The right to data portability under GDPR Article 20 allows individuals to obtain personal data they have provided to data controllers in a structured, commonly used and machine-readable format, and to transmit that data between different services without hindrance. Honouring this data subject right requires technical infrastructure and compliance procedures that businesses need to be aware of.
This guide addresses the legal frameworks, technical requirements, and practical implementation challenges that organisations face when responding to data portability requests from EU citizens and other data subjects within the European Union’s jurisdiction.
• Data portability applies only to automated processing based on consent or contract, covering data provided by data subjects but excluding inferred or derived data generated by controllers.
• Organisations must provide personal data in structured, commonly used, and machine-readable formats such as CSV, JSON, or XML within one month of receiving a valid request.
• Technical feasibility requirements mean controllers should facilitate direct data transmission between services while implementing appropriate security considerations to protect user privacy.
Data portability is the ability of data subjects to receive their personal data from one controller and reuse it with other services or platforms. This right allows individuals to easily transfer information they have provided to organisations, promoting competition in the digital economy while reducing vendor lock-in effects that traditionally limited consumer choice.
The concept empowers users to maintain control over their personal data across different platforms, supporting interoperability between systems and services. Data portability facilitates consumer protection by ensuring individuals can access their information in formats that software applications can process automatically.
The right to data portability differs significantly from subject access rights under Article 15, though both involve providing personal data to individuals.
Data portability enables explicit reuse of data, requiring structured formats that other systems can process without human intervention. While access requests may include inferred data and processing explanations, portability covers only data provided by data subjects in a machine-readable format suitable for automated processing.
Data portability complements other data subject rights, including rectification, erasure, and the right to withdraw consent. When individuals exercise their portability rights, they do not automatically trigger erasure from the original controller; these remain separate processes that data subjects must request independently.
Because it applies to processing based on consent pursuant to Article 6(1)(a) or contract in accordance with Article 6(1)(b), data portability supports data protection by design principles by requiring organisations to implement technical measures that allow data movement between different services from the outset.
The legal framework for data portability stems from GDPR Article 20 and the European Data Protection Board’s supporting guidance, which establishes specific conditions for when organisations must respond to portability requests and what personal data they must provide.
Data portability applies when processing is based on consent pursuant to Article 6(1)(a) or contract in accordance with Article 6(1)(b), and when personal data processing occurs by automated means. Organisations processing sensitive data for legal obligations or public-interest tasks are not required to provide data portability for those specific processing activities.
The right must not adversely affect the rights and freedoms of others, meaning controllers should assess whether transmitting personal data would compromise third-party privacy or security. Technical feasibility considerations allow organisations to document legitimate limitations while still facilitating data transmission where possible.
Personal data subject to portability includes information directly provided by data subjects, such as account details, preferences, and uploaded content. The scope also includes observed data generated through user interactions with systems, including location histories, search queries, and automatically recorded behavioural patterns.
Controllers must exclude inferred or derived data created through analysis, profiling, or algorithmic processing of the original information provided by data subjects. Raw data generated by users through device interactions qualifies for portability, whereas predictive scores or recommendations created by organisations do not.
Structured format requirements ensure that personal data can be easily organised and accessed by both human users and software applications. Data must be presented in commonly used formats that are widely recognised and supported across platforms and systems.
Machine-readable capability means that receiving systems can process the transmitted data automatically without requiring manual intervention or format conversion. Organisations should prioritise selecting an interoperable format that facilitates seamless data exchange while maintaining data integrity and security throughout transmission.
Organisations must establish systematic procedures for handling data portability requests that ensure compliance with a 1-month response time while maintaining appropriate security throughout the process.
When to use this: Responding to individual data portability requests under GDPR Article 20 from data subjects seeking to transmit personal data to other services or obtain their information for reuse.
1. Verify Identity and Request Scope: Confirm the requesting individual’s identity using established authentication methods, and clarify which personal data and processing activities fall within the scope of the portability request.
2. Assess Legal Conditions: Evaluate whether processing is based on consent or contract and whether automated means are involved, documenting any limitations where data portability rights do not apply.
3. Extract Relevant Data: Identify and retrieve personal data provided by the data subject from relevant systems, excluding inferred data, while ensuring exhaustive coverage of portable information.
4. Format Data Appropriately: Convert personal data into a structured, commonly used, and machine-readable format, such as CSV for simple datasets, JSON for complex nested data, or XML for enterprise systems requiring metadata.
5. Transmit Securely: Deliver formatted data to the data subject or to another controller, if technically feasible, while implementing encryption and secure authentication to protect personal data during transmission.
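The following Python sketch is an added example, not code from any particular product. It covers steps 2 to 4: it keeps only provided and observed data processed by automated means under consent or contract, records why every other field was left out, and emits JSON with a SHA-256 digest the recipient can use to check integrity. The record layout (`origin`, `basis`, `automated`), the sample values and the calendar-month deadline rule are assumptions made for illustration; encryption for step 5 is not shown.

```python
import calendar
import hashlib
import json
from datetime import date

PORTABLE_ORIGINS = {"provided", "observed"}   # inferred/derived data is out of scope
PORTABLE_BASES = {"consent", "contract"}      # Art. 6(1)(a) and 6(1)(b)

def respond_by(received):
    """One calendar month after receipt, clamped to the month's last day (assumed rule)."""
    year, month = (received.year + 1, 1) if received.month == 12 else (received.year, received.month + 1)
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))

def build_export(subject_id, records, received):
    """Return (json_text, sha256_hex, excluded) for one portability request."""
    data, excluded = [], []
    for rec in records:
        if rec["subject_id"] != subject_id:
            continue  # never include another person's records
        if rec["origin"] not in PORTABLE_ORIGINS:
            reason = "inferred or derived data"
        elif rec["basis"] not in PORTABLE_BASES:
            reason = "processing not based on consent or contract"
        elif not rec["automated"]:
            reason = "not processed by automated means"
        else:
            data.append({"field": rec["field"], "value": rec["value"], "origin": rec["origin"]})
            continue
        excluded.append({"field": rec["field"], "reason": reason})  # documented limitation
    package = {"subject_id": subject_id, "respond_by": respond_by(received).isoformat(), "data": data}
    text = json.dumps(package, sort_keys=True, indent=2, ensure_ascii=False)
    return text, hashlib.sha256(text.encode("utf-8")).hexdigest(), excluded

# Constructed sample records (not real data); field names are hypothetical.
SAMPLE = [
    {"subject_id": "u1", "field": "email", "value": "a@example.org", "origin": "provided", "basis": "contract", "automated": True},
    {"subject_id": "u1", "field": "search_history", "value": ["vpn", "2fa"], "origin": "observed", "basis": "consent", "automated": True},
    {"subject_id": "u1", "field": "churn_score", "value": 0.82, "origin": "inferred", "basis": "consent", "automated": True},
    {"subject_id": "u1", "field": "tax_id", "value": "X-000", "origin": "provided", "basis": "legal_obligation", "automated": True},
    {"subject_id": "u2", "field": "email", "value": "b@example.org", "origin": "provided", "basis": "contract", "automated": True},
]

if __name__ == "__main__":
    text, digest, excluded = build_export("u1", SAMPLE, date(2024, 1, 31))
    print(text, digest, excluded, sep="\n")
```

The `excluded` list doubles as the documentation of limitations that step 2 asks for, and the digest should travel over a separate channel from the export itself.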
| Feature | CSV | JSON | XML |
|---|---|---|---|
| Ease of Use | Simple tabular structure, widely supported by spreadsheet software | Modern web standard with intuitive key-value pairs | Complex hierarchical structure requiring technical expertise |
| Technical Compatibility | Universal support across platforms and applications | High compatibility with web services and APIs | Strong enterprise system integration and metadata support |
| Data Complexity Support | Limited to flat, tabular data structures | Supports nested objects and complex relationships | Handles highly structured data with extensive validation capabilities |
| Industry Adoption | Ubiquitous for basic data exchange and analysis | Preferred for modern web applications and mobile services | Standard for enterprise document management and data interchange |
Organisations should select CSV for straightforward tabular data that users can easily view and analyse, JSON for complex user-generated content that requires preservation of relationships, and XML for enterprise environments where strict data validation and extensive metadata are essential.
Data portability represents both a fundamental legal obligation under the General Data Protection Regulation and an opportunity for organisations to demonstrate commitment to user privacy and data protection in the digital space. Effective implementation requires coordinated technical infrastructure, clear compliance procedures, and ongoing investment in systems that enable secure data transmission across services and platforms.
Organisations that proactively enable data portability position themselves advantageously in markets where consumers increasingly value data control and the ability to transfer information between competing services easily. This strategic approach to compliance transforms regulatory requirements into a source of competitive differentiation by improving user trust and platform interoperability.
Q: Does data portability apply to all personal data an organisation holds about an individual?
A: No, data portability applies only to personal data provided by the data subject through direct input or observed interactions with automated systems. Organisations must exclude inferred data generated through profiling, analysis, or algorithmic processing when responding to portability requests.
Q: Can organisations charge fees for providing data in portable formats?
A: Organisations cannot charge fees for initial data portability requests. However, controllers may impose reasonable administrative fees for additional copies or excessive requests that place undue burden on processing resources, provided these charges are transparent and proportionate.
Q: What happens if technical feasibility prevents direct data transmission between controllers?
A: When technical feasibility limitations prevent direct transmission, organisations must provide personal data to the data subject in a structured, commonly used and machine-readable format, allowing individuals to manually transfer their information to other services while documenting the specific technical constraints encountered.