Share
Written By :
Law 25 on the protection of personal information has just been enhanced with the right to data portability. Is your organization in compliance?
Starting September 22, 2024, both private enterprises and organizations and public bodies must comply with the new provisions of Law 25 concerning the right to the portability of personal information kept in a computerized form, which are meant to give consumers more control over their personal data.
Private enterprises and organizations must implement procedures so they can respond to a person’s access request within 30 days and in a technological format that meets the legal requirements.
What is data portability?
The right to data portability represents a change in the right to access personal information. It allows a person to request the release of their personal computerized information in a structured and commonly used format, either directly to them or to another organization of their choosing.
In practice, this right will facilitate consumer mobility by making it easier to change service providers without worrying about losing their interaction history or needing to reconfigure their profile.
What type of information is affected?
Please note that only personal information collected in computerized form directly from the individual concerned can be subject to a portability request.
This does not include any information created or inferred from information collected by the organization.
Please note that the applicable laws set limits and exceptions to the information affected by such requests, notably in cases where transferring data could raise serious practical issues for the organization.
In what form should the information be transferred?
You must respect certain procedures when transferring data:
- In a written and intelligible format: The information must be presented in a clear and intelligible manner, so that a human can read and understand it without needing to decode it or use a specific software. The chosen format cannot contain encrypted or coded information, nor can the information be presented in a form requiring computer processing to be understood.
- In a structured and commonly used technological format: The chosen format must allow for a smooth transfer of information between different computer systems. It is therefore recommended that you use an open format, such as CSV, XML or JSON, to facilitate portability. Conversely, formats which are complex to process, such as images, PDFs or those needing specific software or licences are not considered as structured and commonly used formats.
What are the implications for businesses?
As mentioned previously, to comply with Law 25, organizations must implement procedures so that they can adequately respond to portability requests within 30 days.
How can you prepare for this change?
- Information audit: Conduct an exhaustive inventory of the information you have, so that you can identify the elements that could potentially be subject to portability requests.
- Clear processes: Put in place internal procedures to efficiently meet the required legal time frame for portability requests.
- Training your personnel: Make sure that your employees understand both the implications of Law 25 and the procedures that must be followed upon receiving a portability request.
- Adapting your systems: Adapt your organization’s computer systems to enable the extraction and transfer of information in one of the required formats. If your organization is planning to change its information or electronic delivery systems, it must ensure that the project allows for the disclosure of personal information collected from individuals in a structured and commonly used format, should they request it.
Ensuring that organizations comply with Law 25 and implementing an efficient data portability system can create challenges. Our legal team specializing in data governance and protection of personal information is always available to offer you support and guidance throughout the process.