Right to Data Portability (Article 20)
The Right to Data Portability, enshrined in Article 20 of the General Data Protection Regulation (GDPR), is a fundamental data subject right that empowers individuals to obtain and reuse their personal data across different services. This right enables data subjects to receive their personal data, which they have provided to a data controller, in a structured, commonly used, and machine-readable format. Furthermore, individuals have the right to transmit that data to another data controller without hindrance from the original controller. This right applies under two specific conditions: first, the processing must be based on consent (Article 6(1)(a) or Article 9(2)(a)) or on a contract (Article 6(1)(b)); and second, the processing must be carried out by automated means. It does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Key aspects for CIPP/E professionals to understand include: the data subject may request direct transmission from one controller to another where technically feasible. The scope covers only data 'provided by' the data subject, which includes both actively provided data (such as form submissions) and observed data (such as browsing history), but excludes inferred or derived data created by the controller through analysis. Importantly, the exercise of this right must not adversely affect the rights and freedoms of others. Controllers must respond to portability requests without undue delay and within one month, extendable by two additional months for complex cases.
From a European data processing perspective, organizations must implement appropriate technical measures to support portability requests, including the ability to export data in interoperable formats such as CSV, XML, or JSON. The right to portability complements other GDPR rights and promotes competition among service providers while giving individuals greater control over their personal data in the digital ecosystem.
Right to Data Portability (Article 20) – Complete Guide for CIPP/E Exam Preparation
Introduction
The Right to Data Portability under Article 20 of the General Data Protection Regulation (GDPR) is one of the most distinctive and innovative rights granted to data subjects. It empowers individuals to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. Understanding this right thoroughly is essential for anyone preparing for the CIPP/E certification exam, as it frequently appears in questions related to European data processing principles and data subject rights.
Why is the Right to Data Portability Important?
The Right to Data Portability is significant for several reasons:
1. Empowering Individuals: It gives data subjects greater control over their personal data by enabling them to move, copy, or transfer data easily from one service provider to another. This aligns with the GDPR's overarching goal of placing individuals at the center of data protection.
2. Promoting Competition: By reducing vendor lock-in, portability encourages competition among service providers. If a consumer is dissatisfied with one provider, they can seamlessly migrate their data to a competitor, fostering innovation and better services.
3. Enhancing Data Reuse: Individuals can reuse their personal data for their own purposes across different services, such as transferring financial data from one banking app to another or moving health records between healthcare providers.
4. Supporting the Digital Single Market: Data portability is a key enabler for the EU's digital economy strategy, making cross-border data flows smoother and more user-friendly.
5. Complementing Other Rights: While related to the right of access (Article 15), the right to data portability goes further by requiring data to be provided in a format that facilitates reuse and interoperability.
What is the Right to Data Portability?
Article 20 of the GDPR states that the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and has the right to transmit that data to another controller without hindrance from the original controller.
Key Elements of Article 20:
1. Scope of Data Covered
The right applies only to personal data that the data subject has provided to the controller. According to the Article 29 Working Party (now the European Data Protection Board, EDPB), this includes:
- Data actively and knowingly provided: Such as name, email address, age, or other information entered into forms or profiles.
- Observed data: Data generated by the data subject's activity, such as search history, location data, traffic data, or raw data collected from connected devices (e.g., heartbeat tracked by a fitness device).
It does not include:
- Inferred or derived data: Data created by the controller through analysis or profiling, such as credit scores, health assessments, or customer segmentation profiles. These are considered the controller's intellectual output, not data "provided by" the data subject.
2. Legal Bases Triggering the Right
The right to data portability applies only when the processing is based on:
- Consent (Article 6(1)(a) or Article 9(2)(a) for special categories of data), or
- Contract (Article 6(1)(b)) – i.e., processing necessary for the performance of a contract to which the data subject is a party.
Important: The right does not apply when processing is based on:
- Legitimate interests (Article 6(1)(f))
- Legal obligation (Article 6(1)(c))
- Public interest or official authority (Article 6(1)(e))
- Vital interests (Article 6(1)(d))
3. Processing Must Be Carried Out by Automated Means
The right applies only to processing carried out by automated means. This effectively excludes paper-based filing systems. The logic is that portability is a digital-era right designed to facilitate the electronic transfer of data between IT environments.
