Skip to main content
Data Protection / GDPR

Right to data portability

The right to data portability under Art. 20 GDPR allows data subjects to receive the data they have provided in a structured, commonly used and machine-readable format and to transmit it to another controller.

The right to data portability (Art. 20 GDPR) enables data subjects to receive the personal data concerning them that they have provided to a controller in a structured, commonly used and machine-readable format. They may pass this data on to another controller without hindrance. The right strengthens individual self-determination and is also intended to make switching between service providers easier and to prevent lock-in effects.

Its scope is narrower than that of the right of access: it applies only where processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a) GDPR) or on a contract (Art. 6(1)(b) GDPR) and is additionally carried out by automated means. Only data that the data subject has actively provided or generated through their use of the service is covered. Data derived or created by the controller, such as scores or analytics results, is not included.

Where technically feasible, the data subject also has the right to have the data transmitted directly from one controller to another (Art. 20(2) GDPR). However, there is no obligation to create technically compatible systems. Exercising the right must not adversely affect the rights and freedoms of others and is without prejudice to the right to erasure. Controllers must generally comply free of charge and within one month of receiving the request.

Legal Basis

Art. 20 GDPR; Recital 68; Art. 12 GDPR (modalities and time limits)

Practical Example

A customer of an online accounting service wants to switch to a competitor and requests the release of their master data, receipts and transaction history. The data protection officer confirms that processing is based on the service contract and carried out by automated means, and provides the customer-supplied data as a structured CSV and JSON export. Because the competitor offers an open interface, direct transmission is additionally assessed and the export is made available free of charge within one month.

FAQ

Only personal data that the data subject has provided themselves and that is processed by automated means on the basis of consent or a contract is covered. Data derived or generated by the controller, such as analytics results or credit scores, is excluded.
The data must be provided in a structured, commonly used and machine-readable format such as CSV, XML or JSON. A plain PDF or an image scan is usually not sufficient, because such formats make automated further processing difficult.
The right of access aims at transparency and covers all processed data together with accompanying information. Data portability is narrower, covers only provided and automatically processed data, and serves to pass it on in a machine-readable format, where appropriate as a direct transmission to another controller.

How preeco supports you

Learn how our software supports you with this topic.

Learn more

Related Terms

Data Subject Rights Right of access Consent Personal Data Legal basis
Back to Glossary