Abstract
The General Data Protection Regulation (GDPR) strengthens individual control over personal data, and EU GDPR Article 20 – Right to Data Portability plays a key role in achieving this goal. This right allows data subjects to receive their personal data in a structured, commonly used, and machine-readable format and to transfer that data to another controller without hindrance. By enabling smoother data movement between service providers, Article 20 promotes transparency, user empowerment, and fair competition. This article explains the scope, conditions, practical application, and technical requirements of the right to data portability, along with real-world use cases and supporting tools.

Explanation
Article 20 of the GDPR grants individuals the right to obtain and reuse their personal data across different services. In simple terms, a data subject can ask a controller to provide their personal data or transfer it directly to another controller where technically feasible.
This right applies only when:
- The processing is based on consent or a contract, and
- The processing is carried out by automated means.
The data covered includes information provided by the data subject, such as account details, uploaded files, preferences, and activity logs generated through the use of a service. However, it does not include data derived or inferred by the controller, such as internal analytics or profiles created by the organisation.
The core purpose of Article 20 is to prevent vendor lock-in, encourage innovation, and allow individuals to switch service providers without losing their data history.
Key Points
- User empowerment: Individuals have greater control over how their data moves between services.
- Machine-readable format: Data must be provided in formats such as JSON, CSV, or XML.
- Direct transfer option: Where feasible, data can be transferred directly from one controller to another.
- Limited scope: Applies only to data provided by the user and processed automatically.
- No adverse impact: Exercising this right must not negatively affect the rights and freedoms of others.
- Free of charge: Controllers must generally comply without charging a fee.
These principles ensure that portability remains practical, secure, and respectful of third-party rights.
General Activation Steps
To exercise the right to data portability, a data subject typically follows these steps:
- Submit a request: The individual submits a request to the controller, clearly stating that they are invoking their right under Article 20 GDPR.
- Identity verification: The controller verifies the identity of the requester to prevent unauthorised data disclosure.
- Data assessment: The controller determines whether the request meets the Article 20 conditions: processing by automated means and a lawful basis of consent or contract.
- Data preparation: Relevant personal data is extracted and converted into a structured, commonly used, and machine-readable format.
- Data delivery or transfer: The data is provided directly to the data subject or transferred to another controller, if technically feasible.
- Timely response: The controller must respond within one month, with possible extensions for complex requests.
Use Cases
The right to data portability has many practical applications across industries:
- Telecommunications: A user switches mobile providers and transfers call history, contacts, and account details.
- Banking and FinTech: Customers move transaction histories and account data to a new financial service or budgeting app.
- Healthcare platforms: Patients request digital health records to share with another healthcare provider.
- Streaming services: Users export playlists, viewing history, or preferences to a competing platform.
- Cloud and SaaS services: Businesses migrate user data between software vendors without disruption.
These use cases highlight how data portability enhances freedom of choice and market competition.
Dependencies
Article 20 does not operate in isolation and relies on several GDPR principles and articles:
- Article 6 (Lawfulness of processing): Data portability applies only when processing is based on consent or contract.
- Article 12 (Transparent communication): Controllers must clearly explain how users can exercise this right.
- Article 15 (Right of access): Access rights often overlap with portability requests.
- Article 32 (Security of processing): Secure data transfer methods must be in place.
- Article 5 (Data protection principles): Accuracy, integrity, and confidentiality remain essential during transfers.
Without these foundational elements, implementing data portability effectively would be impossible.
Tools and Technologies
Organisations rely on various tools to support GDPR-compliant data portability:
- Data Export Tools: Enable structured extraction of user data in formats like CSV or JSON.
- API Integrations: Allow secure and automated data transfers between controllers.
- Identity & Access Management (IAM): Ensures only authorised individuals can request and receive data.
- Encryption Technologies: Protect data during transmission and storage.
- Consent Management Platforms: Track lawful bases for processing and portability eligibility.
- Compliance Management Software: Documents requests, timelines, and responses for audit purposes.
These technologies help controllers meet Article 20 obligations efficiently and securely.
Let’s Wrap
EU GDPR Article 20 – Right to Data Portability is a powerful mechanism that shifts control of personal data back to individuals. By allowing users to obtain and transfer their data easily, the regulation promotes transparency, competition, and innovation while reducing dependency on single service providers.
For organisations, compliance with Article 20 requires clear processes, technical readiness, and secure data handling practices. When implemented correctly, data portability is not just a legal obligation; it becomes a trust-building feature that enhances customer confidence and long-term engagement.
In an increasingly data-driven digital economy, the right to data portability ensures that personal data remains a resource controlled by the individual, not a barrier to freedom of choice.
For further reading:
- EU GDPR – Article 19 (Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing)
- EU GDPR – Article 18 (Right to Restriction of Processing)
- EU GDPR – Article 17 (Right to Be Forgotten)
- EU GDPR – Article 16 (Right to Rectification)
- EU GDPR – Article 15 (Right of Access by the Data Subject)
- EU GDPR – Article 14 (Information to Provide When Personal Data Is Not Obtained from the Data Subject)
- EU GDPR – Article 13 (Information to Be Provided Where Personal Data Are Collected From the Data Subject)
- EU GDPR – Article 12 (Transparent Information, Communication, and Modalities for Exercising Data Subject Rights)
- EU GDPR – Article 11 (Processing Which Does Not Require Identification)
- EU GDPR – Article 10 (Processing Personal Data Related to Criminal Convictions and Offenses)
- EU GDPR – Article 9 (Processing Special Categories of Personal Data)
- EU GDPR – Article 8 (Conditions Applicable to Child’s Consent in Information Society Services)
- EU GDPR – Article 7 (Conditions for Consent)
- EU GDPR – Article 6 (Lawfulness of Processing)
- EU GDPR – Article 5 (Principles Relating to Processing of Personal Data)
- EU GDPR – Article 4 (Definitions)
- EU GDPR – Article 3 (Territorial Scope)
