0

I know one of the requirements of the GDPR is for data portability requests. On a website I have, user records include their address, contact number, etc., but it also tracks what the user downloads, the pages they visit, and the contact forms they submit.

If Joe Bloggs submits a request for their data, would I need to give them a copy of every single bit of information I have or just the information they signed up with?

Also, one of the requirements is to be able to transmit such data directly from an existing data controller to a new controller without hindrance. How is something like that to work? If the user is on site A and B, should they be able to copy their information from A to B or vice versa?

Markus
    You have two questions: the first one is more a legal one and the second is not very related to security. So both are off-topic, I think. – Patrick Mevzek Apr 26 '18 at 20:57

1 Answer

1

The whole point of GDPR is that the data subject can know what data is collected and what data is processed in order to provide services. So you have to give them all the data you have on the data subject. Why only give them back the data they gave you?

The wording on portability is about using a common data standard and not a proprietary data format that would be impossible to use in any other system. You need to export the data in some commonly parseable standard (XML, CSV, SQL, etc.).

schroeder
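
The export described in this answer, sketched as an added example that is not part of the original answer: it gathers everything stored about one user (profile, downloads, page visits, contact forms) and writes it as JSON and as per-table CSV. The schema, table names and sample rows are hypothetical and constructed for illustration.

```python
import csv, io, json, sqlite3

# Hypothetical schema: every table that holds personal data, mapped to the
# column that links a row to the user. New tracking tables must be added here.
SUBJECT_TABLES = {"users": "id", "downloads": "user_id",
                  "page_views": "user_id", "contact_forms": "user_id"}

def build_sample_db():
    """Constructed sample data in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, address TEXT, phone TEXT);
      CREATE TABLE downloads(user_id INTEGER, file TEXT, at TEXT);
      CREATE TABLE page_views(user_id INTEGER, url TEXT, at TEXT);
      CREATE TABLE contact_forms(user_id INTEGER, message TEXT, at TEXT);
      INSERT INTO users VALUES (1,'Joe Bloggs','1 Example St','555-0100'),(2,'Jane Doe','2 Example Rd','555-0101');
      INSERT INTO downloads VALUES (1,'whitepaper.pdf','2018-04-01T10:00:00Z'),(2,'brochure.pdf','2018-04-02T09:00:00Z');
      INSERT INTO page_views VALUES (1,'/pricing','2018-04-01T09:58:00Z'),(1,'/docs','2018-04-01T09:59:00Z');
      INSERT INTO contact_forms VALUES (1,'Please call me, "urgent"','2018-04-03T12:00:00Z');
    """)
    db.row_factory = sqlite3.Row
    return db

def export_subject(db, user_id):
    """Collect every row tied to user_id from each table in SUBJECT_TABLES."""
    export = {}
    for table, key in SUBJECT_TABLES.items():
        # Table and column names come from the fixed allow-list above, never
        # from request input; the user id is passed as a bound parameter.
        rows = db.execute(f"SELECT * FROM {table} WHERE {key} = ?", (user_id,))
        export[table] = [dict(r) for r in rows]
    return export

def to_json(export):
    return json.dumps(export, indent=2, sort_keys=True)

def to_csv(export):
    """One CSV document per table, each with a header row."""
    out = {}
    for table, rows in export.items():
        buf = io.StringIO()
        if rows:
            w = csv.DictWriter(buf, fieldnames=list(rows[0]))
            w.writeheader()
            w.writerows(rows)
        out[table] = buf.getvalue()
    return out

if __name__ == "__main__":
    print(to_json(export_subject(build_sample_db(), 1)))
```

Filtering every query by the requesting user's id keeps other users' rows out of the export, and the CSV writer handles quoting so free-text fields such as contact form messages survive a round trip.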