Data Portability (Data Act)

Data portability under the Data Act gives you the right to move data from connected products and cloud services to alternative providers. The purpose is to break vendor lock-in and ensure that you always have control over your data.

Back to Dictionary

What is data portability under the Data Act?

Data portability under the Data Act is the right to move data from a connected product, a cloud service or another data processing service to an alternative provider. The aim is to ensure that you are not locked in with a particular supplier because your data are trapped in their systems.

The Data Act expands the concept of portability in two ways. Firstly, it covers data from connected products (IoT devices, smart machines, sensors). Secondly, it places concrete requirements on cloud providers to support cloud switching without unreasonable barriers.

Portability is a prerequisite for genuine competition. If you cannot move your data, you do not truly have freedom of choice. The Data Act makes portability a right supported by technical requirements and deadlines.

Data Act vs. GDPR portability

You are probably already familiar with the right to data portability from GDPR (Article 20). The two regulatory frameworks cover different things:

GDPR Article 20: Applies only to personal data. You may request the data controller to provide your data in a structured, machine-readable format. In practice, the right has proved limited because there are no interoperability requirements.
Data Act: Applies to both personal and non-personal data from connected products and cloud services. Places concrete requirements on interoperability, prohibits unreasonable switching fees and sets deadlines for switching.

The Data Act resolves several of the problems that GDPR portability never truly addressed. The right to receive data in a machine-readable format is only useful if you can actually use the data in a new system. The Data Act therefore requires formats to support interoperability and for the provider to actively facilitate the switch.

Cloud portability and provider switching

The Data Act places strict requirements on cloud providers to ensure genuine portability. The rules apply to IaaS, PaaS, SaaS and edge computing services.

**Switching fees.** Cloud providers must gradually reduce switching fees, and from 2027 they are completely prohibited. This applies regardless of the contract duration or data volume.

**Deadlines.** A cloud switch must not take longer than 30 days. The provider must actively support the process and ensure that your data and applications can be migrated within this period.

**Functional equivalence.** The provider must offer sufficient functional equivalence so that your data and applications work with the new provider. This does not mean the services must be identical, but that the core functions can be continued.

Technical requirements and formats

Data portability under the Data Act requires concrete technical preparation:

Standardised formats: Data must be delivered in open, machine-readable formats. The European Commission may adopt harmonised standards specifying precise format requirements.
APIs: Data holders and cloud providers must offer technical interfaces (APIs) that enable data to be exported and imported programmatically.
Security: Data must be protected throughout the transfer process with appropriate measures, including encryption in transit and access control to ensure only authorised parties gain access.
Documentation: The provider must document data formats, API specifications and data export procedures so the customer can plan their switch.

A well-functioning ISMS gives you a strong foundation for managing the security aspects of data portability. It ensures that data are systematically protected whether they are being moved between systems or shared with new parties.

Portability is not just about law. It is about technical maturity. Organisations that invest early in open standards and well-documented APIs will find it easier to comply with the Data Act whilst simultaneously creating a better experience for their customers.

Frequently Asked Questions about Data Portability (Data Act)

What is data portability under the Data Act?

Data portability under the Data Act is the right to move data from connected products and cloud services to alternative providers. This applies to both data generated by IoT devices and data stored with cloud, edge and SaaS providers.

What is the difference between data portability under the Data Act and GDPR?

GDPR data portability (Article 20) covers only personal data and gives you the right to receive your data in a machine-readable format. The Data Act goes further and also covers non-personal data, requires interoperability between services and regulates cloud switching with concrete deadlines and fee prohibitions.

What requirements does the Data Act place on data formats?

The Data Act requires data to be made available in standardised, machine-readable and interoperable formats. The aim is that the recipient can genuinely use the data without depending on the original provider's proprietary systems.

Can my cloud provider charge a fee for data portability?

The Data Act requires switching fees to be phased out. From 2027, cloud providers may no longer charge switching fees. During the transitional period, fees must be gradually reduced and be proportionate to actual costs.

How long may a cloud switch take?

Under the Data Act, the technical transitional period for a cloud switch must not exceed 30 days. The provider must actively support the process and ensure that data and applications can be moved within this timeframe.