Right to data portability
is entirely new to EU data protection law. It lets data subjects receive their own data, which they provided to a controller, in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance - or have it sent directly controller-to-controller where technically feasible. Unlike access, portability is about reuse and moving data to prevent lock-in, applies only to data the subject provided, and forces interoperable, non-proprietary formats.
Article 20 lets the data subject receive their provided data in a structured, commonly used, machine-readable format and transmit it without hindrance, or have it sent directly to another controller where technically feasible (Article 20(2)). WP 242 frames it as empowering subjects to move, copy or transmit their data between IT environments and preventing 'lock-in'.
| Right of access (Art 15) | Data portability (Art 20) | |
|---|---|---|
| Core purpose | Be told what is held and why | Receive/reuse and move data to another controller |
| Scope of data | All personal data concerning the subject | Only data the subject provided to the controller |
| Format | Generally a copy; format flexible | Structured, commonly used, machine-readable |
| Onward transfer | Not the focus | Transmit without hindrance; direct controller-to-controller where technically feasible |
'Commonly used' is taken to exclude proprietary formats (think CSV, XML, JSON). Watch out where ported data includes third parties' data - the disclosing controller can still be liable for wrongful disclosure even though it could not verify others' consents.