GDPR Article 20 Right to Data Portability: Official Text

In one sentence. GDPR Article 20 gives data subjects the right to receive their personal data in a structured, commonly used and machine-readable format and to transmit it to another controller without hindrance — but only for data they provided themselves, processed by automated means based on consent (Article 6(1)(a) or 9(2)(a)) or contract (Article 6(1)(b)). The official EUR-Lex source is Regulation (EU) 2016/679, Article 20.

The right complements the broader right of access (Article 15) by adding a machine-readability and interoperability dimension. EDPB Guidelines on portability (WP242 rev.01) remain the authoritative interpretation.

Key takeaways

  • Right covers only data provided by the data subject (not inferred or derived).
  • Triggers only when processing is based on consent or contract.
  • Format must be structured, commonly used, machine-readable (CSV, JSON, XML).
  • Direct controller-to-controller transmission required where technically feasible.
  • Deadline: one month (Article 12(3)), extendable to three months.
  • Sanctions: Article 83(5)(b) — up to €20M or 4% of global turnover.

1. Article 20 official text

Article 20 — Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and (b) the processing is carried out by automated means.

  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

2. Scope: what data is portable?

EDPB WP242 splits personal data into three buckets:

| Bucket | Portable? |
|---|---|
| Data provided (account fields, uploads, search history, contacts uploaded) | Yes |
| Observed data (location traces, device data, transaction logs from use of the service) | Yes |
| Inferred/derived data (credit score, user profile, recommendations) | No |

The distinction matters: a music platform must export your playlists (provided) and listening history (observed) but not the algorithmic profile.

Article 20 applies only when the legal basis is:

  • Consent (Article 6(1)(a) or special category 9(2)(a))
  • Contract (Article 6(1)(b))

It does not apply to processing based on:

  • Legal obligation (Article 6(1)(c)) — e.g. tax records
  • Public interest (Article 6(1)(e))
  • Legitimate interest (Article 6(1)(f)) — see our LIA guide

4. Format requirements

“Structured, commonly used, machine-readable” per EDPB:

  • CSV for tabular data
  • JSON for nested structures
  • XML for documents
  • vCard for contacts
  • iCal for calendar data
  • PDF is not machine-readable for portability purposes

5. Direct transmission (Article 20(2))

“Where technically feasible” — EDPB clarifies this is not absolute. Controllers should:

  • Implement APIs where realistic
  • Use interoperable formats
  • Adopt industry standards (e.g. Data Transfer Initiative, Solid)

The Digital Markets Act (DMA, Regulation (EU) 2022/1925) imposes stronger interoperability obligations on gatekeepers — going beyond Article 20.

6. Relationship with right of access (Article 15)

| Right | Format | Scope | Trigger |
|---|---|---|---|
| Article 15 access | Any (often PDF) | All personal data | Any legal basis |
| Article 20 portability | Machine-readable | Provided + observed | Consent / contract only |

A DSAR request often combines both. See DSAR playbook.

7. Deadlines and procedure

Article 12(3):

  • One month to respond
  • Extendable by two months for complex/numerous requests
  • Free of charge unless manifestly unfounded or excessive
  • Identity verification permitted but proportionate

8. Exclusions and limits

  • Article 20(3): excludes public interest / official authority processing
  • Article 20(4): cannot adversely affect rights of others — e.g. third-party data in email exports must be assessed
  • Trade secrets / IP can be protected (Recital 63)
  • Backup and archive systems may have legitimate technical limits

9. Sanctions and enforcement

Article 83(5)(b) tier: up to €20M or 4% of global turnover.

Notable cases:

  • Spotify (Swedish IMY 2023): €5M for inadequate portability response
  • Multiple platforms (CNIL 2024): structured fines for non-machine-readable PDFs
  • Meta (Irish DPC 2022, transparency context): €405M including portability issues

10. Implementation checklist

  1. Identify all processing activities based on consent or contract (ROPA cross-reference)
  2. Map “data provided” vs “data observed” vs “data inferred”
  3. Build export jobs in CSV/JSON
  4. Add API for direct transmission where feasible
  5. Document one-month SLA with timer
  6. Train DSAR team on portability vs access distinction
  7. Audit annually

11. Tooling

Legiscope ships an Article 20 export module with CSV/JSON/XML output, automated SLA timer, ROPA-linked scope determination, and audit trail. Integrates with the DSAR workflow.

FAQ

What is the text of GDPR Article 20?

The official text grants the right to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller without hindrance, when processing is based on consent or contract and carried out by automated means. Full text on EUR-Lex.

What data does Article 20 cover?

Data provided by the data subject (account fields, uploads) and observed data (logs from service use). It does NOT cover inferred or derived data such as profiles or scores.

Is portability required for all processing?

No — only when the legal basis is consent (Article 6(1)(a) / 9(2)(a)) or contract (Article 6(1)(b)). Legitimate interest, legal obligation, and public interest processing are excluded.

What format is required?

Structured, commonly used, and machine-readable: CSV, JSON, XML, vCard, iCal. PDF does not qualify.

What’s the deadline to respond to a portability request?

One month under Article 12(3), extendable by two months for complex requests.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on GDPR implementation. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