4. Format Requirements
Data must be provided in a:
- Structured format (organized and formatted)
- Commonly used format (widely recognized, such as CSV, XML, or JSON)
- Machine-readable format (can be automatically read and processed by software)
Note: Controllers are not required to adopt or maintain technically compatible processing systems. They are encouraged to develop interoperable formats, but there is no absolute obligation of system compatibility.
5. Direct Transmission Between Controllers
Article 20(2) specifies that the data subject has the right to have personal data transmitted directly from one controller to another, where technically feasible. This is an important qualification — the obligation exists only when direct transmission is technically possible.
6. Relationship with Other Rights
- Right of Access (Article 15): The right to portability is separate from and complements the right of access. Under Article 15, data subjects can receive a copy of all their personal data being processed, regardless of legal basis. Under Article 20, data subjects can receive a subset of that data in a portable format, but only under specific conditions.
- Right to Erasure (Article 17): Article 20(3) clarifies that exercising the right to portability does not automatically trigger the right to erasure. The data subject must separately invoke their right to erasure if they wish their data to be deleted.
7. Rights and Freedoms of Others
Article 20(4) states that the right to data portability shall not adversely affect the rights and freedoms of others. For example, if the data being ported contains personal data of third parties (e.g., an email conversation), the controller must ensure that transmitting this data does not infringe on the rights of those third parties. This requires a careful balancing exercise.
How Does the Right to Data Portability Work in Practice?
Step 1: Data Subject Makes a Request
The individual submits a request to the controller to receive their personal data or to have it transmitted to another controller. There is no prescribed format for the request — it can be made verbally or in writing.
Step 2: Controller Verifies the Request
The controller must verify the identity of the data subject. If there are reasonable doubts about the identity, additional information may be requested for verification purposes.
Step 3: Controller Assesses Applicability
The controller must determine whether:
- The data falls within the scope of Article 20 (provided by the data subject)
- The legal basis is consent or contract
- The processing is carried out by automated means
- Transmission is technically feasible (for direct transfer requests)
- The rights and freedoms of others are not adversely affected
Step 4: Controller Responds
The controller must respond without undue delay and at the latest within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. If extended, the controller must inform the data subject within the first month and explain the reasons for the delay.
Step 5: Data is Provided or Transmitted
The data is provided to the data subject in the required format, or transmitted directly to the new controller where technically feasible. The service must be provided free of charge for the first request. However, the controller may charge a reasonable fee based on administrative costs for further copies or manifestly unfounded or excessive requests.
Step 6: Original Controller Retains the Data
Exercising data portability does not automatically result in the deletion of the data from the original controller's systems. The data subject must separately exercise their right to erasure under Article 17 if they wish the data to be deleted.
Practical Examples
- A user of a music streaming service requests all their playlist data and listening history to transfer to a competing service.
- A customer of an online retailer requests their purchase history and saved preferences in a machine-readable format to import into another shopping platform.
- A patient requests their health data from a wearable device provider to share with a new healthcare provider.
- A social media user requests all the photos, posts, and profile information they have uploaded to transfer to another social media platform.
Limitations and Exceptions
- The right does not apply to processing necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 20(3)).
- It does not require controllers to maintain technically compatible systems.
- The right must not adversely affect the rights and freedoms of others (Article 20(4)).
- It applies only to data provided by the data subject, not to inferred or derived data.
- It only applies to automated processing, not to paper files.
Key Guidance from the Article 29 Working Party / EDPB
The Article 29 Working Party issued specific guidelines on data portability (WP242 rev.01), which provide important clarifications frequently tested in the CIPP/E exam:
- The concept of data "provided by" the data subject should be interpreted broadly to include observed data, not just actively submitted data.
- Controllers should provide data portability tools proactively (e.g., download tools, APIs).
- Controllers are encouraged to develop interoperable formats and standards, though this is not mandatory.
