The right to data portability allows individuals (data subjects) to ask for their personal data that they have provided previously to the Organization (data controller) and to receive it in a structured, commonly used and machine-readable format.
This right allows individuals to transfer their data for their own purposes across different services.
The organization can send data directly to an individual or transfer the data to the recipient of the individuals’ choice, at their request.
The right to data portability can only be applied to the data that an individual has provided directly to the organization, and only if it is based on consent or it is related to the performance of a contract; and if the organization is carrying out the processing by automated means (excluding paper files).
The GDPR does not additionally explain what is a structured, commonly used and machine-readable format, which complicates the organizations’ effort to update their IT systems and procedures to be compliant.
However, Recital 68 of the GDPR explains that data controllers should be encouraged to develop interoperable formats that enable data portability.
This may help certain companies to attract customers who were reluctant to open new accounts in the past, due to complications with the transfer of their data.