Right to data portability

The right to data portability is a novelty introduced in Article 20 of the GDPR. It gives data subjects the right to ask for personal data they have previously provided to the data controller and to receive it in a structured, commonly used and machine-readable format.

The data subject also has a right to ask for their data to be transmitted to another data controller.

A data controller needs to provide data subjects with their data or transfer the data directly to the recipient of the data subject’s choice, at their request.

The GDPR does not further explain what a structured, commonly used and machine-readable format is, which complicates organizations’ efforts to update their IT systems and procedures to be compliant.

However, Recital 68 of the GDPR explains:

(68) To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller.
Data controllers should be encouraged to develop interoperable formats that enable data portability.

This may help certain companies to attract customers who were reluctant to open new accounts in the past, due to complications with the transfer of their data.

The data subject can exercise this right only if the processing is based on consent or is for the performance of a contract, or if the processing is done by automated means. Recital 68 further explains:

Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract.