GDPR data subject rights are a key issue for Ukrainian companies offering products or services in the EU market or processing personal data of EU citizens. The General Data Protection Regulation (GDPR) obliges companies to provide data subjects with comprehensive control over their data. This often raises questions such as: What specific rights exist? How can the right to information, erasure or data portability be implemented? Who is responsible and what requirements must be met in order to be GDPR-compliant? Ukrainian companies are faced with the task of implementing suitable measures while at the same time complying with EU regulations. Mistakes, especially when dealing with data subject rights, can result in fines or liability risks. This page provides you with a compact and easy-to-understand overview of the most important aspects relating to access, erasure and portability as well as practical tips on how to comply with the GDPR.
Data portability explained simply: your benefits
Many companies underestimate the importance of data subject rights under the GDPR, especially the right to data portability. However, for Ukrainian companies operating in the EU, the correct implementation of these rights is essential. The challenge is to create the technical and organisational conditions so that users can receive their personal data smoothly or transfer it to another provider. At the same time, rights of access and erasure must be reliably taken into account and data protection processes updated. Companies should define clear processes at an early stage in order to respond to requests from data subjects effectively, securely and on time while complying with GDPR standards. This is the only way to minimise the risk of complaints and sanctions and strengthen the trust of European business partners and users in the long term.
General Data Protection Regulation: Legal basis at a glance
The General Data Protection Regulation (GDPR) has strengthened the rights of data subjects within the EU since 2018. One of the most important rights is data portability. It allows users to receive the personal data they have provided to a company in a structured, commonly used and machine-readable format and to transfer it to another provider. This regulation applies in particular if the processing is based on consent or a contract and is automated. Data portability only applies to personal data provided directly by the data subject. This does not include derived, estimated or anonymised data.
The most important regulations at a glance:
- Company scope: Affects all companies that process the personal data of EU citizens – even without an EU location.
- Data scope: Only data provided by the data subject themselves is covered by the right to data portability.
- Transfer: Data controllers must enable secure and technically feasible data transfer.
- Restrictions: The rights of third parties must not be impaired.
Violations of the GDPR, in particular failure to implement data portability, can result in severe fines. Data portability promotes European competition and gives users comprehensive control over their personal data.
Personal data: Solutions for companies
Processing personal data in accordance with the GDPR requires Ukrainian companies to take specific measures, especially when dealing with data subject rights such as data portability, access and erasure. The following steps will support you in the practical implementation:
- Data inventory and system analysis: Check where and to what extent personal data is stored. An up-to-date overview is essential in order to process GDPR requests efficiently and completely.
- Clear process flows: Define internal responsibilities and processes for receiving and processing requests from data subjects. Fast response times (maximum one month) are required by law.
- Technical implementation of data portability: Ensure that personal data can be provided on request in a structured, commonly used and machine-readable format, for example as a CSV or XML file. The transfer to another provider should be secure and technically interoperable.
- Protection of third-party rights: Make sure that the rights and freedoms of other persons are not impaired during data transfer. This often requires careful examination of the requests and, if necessary, partial anonymisation.
- Communication with data subjects: Prepare clear information on the rights of data subjects and data protection processes (e.g. in your privacy policy). Transparent communication promotes trust and minimises queries.
- Cooperation with an EU representative: As a non-EU company, the appointment of an EU representative is mandatory in accordance with Art. 27 GDPR. The representative takes over communication with the supervisory authorities and supports you in complying with the General Data Protection Regulation, in particular in implementing the rights of data subjects.
- Training and regular audits: Train your employees regularly on data protection topics and carry out audits to check compliance with the legal requirements.
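One way to implement the export step above (data scope, machine-readable format, third-party protection and the one-month deadline), as an added example that is not part of this page or any company's system: it assumes each stored field carries a provenance tag and, where relevant, a list of keys that identify another person (both assumptions), keeps only subject-provided data, writes CSV and computes the response deadline.

```python
import calendar
import csv
import io
import json
from datetime import date

# Provenance tags (assumed for this example) recorded per stored field.
PROVIDED, DERIVED, ANONYMISED = "provided", "derived", "anonymised"

# Constructed sample records for one data subject; not real data.
SAMPLE_RECORDS = [
    {"field": "name", "value": {"name": "Olena K."}, "provenance": PROVIDED},
    {"field": "email", "value": {"email": "olena@example.invalid"}, "provenance": PROVIDED},
    {"field": "message", "provenance": PROVIDED,
     "value": {"text": "see attached invoice", "recipient_email": "petro@example.invalid"},
     "third_party_keys": ["recipient_email"]},  # identifies another person
    {"field": "churn_score", "value": {"score": 0.82}, "provenance": DERIVED},
    {"field": "cohort_size", "value": {"n": 42}, "provenance": ANONYMISED},
]


def select_portable(records):
    """Keep only subject-provided data; strip keys that identify third parties."""
    rows = []
    for rec in records:
        if rec["provenance"] != PROVIDED:
            continue  # derived profiles and anonymised data are out of scope
        redacted = rec.get("third_party_keys", [])
        value = {k: v for k, v in rec["value"].items() if k not in redacted}
        rows.append({"field": rec["field"], "value": json.dumps(value, sort_keys=True),
                     "redacted": ";".join(redacted)})
    return rows


def to_csv(rows):
    """Serialise the export as CSV (structured, commonly used, machine-readable)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["field", "value", "redacted"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def response_deadline(received_iso):
    """ISO date on which the one-month response window closes (clamped to month end)."""
    received = date.fromisoformat(received_iso)
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()
```

The "redacted" column records which keys were withheld so the data subject can see that a third-party detail, not their own data, was removed.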
Practical example
A Ukrainian IT company offers software for healthcare providers in Germany. A user requests the transfer of her personal health data to another service provider. The company provides her with the data within four weeks in a standard data format and carefully documents the process. The support of a professional EU representative ensures compliance with the GDPR and strengthens trust in the target market.
Conclusion
Correct, technical implementation of data portability and systematic handling of data subject rights are key prerequisites for acting in compliance with the GDPR and avoiding liability risks. The early integration of efficient data protection processes helps companies to fulfil both the requirements of the General Data Protection Regulation and the expectations of European business partners and users.
Summary
The rights of data subjects under the GDPR – information, erasure and data portability – pose a particular challenge for companies without an EU location. A structured approach and cooperation with an EU representative help to ensure compliance with all the requirements of the General Data Protection Regulation. Ukrainian companies benefit from clear processes, transparent communication and technical solutions to provide, transfer or delete personal data in accordance with the GDPR. We are happy to support you in implementing suitable data protection measures and accompany you on your path to EU-compliant data protection.
The right to data portability is a central data subject right under the General Data Protection Regulation (GDPR). It enables data subjects to receive their personal data that they have provided to a company in a structured, commonly used, and machine-readable format. They can also request that the data be transferred directly to another controller. The goal is to strengthen users’ control over their data and enable easy switching between service providers.
Data portability is regulated in the General Data Protection Regulation, specifically in Article 20 GDPR. This right supplements and specifies data subject rights in European data protection law. The right exists whenever the processing of personal data is automated and is based either on consent or a contract. This is complemented by the general principles of the GDPR, such as lawfulness, transparency, and security in data transfer.
The conditions are that data processing has been automated and is based on the consent of the data subject or a contract. The right applies exclusively to personal data that the data subject has provided directly to the controller. Data transfer is excluded if it could impair the rights and freedoms of third parties. Only then can the right to data portability be fully exercised.
Only personal data that the data subject has “provided” to the controller is transferred. This includes information such as name, address, username, but also data from the use of services, such as transaction or communication data, provided it was actively made available by the user. Data derived from analysis, generated data, or anonymized data is not covered.
Excluded from the right to data portability is personal data created by the controller through its own evaluations or analyses (e.g., user profiles, ratings). Also excluded is anonymized data that no longer has a personal reference, as well as data that is absolutely necessary to safeguard the rights and freedoms of third parties. Only data provided by the individual falls under this right.
The data must be provided in a structured, commonly used, and machine-readable format, such as CSV or XML files. Companies subject to the General Data Protection Regulation are required to enable interoperability between systems, insofar as this is technically feasible. Additionally, appropriate technical and organizational measures for data protection and data security must be taken during data transfer.
The right to data portability gives data subjects the ability to directly transfer or have transferred their personal data. In contrast, the right of access merely allows inspection of stored data, and the right to erasure requires deletion of the data. Data portability therefore requires a transfer mechanism and serves competition as well as user autonomy.
Data subjects can exercise their right to data portability directly with the controller, for example by email or via the provided contact form, specifying which personal data should be transferred and where. The company must respond within one month and provide the data in the specified format or transfer it to a third party, provided there are no legal objections.
Data transfer is not permissible if it would impair the rights and freedoms of other persons. Particular attention must be paid to trade secrets as well as data protection and confidentiality of third parties. The right to data portability must not result in the violation of legitimate interests of companies or third parties. These protective mechanisms are expressly provided for in the GDPR.
Violations of the right to data portability can be penalized with significant fines under the GDPR. Depending on the severity of the violation, fines of up to 20 million euros or 4% of worldwide annual turnover are possible. Additionally, reputational damage and loss of customer and business partner trust may occur. Responsible handling of personal data is therefore essential.