Overview
This article grants data subjects the right to receive their personal data in a structured, commonly used, and machine-readable format. Individuals can request to transfer their data to another controller when processing is based on consent or a contract and is carried out by automated means.
Key Principles
Structured and Machine-Readable: Data must be provided in a format that enables easy transfer and use.
Lawful Basis: The right applies only when processing is based on consent or a contract and is carried out by automated means.
Facilitates Transfer: Enables data subjects to move their personal data between service providers.
Accountability: Organizations must implement secure processes to support data portability requests.
Organizational Applicability
This article applies to all organizations processing personal data within the EU:
Controllers managing personal data of EU/EEA data subjects.
Public and private sector entities offering services that involve automated processing based on consent or contractual obligations.
Teams responsible for IT systems, data management, and compliance with GDPR requests.
Implementation Requirements
Establish procedures to respond to data portability requests.
Ensure personal data is exported in a structured, commonly used, and machine-readable format.
Verify the requester’s identity before providing data.
Document requests and data transfers for accountability and compliance.
Implementation Guidance
Use secure, standardized formats such as CSV, JSON, or XML for data export.
Train staff to handle portability requests efficiently and securely.
Ensure internal systems can generate machine-readable data in a timely manner.
Coordinate with other controllers if data is being transferred externally.
Periodic Review
Frequency: Annually or when systems handling personal data are updated.
Responsible Role: Data Protection Officer (DPO) or Compliance Team.
Outcome: Confirm that data portability requests are fulfilled correctly, securely, and within required timelines.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover.
Legal Exposure: Enforcement actions or complaints for failing to provide portable data.
Reputational Damage: Loss of trust from data subjects and regulatory authorities.
Operational Risk: Inability to provide data in a machine-readable format may disrupt customer service or legal compliance.