Important Blogs

European Union Institutional body

Understanding Article 20 of EU GDPR: The right to Data Portability

Title: Understanding Article 20 of EU GDPR: The to Data Portability


The General Protection Regulation (#GDPR) is a landmark legislation that sets the framework for the protection of personal data of #European Union (EU) citizens. By enhancing individuals' privacy rights, the GDPR aims to give individuals greater control over their personal data. Article 20 of the GDPR introduces the right to data portability, which empowers individuals to request the transfer of their personal data from one data controller to another.

Understanding Article 20

Article 20 of the #GDPR grants individuals the right to receive and transfer their personal data in a structured, commonly used, and machine-readable format. This right applies when the data processing is based on consent or the performance of a contract, and the processing is automated. 

Furthermore, #Article 20 stipulates that individuals have the right to directly transmit their personal data from one data controller to another, where technically feasible. This provision aims to facilitate the seamless transition of personal data between service providers, thus enabling individuals to switch providers without the hassle of manually transferring their data.

Interpretation of Article 20 EU GDPR (Right to Portability)

Article 20(a) of the GDPR gives individuals the right to data portability, which means that they can request a copy of their personal data from one organization and transfer it to another organization, without any obstacles from the first organization. This right only applies when the following conditions are met:

The personal data concerns the individual and was provided by the individual to the first organization.

The personal data is processed by automated means, such as computers or software.
The processing is based on the individual’s consent or on a contract between the individual and the first organization.

When this right applies, the first organization must provide the personal data in a format that is structured, commonly used and machine-readable, such as CSV, JSON or XML. The individual can then transmit the data to another organization of their choice, or ask the first organization to do so directly, if it is technically possible.

The right to data portability aims to empower individuals to control their own data and to facilitate the free flow of data in the digital single market. It also encourages competition and innovation among organizations that offer similar services or products.

Article 20(b) of the GDPR is a condition that must be met for the right to data portability to apply. It means that the processing of personal data must be done by using computers or software, not by manual methods. For example, if a data controller stores your personal data in a spreadsheet or a database, the processing is carried out by automated means. But if a data controller keeps your personal data in paper files or handwritten notes, the processing is not automated.

The right to data portability under Article 20(b) only applies to processing that is conducted through automated means. This condition is generally met for internet service providers, but not for non-automated processing of personal data, such as data stored on structured index cards or in non-structured files.

Article 20(2) of the GDPR introduces the right for data subjects to request that their personal data be transmitted directly from the first controller to a second one. This request, in line with the principle of facilitation, spares the data subject the burden of receiving the data and then sending it on to the intended controller. This right only applies when the conditions of Article 20(1) are met, and when the transmission is technically feasible, meaning that the controllers have compatible systems and formats to exchange the data.

For example, suppose you have an account with an online music streaming service, and you want to switch to another service that offers better features or prices. You can ask the first service to send your personal data, such as your playlists, preferences, and listening history, directly to the second service, without having to download and upload the data yourself. The first service must comply with your request, unless it is impossible or too difficult to do so, for instance, if the second service uses a different data format or protocol that is not compatible with the first service. In that case, the first service must still provide you with your data in a portable format, and you can decide whether to transfer it manually or not.

Article 20(3) of EU GDPR states that the right to data portability, which allows data subjects to receive and transmit their personal data to another controller, does not affect the right to erasure, which allows data subjects to request the deletion of their personal data. It also states that the right to data portability does not apply when the processing of personal data is necessary for a public interest task or an official authority task carried out by the controller.
An example of when the right to data portability does not apply is when a tax authority processes personal data of taxpayers for the purpose of collecting taxes, which is a task carried out in the public interest and in the exercise of official authority. 

In this case, the taxpayers cannot request to receive and transmit their personal data to another controller, such as a private company, because the processing is necessary for the tax authority to fulfil its legal obligation. However, the taxpayers can still request the erasure of their personal data if the tax authority no longer needs them for its purpose or if the processing is unlawful.

Article 20(4) of EU GDPR is a safeguard that limits the right to data portability in order to protect the rights and freedoms of other data subjects or third parties. It means that the data controller can refuse to provide or transmit the personal data of one data subject to another data controller, if doing so would harm the interests or privacy of other individuals whose data are also involved.

For example, suppose you have a joint bank account with your spouse, and you want to transfer your personal data from one bank to another. The bank must provide you with your personal data, such as your name, address, and transaction history, in a portable format. However, the bank cannot provide or transmit your spouse’s personal data, such as their name, address, and transaction history, without their consent, because that would violate their right to data protection. Therefore, the bank must either obtain your spouse’s consent, or exclude their data from the portability request, in order to comply with Article 20(4) of EU GDPR.

Example Scenario

To illustrate the practical implications of Article 20, let's consider a scenario involving a hypothetical online bookstore, BookWorm. Alice, a frequent customer of BookWorm, has been accumulating a vast collection of e-books and personalized recommendations based on her reading history. However, Alice decides to switch to a different online bookstore, NovelEscape, for a variety of reasons.

In this scenario, Alice can exercise her right to data portability under Article 20 of the GDPR. She can request BookWorm to provide her personal data in a commonly used and machine-readable format (such as a structured database file or a CSV file). This format would allow her to seamlessly transfer her reading history, book preferences, and recommendations to NovelEscape.

BookWorm, as the data controller, has a responsibility to comply with Alice's request and ensure the secure and efficient transfer of her personal data to NovelEscape. This transfer should preserve the original data structure, enabling NovelEscape's systems to seamlessly import and utilize the data. Once received by the new provider, NovelEscape, Alice can immediately resume her reading journey with her custom preferences intact.

Benefits for Individuals

Article 20 of the #GDPR aims to empower individuals by enhancing their control over their personal data. The right to data portability can offer several benefits for individuals, including:

1. Ease of Switching Service Providers: Individuals can easily switch from one provider to another without the burden of manually recreating their personalized data or losing access to their past records.

2. Personalized Experience: By transferring their personal data, individuals can enjoy a seamless transition to a new service provider without losing their personalized settings, preferences, or recommendations.

3. Increased Competition and Innovation: Data portability fosters healthy competition among service providers, as individuals are more likely to explore alternative options without concerns about data loss or tedious migration processes. This competition encourages providers to offer better services and creates room for innovation in the industry.

Challenges and Limitations

While data portability has numerous advantages, certain challenges and limitations need to be addressed:

1. Technical Feasibility: The successful transfer of personal data between different service providers depends on the technical compatibility of their systems and data formats. If the existing systems of both providers cannot effectively communicate and transfer data, the process may be hindered.

2. Data Security and Integrity: The transfer of personal data raises concerns about data security and integrity. Providers must ensure that all necessary security measures are in place to protect the data during transit and that it remains accurate and complete upon arrival at the new destination.

3. Data Protection and Privacy Risks: Transferring personal data from one provider to another increases the potential risks of unauthorized access, data breaches, and privacy violations. Both providers must maintain robust data protection measures to minimize these risks.

Compliance and Implications for Data Controllers

For data controllers, compliance with Article 20 means recognizing individuals' right to data portability and implementing necessary mechanisms to facilitate the request. Data controllers must ensure the technical and organizational infrastructure to allow the transfer of personal data securely and efficiently.

Additionally, data controllers must provide individuals with transparent information on the data format options available for export, appropriate interfaces or tools for submission of data portability requests, and any constraints or limitations that could affect the transfer process.


Article 20 of the #GDPR highlights the importance of individuals' control over their personal data by granting them the right to data portability. This right allows individuals to seamlessly transfer their personal data between service providers, facilitating data-driven decision-making and fostering healthy competition in various industries.

While data portability brings advantages for individuals, it also poses challenges for service providers. Technical feasibility, data security, and privacy risks must be carefully addressed to ensure a smooth and secure transfer process.

By recognizing and complying with Article 20 of the GDPR, organizations can not only meet regulatory requirements but also build trust with individuals, boosting their confidence in sharing personal data in an increasingly data-centric world.

Searched by

#GDPR #dataprotection #privacy #dataprivacy #personaldata #compliance #EUlaw #datasecurity #cybersecurity #GDPRenEspaƱol, #GDPRaufDeutsch