Data Portability

Data portability is the data subject's right to receive their personal data in a structured, machine-readable format and to transfer it to another service provider. The right follows from GDPR Article 20 and strengthens individual control over personal data.

Back to Dictionary

What is data portability?

Data portability is one of the rights the GDPR grants to the data subject. The right is set out in Article 20 and contains two elements:

The right to receive their personal data in a structured, commonly used and machine-readable format
The right to transfer that data to another data controller without hindrance

The purpose is to strengthen individual control over personal data and promote competition between service providers. If you are dissatisfied with your current provider, you should be able to take your data with you and switch.

The right applies only to data the data subject has provided themselves. This includes actively provided data (e.g. name and email in a form) and observed data (e.g. usage history), but not data that the data controller has created or derived.

When does the right apply?

The right to data portability applies only when two conditions are met simultaneously:

The legal basis is consent or contract: The right does not apply when processing is based on legitimate interest, legal obligation or other grounds in Article 6.
The processing is carried out by automated means: The right does not apply to manually processed data, such as paper archives.

This means in practice that the right is most relevant for digital services where the user has created an account and provided data as part of a contract or based on consent.

You must respond to a portability request within one month. In complex cases, the deadline may be extended by two months, but you must inform the data subject of the delay within the first month.

Data portability in practice

When a data subject requests portability, you must deliver the data in a format that is easy to reuse. The GDPR does not specify a particular format, but common choices are CSV, JSON or XML.

If technically feasible, the data subject may also ask you to transfer data directly to another data controller. You are not obliged to build compatible systems, but you must not create technical barriers that hinder the transfer.

Practical steps for handling portability requests:

Establish a procedure for receiving and processing requests
Ensure your systems can export data in a machine-readable format
Verify the identity of the requester (you must not disclose data to the wrong person)
Document requests and responses in your record

Bear in mind that data portability does not automatically delete data from your systems. If the data subject also wants data deleted, they must submit a separate request for the right to erasure.

Difference between data portability and the right of access

Data portability and the right of access resemble each other, but there are important differences:

Right of access (Article 15) gives the right to see all personal data, regardless of the legal basis. The format is human-readable.
Data portability (Article 20) applies only to consent- or contract-based automated processing. The format is machine-readable, designed for reuse.

The right of access is broader in scope (all legal bases), whilst data portability is more specific but provides a more usable output for transfer.

Frequently Asked Questions about Data Portability

What is data portability?

Data portability is the right to receive your personal data in a structured, commonly used and machine-readable format and to transfer it to another data controller. The right follows from GDPR Article 20 and applies when processing is based on consent or contract and is carried out by automated means.

When does the right to data portability apply?

The right applies when two conditions are met: the processing is based on consent or a contract, and the processing is carried out by automated means (i.e. not manually). The right does not apply to data processed under legitimate interest or legal obligation.

What data is covered by data portability?

The right covers personal data that the data subject has provided to the data controller. This includes actively provided data (e.g. form submissions) and observed data (e.g. usage history), but not derived data or analyses created by the data controller.

In what format must data be delivered?

The GDPR requires a structured, commonly used and machine-readable format. This can be CSV, JSON or XML, for example. There is no requirement for a specific format, but it must be easy to reuse in other systems.