Data Portability
The right of data subjects under GDPR (Article 20) to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
The right to data portability enables individuals to obtain and reuse their personal data across different services. Under GDPR Article 20, this right applies specifically to personal data that the individual has provided to a controller, where the processing is based on consent or a contract, and the processing is carried out by automated means. When exercised, the controller must provide the data in a structured, commonly used, and machine-readable format such as JSON, CSV, or XML. Where technically feasible, the individual can also request that the data be transmitted directly from one controller to another.
Data portability has both consumer empowerment and competitive implications for technology companies. For individuals, it reduces vendor lock-in and enables them to switch between services without losing their data history. For SaaS providers, it means building export functionality into their platforms and supporting standardized data formats. While GDPR is the primary framework that establishes this right, the principle of data portability is gaining traction globally as more jurisdictions adopt comprehensive data protection legislation. SOC 2's Privacy criteria also touch on data portability through requirements around providing individuals with access to their personal information.
Implementing data portability requires technical planning and investment. Organizations need to determine which data qualifies as 'provided by' the data subject: this covers data the individual actively entered and data observed from their use of the service (such as activity logs), but not data the controller has derived or inferred from it (such as risk scores or profiles). They must design export APIs or self-service tools that generate compliant data packages, support machine-readable formats that balance usability with completeness, exclude or redact other people's personal data where an export would adversely affect their rights (Article 20(4)), and respond without undue delay and at the latest within one month of the request, extendable by two further months for complex or numerous requests (Article 12(3)). Because an export endpoint discloses a complete copy of a person's data in one step, it also needs strong verification that the requester is the data subject (or someone acting with their authority), and its use should be logged and rate-limited like any other bulk data access. For complex platforms, creating a comprehensive data export that includes all relevant personal data across multiple services and subsystems can be a substantial engineering effort. Organizations should design data portability capabilities into their system architecture rather than treating them as an afterthought.
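The following is an added example, not code from this page or from any particular product, of how the design points above translate into an export builder: it separates provided and observed data (in scope) from derived data (out of scope), withholds fields that contain other individuals' personal data, refuses to run unless the requester is the authenticated subject, computes the Article 12(3) deadline in calendar months rather than a flat 30 days, and emits JSON plus CSV with a digest the receiving controller can verify. The per-field 'origin' and 'third_party' tags, the field names and the sample record are all assumptions constructed for the example.

```python
import calendar
import csv
import hashlib
import io
import json
from datetime import date

# Constructed sample for a hypothetical service. Each stored field carries an
# 'origin' tag (assumed schema): 'provided' = actively given by the subject,
# 'observed' = generated by the subject's use of the service, 'derived' =
# inferred by the controller. An optional 'third_party' flag marks fields that
# also contain other people's personal data.
SAMPLE_RECORDS = [
    {"field": "email", "value": "alex@example.org", "origin": "provided"},
    {"field": "display_name", "value": "Alex", "origin": "provided"},
    {"field": "login_events", "origin": "observed",
     "value": [{"ts": "2024-03-01T09:12:00Z", "ip": "203.0.113.7"}]},
    {"field": "churn_risk_score", "value": 0.83, "origin": "derived"},
    {"field": "shared_album_members", "origin": "provided", "third_party": True,
     "value": ["jamie@example.net"]},
]

# Provided and observed data are in scope of Article 20; derived data is not.
PORTABLE_ORIGINS = {"provided", "observed"}


def select_portable(records):
    """Return (data, withheld): the fields to export and those held back, with a reason."""
    data, withheld = {}, []
    for rec in records:
        if rec["origin"] not in PORTABLE_ORIGINS:
            withheld.append({"field": rec["field"],
                             "reason": "derived or inferred by the controller"})
        elif rec.get("third_party"):
            # Art. 20(4): the export must not adversely affect others' rights.
            withheld.append({"field": rec["field"],
                             "reason": "contains other individuals' personal data"})
        else:
            data[rec["field"]] = rec["value"]
    return data, withheld


def add_months(d, months):
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(requested_on, extended=False):
    """Art. 12(3): one month from receipt, extendable by two further months."""
    return add_months(date.fromisoformat(requested_on), 3 if extended else 1).isoformat()


def authorize_export(subject_id, requester_id):
    """Only the authenticated data subject may trigger their own export."""
    return requester_id == subject_id


def to_csv(data):
    """One row per field; nested values are JSON-encoded inside the cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["field", "value"])
    for field, value in data.items():
        writer.writerow([field, value if isinstance(value, str) else json.dumps(value)])
    return buf.getvalue()


def build_package(subject_id, requester_id, records, requested_on):
    """Assemble manifest + JSON + CSV. An export endpoint is a bulk-disclosure
    path, so the identity check comes first and cannot be skipped."""
    if not authorize_export(subject_id, requester_id):
        raise PermissionError("export may only be generated for the authenticated data subject")
    data, withheld = select_portable(records)
    payload = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return {
        "manifest": {
            "subject": subject_id,
            "requested_on": requested_on,
            "respond_by": response_deadline(requested_on),
            "withheld": withheld,
            "sha256": hashlib.sha256(payload.encode()).hexdigest(),
        },
        "data.json": payload,
        "data.csv": to_csv(data),
    }


def verify_package(pkg):
    """Receiving controller's check: does the JSON payload match the manifest digest?"""
    return hashlib.sha256(pkg["data.json"].encode()).hexdigest() == pkg["manifest"]["sha256"]


def demo_package():
    """Build the export for the constructed sample subject, requested on 31 Jan 2024."""
    return build_package("user-1001", "user-1001", SAMPLE_RECORDS, "2024-01-31")


if __name__ == "__main__":
    pkg = demo_package()
    print(json.dumps(pkg["manifest"], indent=2))
    print(pkg["data.csv"])
```

The manifest lists what was withheld and why, so the subject can see that derived data and third-party data were excluded deliberately rather than lost, and the deadline helper shows why a flat 30-day timer is wrong: a request received on 31 January is due on 29 February in a leap year, and the extended deadline lands on 30 April.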
Related terms
Consent Management
The processes, tools, and policies an organization uses to collect, record, manage, and honor individuals' consent for the processing of their personal data, ensuring compliance with requirements for freely given, specific, informed, and unambiguous consent.
Data Controller
Under GDPR, the entity that determines the purposes and means of processing personal data. The data controller decides why personal data is collected and how it will be used, and bears primary responsibility for compliance with data protection obligations.
Privacy by Design
An approach to system engineering and business practices that embeds privacy protections into the design and architecture of IT systems, processes, and products from the outset, rather than adding them as an afterthought.
Right to Erasure
A data subject's right under GDPR (Article 17) to request the deletion of their personal data when it is no longer necessary, when consent is withdrawn, or when the data was unlawfully processed. Also commonly known as the 'right to be forgotten.'