Guidelines on the right to data portability

April 5th, 2017 | Posted by Claude-Etienne Armingaud in Europe | Guidelines | Privacy

Adopted on 13 December 2016 – As last Revised and adopted on 5 April 2017

Executive summary

Article 20 of the GDPR creates a new right to data portability, which is closely related to the right of access but differs from it in many ways. It allows for data subjects to receive the personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over the personal data concerning him or her.

Since it allows the direct transmission of personal data from one data controller to another, the right to data portability is also an important tool that will support the free flow of personal data in the EU and foster competition between controllers. It will facilitate switching between different service providers, and will therefore foster the development of new services in the context of the digital single market strategy.

This opinion provides guidance on the way to interpret and implement the right to data portability as introduced by the GDPR. It aims at discussing the right to data portability and its scope. It clarifies the conditions under which this new right applies taking into account the legal basis of the data processing (either the data subject’s consent or the necessity to perform a contract) and the fact that this right is limited to personal data provided by the data subject. The opinion also provides concrete examples and criteria to explain the circumstances in which this right applies. In this regard, WP29 considers that the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity. This new right cannot be undermined and limited to the personal information directly communicated by the data subject, for example, on an online form.

As a good practice, data controllers should start developing the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The opinion also helps data controllers to clearly understand their respective obligations and recommends best practices and tools that support compliance with the right to data portability. Finally, the opinion recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.

Go to the full Guidelines.

To Go Further:

  1. Guidelines 02/2024 on Article 48 GDPR Adopted on 02 December 2024 – For public consultation EXECUTIVE SUMMARY Article 48 GDPR provides that: “Any judgment of a...
  2. Globalization of Connected and Autonomous Cars – A Long and Winding Road? The advent of autonomous cars represents a unique opportunity to rethink urbanism globally. Indeed, such a technological evolution will undoubtedly...
  3. The advent of big data – The State’s little sister stands on the look-out. “Big data.” For nearly a year, marketers and CRM specialists have been more than fond of this new expression to...
  4. Guidelines 03/2021 on the application of Article 65(1)(a) GDPR Version 2.1 – Adopted on 24 May 2023 Version history Version 1.0 13 April 2021 Adoption of the Guidelines for...

You can follow any responses to this entry through the RSS 2.0 Responses are currently closed, but you can trackback.