GDPR: Article 20 - Right to Data Portability

by Avinash V


Article 20 of the General Data Protection Regulation (GDPR) is a significant provision that grants individuals the right to data portability. This article empowers data subjects with greater control over their personal data, fostering a more transparent and user-centric approach to data processing. Let's delve into the intricacies of Article 20 and its implications in the realm of data protection.

Understanding Article 20 GDPR

Article 20 of the GDPR states that data subjects have the right to receive their personal data, which they have provided to a data controller, in a structured, commonly used, and machine-readable format. This right applies when the data processing is based on consent or the necessity for the performance of a contract. Furthermore, data subjects have the right to transmit this data to another data controller without hindrance from the original data controller.

This provision represents a significant stride in data protection and privacy rights, offering individuals a pathway to exert greater control over their personal information in an increasingly digitized world. By granting data subjects the authority to access their own data, request its transmission, and potentially switch service providers, Article 20 aligns with the GDPR's overarching goal of empowering individuals while enhancing accountability and transparency within data processing practices.

The scope of application of Article 20, being contingent upon data processing based on consent or contractual necessity, underscores the GDPR's intention to strike a balance between individual rights and the legitimate interests of data controllers. While this ensures that the right to data portability is invoked in situations where individuals have actively engaged with a service or platform, it also recognizes the need to safeguard against misuse or frivolous requests.

Key Elements of the Right to Data Portability

  • Structured and Machine-Readable Format: Article 20 emphasizes that personal data should be provided in a format that allows for easy extraction, interpretation, and use. This format ensures that the data can be seamlessly processed by automated systems and applications.
  • Consent and Contractual Basis: The right to data portability is contingent upon the data processing being based either on the individual's explicit consent or on the necessity for fulfilling a contractual obligation. This ensures that the right is invoked in situations where the individual has willingly shared their data or where the data is necessary for a specific service or agreement.
  • Transmitting Data to Another Controller: Data subjects can request their personal data to be transmitted directly to another data controller if they so choose. This facilitates seamless transitions between service providers while retaining control over one's personal data.

Implications and Benefits

The introduction of the right to data portability brings several important implications and benefits for both data subjects and organizations:

  • Enhanced Control for Individuals: Article 20 places control back in the hands of data subjects, allowing them to access and manage their personal data more effectively. This empowers individuals to switch service providers or platforms without the hassle of starting anew with their data.
  • Facilitates Competition and Innovation: Data portability encourages healthy competition among service providers, as it becomes easier for individuals to switch between offerings. This dynamic fosters innovation and drives companies to enhance their services to retain customers.
  • Data Interoperability: By mandating machine-readable formats, Article 20 promotes data interoperability. This paves the way for seamless data sharing and integration between different platforms and systems.
  • Data Mobility: The right to data portability supports the concept of data mobility, where individuals have the flexibility to move their personal data across various digital environments while maintaining data integrity and consistency.

Challenges and Considerations

While the right to data portability holds great promise, its implementation is not without challenges:

  • Technical Compatibility: Ensuring that personal data is provided in a machine-readable format that is universally compatible can be complex, especially considering the diversity of data formats and systems.
  • Scope of Applicability: The right to data portability applies only to data processed based on consent or contractual necessity. This limitation excludes data processed for other legal bases, potentially leading to inconsistencies in its application.
  • Data Security: Transferring data from one controller to another requires robust security measures to prevent unauthorized access or breaches during the transfer process.
  • Clarity for Individuals: Organizations must provide clear guidance to data subjects about their right to data portability, ensuring individuals understand the implications and benefits of exercising this right.


Article 20 of the GDPR embodies the principle of data empowerment, granting individuals the ability to take charge of their personal data and transfer it seamlessly between service providers. This right not only bolsters individual control but also fosters healthy competition, data interoperability, and innovation in the digital landscape. As organizations adapt to the evolving data protection landscape, embracing the principles of data portability becomes not only a legal requirement but also a strategic imperative for building trust, ensuring transparency, and fostering a user-centric approach to data processing.