- Trade secrets and intellectual property should not be used as a blanket excuse to refuse portability requests.
- The right to portability should not be confused with the right of access — they have different scopes, formats, and conditions.
Exam Tips: Answering Questions on Right to Data Portability (Article 20)
Tip 1: Know the Triggering Legal Bases
One of the most commonly tested aspects is which legal bases trigger the right to portability. Remember: only consent (Article 6(1)(a) or Article 9(2)(a)) and contract (Article 6(1)(b)). If a question presents a scenario where processing is based on legitimate interests or legal obligation, the right to data portability does not apply.
Tip 2: Distinguish Between "Provided By" and "Derived/Inferred" Data
Exam questions frequently test whether you understand the distinction between data provided by the data subject (actively or through observation) and data derived or inferred by the controller. Remember: credit scores, algorithmic assessments, and profiling results are not portable under Article 20.
Tip 3: Remember "Observed Data" is Included
A common trick question involves whether data such as location data, search history, or heart rate data from a wearable device qualifies. The answer is yes — observed data is considered data "provided by" the data subject for the purposes of Article 20.
Tip 4: Automated Means Only
If a question mentions paper files or manual processing, the right to data portability does not apply. It is limited to processing carried out by automated means.
Tip 5: Portability Does Not Equal Erasure
Be alert to questions suggesting that exercising portability automatically triggers deletion. It does not. The data subject must separately request erasure under Article 17.
Tip 6: "Where Technically Feasible" for Direct Transfers
The obligation to transmit data directly from one controller to another exists only where it is technically feasible. Controllers are not required to build new technical infrastructure to accommodate this.
Tip 7: Know the Timeline
Response time is one month, extendable by two further months for complex or numerous requests. The data subject must be informed of any extension within the first month.
Tip 8: Free of Charge
The first response must be free of charge. A reasonable fee may be charged only for manifestly unfounded or excessive requests, or for further copies (though the GDPR's approach to charging under portability is more restrictive than under access rights).
Tip 9: Rights of Third Parties
If a question involves ported data that contains personal data of third parties, remember Article 20(4) — the right to portability must not adversely affect the rights and freedoms of others. This is a legitimate ground for the controller to impose restrictions on the ported data.
Tip 10: Compare with Article 15 (Right of Access)
Exam questions may ask you to compare Article 15 and Article 20. Key differences:
- Article 15 covers all personal data being processed, regardless of legal basis; Article 20 is limited to data provided by the data subject under consent or contract.
- Article 15 requires a copy of the data; Article 20 requires it in a structured, commonly used, machine-readable format.
- Article 15 applies to all types of processing; Article 20 applies only to automated processing.
Tip 11: Public Interest Exception
Processing carried out in the public interest or in the exercise of official authority is explicitly excluded from the right to data portability under Article 20(3). Watch for questions involving government agencies or public bodies.
Tip 12: Read the Scenario Carefully
Many exam questions present multi-layered scenarios. Identify: (1) the legal basis for processing, (2) whether the data was provided by the data subject or derived by the controller, (3) whether processing is automated, and (4) whether third-party rights are implicated. Answering these four sub-questions will guide you to the correct answer.
Summary Table for Quick Revision
Applies when: Consent or contract + automated processing + data provided by the data subject
Does not apply when: Legitimate interests, legal obligation, public interest, vital interests, or official authority as legal basis; inferred/derived data; manual/paper processing
Format: Structured, commonly used, machine-readable
Direct transfer: Only where technically feasible
Timeline: One month, extendable by two months
Cost: Free of charge (first request)
Erasure: Not automatic — must be separately requested
Third parties: Must not adversely affect their rights and freedoms
Conclusion
The Right to Data Portability under Article 20 is a forward-looking provision of the GDPR that reflects the digital nature of modern data processing. For the CIPP/E exam, it is essential to understand not only what this right entails but also its precise conditions, limitations, and how it interacts with other data subject rights. By mastering the nuances outlined in this guide — particularly the triggering legal bases, the scope of "provided" data, and the exceptions — you will be well-prepared to tackle any exam question on this topic with confidence.