behavioral profiling. Examples include web cookies, adware, web beacons and even digital fingerprints.

Like with any rule, there are exceptions even to the prohibition to use profiling. For example, when the data subject gives their explicit consent. Even with explicit consent however, the controller has to make sure the right to obtain human intervention is available at any time. Also, the data subject should have the right to express his/her point of view and to contest the decision.

Another exception is provided when the processing is necessary to perform a contract. Examples include evaluating insurance or credit risk. Again, the controller has to provide data subjects with the right to human intervention or to contest the decision. Also, decisions by the EU or member state law that authorize profiling or automated decision-making are another exception to the rule.

Data portability

The right to data portability is described in Article 20 of the GDPR. As such, we see in the first paragraph of the article that:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided […]

Paragraph 2 of the same article goes further to say the data subject has the right to have his data transmitted from one controller to another, where this is technically feasible. However, if the processing of the data is necessary for the performance of a task in the public interest, this right will not apply. Also, data portability shall not affect the rights and freedoms of others.

Article 29 Working Party Guidelines on Data Portability

On 5 April 2017 the Article 29 Working Party (WP29) adopted the final guidelines on data portability under the General Data Protection Regulation. They consider the right to data portability doesn’t only apply to data provided willingly to a controller but also the data generated by his/her activity. You may find yourself wondering what type of data is this and why is it important. The best example is that of data generated by wearable devices like heartbeat or step tracker. Other examples include your search history, traffic or location data.

The European Commission has expressed its disagreement with the WP29 views on data portability. We cannot deny however that WP29’s interpretation greatly benefits data subjects, giving them more power over their personal data. The confusion that exists at the moment around this right places organization at a greater risk of penalties. Like most violations of a data subject right under the GDPR failure to comply with data portability can attract a fine of up to 4% of the worldwide annual turnover or €20 million, whichever is greater.

To wrap up…

By now you probably got the idea that data subjects’ rights are crucial for GDPR compliance. Refusing to be subjected to automated decision-making, including profiling and the right to data portability make no exception. In the next blog posts of the series, we will continue exploring EU citizens’ rights according to the GDPR.

Photo credit:



About the author

Laura Vegh is the Chief Security Officer at, a passwordless security solution. She has a PhD in Systems Engineering, focused on cyber-physical systems security.