Data Portability

The right of individuals to receive personal data they provided to a controller in a structured, commonly used, machine-readable format and transmit it to another controller. Data portability empowers individuals to move their data between services, promoting competition and user control. Under GDPR Article 20, portability applies to data the individual provided (not inferred data) and processing based on consent or contract (not other lawful bases). The data must be provided in formats like CSV, JSON, or XML that other systems can easily import. Organizations must implement capabilities to extract and deliver portable data, verify requester identity, ensure exports don't include others' data, and provide data without undue delay. Data portability differs from access rights, which provide broader data but not necessarily in portable formats. This right facilitates switching between services, using multiple services simultaneously, and backing up personal data.