Control your data

First Data Portability Platform empowering individuals and businesses to leverage their GDPR rights with ease and collaboration

STATISTICS ABOUT US

Over 38+ requests completed

USERS ONBOARDED

27

PORTABILITY REQUESTS

155

40847

DATA POINTS COLLECTED

OUR SERVICES

Use case examples

Nutrition & Health

Claim your data from supermarkets, food delivery services and restaurant chains. Analyze your actual consumption patterns with a dietitian and receive personalized nutritional advice.

Live

Financial services

Claim your data from insurers, banks and brokers. Analyze your contract terms, fees and claims history with your advisor and receive personalized recommendations.

Coming Soon

Software Migration

Claim your data from current providers such as Spotify, Hotmail, or Strava and transition to a new service provider, ensuring you retain your history and data for a seamless digital experience.

Coming Soon

GDPR working for ALL

Collaborative approach

While advocating for citizens' rights, we encourage a collaborative approach with companies. We acknowledge that some data portability requests can be complex for businesses and always seek to find reasonable solutions.

USER CENTRIC 

Data Portability made simple

Unlocking your data is now easy and seamless. All past data from an account as well as future data can be automatically transferred to the service provider of your choice by Portit.

Are you a business that wants to smooth the onboarding of your clients?

"I was tired of Spotify's algorithms mostly pushing artists where Spotify had to pay fewer royalties. I chose to move my listening history and playlist to another music player where recommendations were unbiased."

John Kinszt

"I just signed a mandate to my broker so he could see the policies I have and come back to me with 7% cheaper alternatives!"

Tim Van Hasselt

"My broker came back to me with a similar and 7% cheaper car insurance and a 1% lower mortgage!"

Kate Declerq

Frequently asked questions

Are GDPR Art. 20 and 17 directly applicable and legally binding?

" Regulations have general application, are binding in their entirety and are directly applicable in all European Union Member States. "

Source: europa.eu

" If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy."


Source: europa.eu cfr: 4.

Is this also applicable in the UK?

The EU GDPR is an EU Regulation and it no longer applies to the UK.

If you operate inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018). The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.

In practice, there is little change to the core data protection principles, rights and obligations.

Source: ico.org.uk

When does the time limit to answer a request start?


"The time period needs to be calculated in accordance with Regulation No 1182/71.

Example: An organisation receives a request on 5 March. The time limit starts from the same day. This gives the organisation until and including 5 April to comply with the request, at the latest. [...]"

Source: europa.eu p48 §158

What is the Right of access?

" The right of access to personal data is one of the data subject rights provided for in Chapter III of the GDPR among other rights, such as for instance the right to [...] erasure, [...] the right to portability[...].

The right of access by the data subject is enshrined both in the Charter of Fundamental Rights of the EU (the Charter) and in Art. 15 GDPR, where it is precisely formulated as the right of access to personal data and to other related information."


Source: europa.eu  p7 §2

What is the time limit to answer the request?

Personal data requested should be handed over without undue delay, without hindrance and within the time limits specified in the GDPR and any associated guidance.

"The request must be fulfilled as soon as possible and in any event within one month of receipt of the request."

Source: europa.eu p4


" The controller shall react and, as a general rule, provide the information under Art. 15 without undue delay, which in other words means that the information should be given as soon as possible. This means that, if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so. "

Source: europa.eu p47 §156


"Article 20(1) of the GDPR provides that data subjects have the right to transmit the data to another controller without hindrance from the controller to which the personal data have been provided. Such hindrance can be characterised as any [...] obstacles placed by data controller in order to refrain or slow down access."

Source: europa.eu p15


In this context, please note that if a business has a webshop, it is (also) "operating as information society services". It is considered to be likely to be better equipped to be able to comply with requests within "a very short time period."

Source: europa.eu p14

What happens with non-compliance?

"Infringements of the following provisions shall [...] be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher [...]"

Source: europa.eu p34 §116

What are europa.eu and ico.org.uk?

The official sources for GDPR guidelines and interpretations are found on europa.eu domains, because this is where all official European Union websites are hosted.

The equivalent for UK GDPR is ico.org.uk.

What is the purpose of data portability (Art. 20)?

"The purpose of [data portability] is to empower the data subject and give him/her more control over the personal data concerning him or her."

Source: europa.eu p3

What is "personal data" and "data provided by the data subject"?


" Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. "

Source: europa.eu


"In general, given the policy objectives of the right to data portability, the term “provided by the data subject” must be interpreted broadly. [...] Thus, the term “provided by” includes personal data that relate to the data subject activity or result from the observation of an individual’s behaviour, but does not include data resulting from subsequent analysis of that behaviour. [...] “Provided by” should also include the personal data that are observed from the activities of users such as raw data processed by a smart meter or other types of connected objects, activity logs, history of website usage or search activities."

Source: europa.eu p9-10

What is metadata? Is it in scope?

Metadata is data about the main data.

The GDPR data portability guidelines clearly specify that metadata is in scope. "[...] data controllers should provide as many metadata with the data as possible at the best level of precision and granularity, to preserve the precise meaning of exchanged information."

[...] " Suitable metadata should be used in order to accurately describe the meaning of exchanged information. This metadata should be enough to make the function and reuse of the data possible but, of course, without revealing trade secrets.

It is unlikely therefore that providing an individual with PDF versions of an email inbox would be sufficiently structured or descriptive to allow the inbox data to be easily reused. Instead, the e-mail data should be provided in a format which preserves all the metadata, to allow the effective re-use of the data. As such, when selecting a data format in which to provide the personal data, the data controller should consider how this format would impact or hinder the individual’s right to re-use the data."

Source: europa.eu p3 and europa.eu p18

Can we send a smaller subset of metadata?

A mutual agreement between the business exporting the data and portit.eu can often be found.

Can you elaborate on what is considered an excessive request?

Official GDPR guidelines clearly mention a data subject " may submit more than one request to a controller. [...] The more often changes occur in the database of the controller, the more often data subjects may be permitted to request access without it being excessive. "

Source: europa.eu p54 §180-182

" When it is possible to provide the information easily by electronic means or by remote access to a secure system, which means that complying with such requests actually doesn’t strain the controller, it is unlikely that subsequent requests can be regarded as excessive. "

Source: europa.eu p54 §184

Can we ask a customer for his ID to verify his identity?

The official GDPR guidelines have a relevant example of the principle of data minimization:

" The user Ms. Y has created an account in the online store, providing her e-mail and username. Subsequently, the account owner asks the controller for information whether it processes their personal data, and if so, asks for access to them within the scope indicated in Art. 15. The controller requests the ID of the person making request to confirm her identity. The controller's action in this case is disproportionate and leads to unnecessary data collection. "

Source: europa.eu p26 §76

A simple confirmation from the email address that the user used to create his account is recommended. Alternatively, if the store prefers, the client can be authenticated with an “itsme” integration.

What is email spoofing and why is it important?

Email spoofing is sending an email that purports to come from an address that is not actually the sender's. In other words, a store may receive an email that seems to have been sent from individual X but was sent by hacker Y.

Forging the "From:" field of an email can easily be done by most hackers. However, if you reply to the spoofed email using the standard "reply" function of your email provider, it can be reasonably assumed the hacker can’t receive it.

So how can a business protect its customers' privacy and confirm the request is really from individual X? Turns out it's super fast and easy!

This can be done by:
- phone (using the phone number provided by the customer when creating the account at your store)
- email (asking for confirmation from the email address individual X used to create the account at your store)
- 2-factor authentication (if this is already in place on your site) or an authentication app like "itsme" if you want to streamline a large number of requests.
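
One way to implement the email confirmation described above, as an added example that is not Portit's own code: the "From:" address is used only to look up an account, and a signed, expiring token is sent to the address on file. The account store, customer id, signing key and 24-hour lifetime are assumptions.

```python
import hashlib, hmac, secrets, time
from email import message_from_string
from email.utils import parseaddr

SECRET = secrets.token_bytes(32)   # signing key for challenges (assumption)
TTL = 24 * 3600                    # challenge lifetime in seconds (assumption)
# Constructed account store: customer id -> address used at account creation.
ACCOUNTS = {"cust-1001": "ms.y@example.com"}

# Constructed inbound mail: From: claims the customer, Reply-To: points elsewhere.
SPOOFED = ("From: Ms Y <ms.y@example.com>\n"
           "Reply-To: someone-else@example.net\n"
           "Subject: Data portability request\n\nPlease send my data.\n")

def claimed_sender(raw_email):
    """Address in From:, lower-cased. A claim by the sender, not proof."""
    msg = message_from_string(raw_email)
    return parseaddr(msg.get("From", ""))[1].lower()

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_challenge(raw_email, now=None):
    """Return (recipient, token) for the confirmation mail, or None."""
    claimed = claimed_sender(raw_email)
    cid = next((c for c, a in ACCOUNTS.items() if a.lower() == claimed), None)
    if cid is None:
        return None                # no account was created with this address
    expires = int(time.time() if now is None else now) + TTL
    payload = f"{cid}.{expires}"
    # Recipient is the address on file; headers of the request are ignored.
    return ACCOUNTS[cid], f"{payload}.{_sign(payload)}"

def confirm(token, now=None):
    """Return the customer id if the token is authentic and unexpired."""
    try:
        cid, expires, mac = token.rsplit(".", 2)
        deadline = int(expires)
    except ValueError:
        return None
    good = hmac.compare_digest(mac.encode(), _sign(f"{cid}.{expires}").encode())
    if not good or (time.time() if now is None else now) > deadline:
        return None
    return cid if cid in ACCOUNTS else None
```

The data export is released only after `confirm` returns the customer id, which requires control of the mailbox on file.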

Can a request be made from a third party or proxy?

"Although the right of access is generally exercised by the data subjects as it pertains to them, it is possible for a third party to make a request on behalf of the data subject. This may apply to, among others, acting through a proxy or legal guardians on behalf of minors, as well as acting through other entities via online portals. In some circumstances, the identity of the person authorised to exercise the right of access as well as authorisation to act on behalf of the data subject may require verification, where it is suitable and proportionate."

Source: europa.eu p27 §80

Can we ask a customer to log in to our own systems to collect his data?

No, that would not meet the condition of sending the data to another controller without hindrance.

See question "How must the data be provided" for more context.

How must the data be provided?

" Article 20(1) of the GDPR provides that data subjects have the right to transmit the data to another controller without hindrance from the controller to which the personal data have been provided.

Such hindrance can be characterized as any legal, technical, or financial obstacles placed by data controller in order to refrain or slow down access, transmission, or reuse by the data subject or by another data controller.

For example, such hindrance could be:
     - fees asked for delivering data
     - lack of interoperability or access to a data format or API or the provided format
     - excessive delay or complexity to retrieve the full dataset
     - deliberate obfuscation of the dataset
     - specific and undue or excessive sectorial standardization or accreditation demands."

Source: europa.eu p15

What is the expected data format?

" The GDPR places requirements on data controllers to provide the personal data requested by the individual in a format, which supports re-use. Specifically, Article 20(1) of the GDPR states that the personal data must be provided “in a structured, commonly used and machine-readable format”.

Recital 68 provides a further clarification that this format should be interoperable."

Source: europa.eu p18

The business exporting the data can transfer it as CSV, XML or JSON, or via an API or webhook. (A webhook is like an API but is more efficient and less costly for all parties involved.)

When the number of requests is lower than 30 per month, we suggest sending the data as .csv files to extracts@portit.eu. (Just call us first so we can whitelist the email address you'll send it from.)

What if I lack technical know-how to answer this request?

If, despite the simplification of the request, technical know-how or time is an issue, Scorlee is happy to help stores where it can, including by helping find qualified additional data engineering resources that will perform the work for free.