Module 5 · Data portability (Article 20)

Data portability (Article 20) extends the right of access: the data subject can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. It is triggered only when processing is based on consent OR contract AND is carried out by automated means - it does NOT apply to legitimate interests, legal obligation or public-task processing.

Data portability (Article 20) lets a person receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller, with interoperability as the goal. It is an extension of the right of access but is far narrower in scope.

Three cumulative conditions for data portability (WP29) - ALL must be met
#	Condition	Key point
1	Lawful basis	Processed by automated means on the basis of consent or contract (not legitimate interest, legal obligation or public task)
2	Source of data	Data must be provided by the data subject - given or observed, NOT derived or inferred
3	Third parties	Exercising it must not adversely affect others' rights and freedoms

Three cumulative conditions for data portability (WP29) - ALL must be met

Condition

Key point

Lawful basis

Processed by automated means on the basis of consent or contract (not legitimate interest, legal obligation or public task)

Source of data

Data must be provided by the data subject - given or observed, NOT derived or inferred

Third parties

Exercising it must not adversely affect others' rights and freedoms

Key terms - quick answers

What is “Data portability”?

Article 20: the right to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

What is “Provided by the data subject”?

Data the person actively gave or that was observed from their activity - not data the controller derived or inferred.

What is “Interoperability”?

The goal of portability: enabling data to move usefully between services and controllers.