The Right to Portability, codified in Article 20 of the GDPR, is the right of a data subject to receive their personal data from a data controller in a structured, commonly used, and machine-readable format (such as CSV or JSON). This right strictly applies to data provided by the individual and processed by automated means based on consent or a contract, enabling seamless transmission to another controller without hindrance.
Glossary
Right to Portability

What is Right to Portability?
The Right to Portability is a statutory data subject right empowering individuals to obtain and reuse their personal data across different services in a secure, structured format.
Technically fulfilling this right requires privacy request orchestration to extract data from disparate silos while excluding inferred or derived data. The process must ensure interoperability between competing platforms, distinguishing raw provided data from corporate assets, and often leverages secure API-based direct transfer mechanisms to prevent data exposure during transit.
Key Characteristics of Data Portability
The right to data portability empowers data subjects to obtain and reuse their personal data across different services. It mandates that data be provided in a structured, commonly used, and machine-readable format, enabling seamless transfer from one data controller to another without hindrance.
Structured & Machine-Readable Format
The core technical requirement of the right to portability is the format of the data export. Data must be provided in a format that is structured (organized in a predefined way), commonly used (not proprietary or obscure), and machine-readable (easily parsed by software).
- Recommended formats: JSON, CSV, XML, and Parquet for tabular data.
- Unacceptable formats: Scanned PDFs, image files of text, or proprietary binary blobs.
- Goal: Enable direct, automated ingestion by another data controller's systems without manual reformatting.
Scope: Data 'Provided By' the Subject
The right is not a blanket export of all data an organization holds. It applies specifically to personal data provided by the data subject to a controller, and processed by automated means based on consent or a contract.
- Included: Actively submitted data (e.g., name, email, uploaded photos) and passively observed data (e.g., raw search history, location logs, heart rate telemetry).
- Excluded: Inferred data and derived data created by the controller's proprietary algorithms (e.g., a user's credit score, a health risk profile, or a churn prediction).
- Legal Basis: Article 20 of the GDPR and Section 1798.100 of the CCPA/CPRA.
Direct Transmission Between Controllers
Where technically feasible, the data subject has the right to request the direct transmission of their personal data from one controller to another, bypassing the subject entirely. This creates a technical mandate for interoperability.
- Mechanism: Requires secure, authenticated APIs for controller-to-controller data transfer.
- Standardization: Industry efforts like the Data Transfer Project (DTP)—founded by Google, Meta, Microsoft, and Twitter—provide open-source frameworks for this direct transfer.
- Constraint: The sending controller is not obligated to adopt a specific technical system but must implement a reasonable, secure method for direct transfer when requested.
Technical Interoperability & API Design
Fulfilling portability requests at scale demands a robust Privacy Request Orchestration layer and well-designed APIs. The export must be a complete, faithful representation of the data, not a summary.
- API Design: RESTful endpoints that authenticate the subject, query all relevant data stores (via Data Lineage for PII), and package the response in a standardized schema.
- Security: Strong identity verification is critical before executing a transfer to prevent unauthorized data exfiltration.
- Volume Handling: Systems must handle large exports (e.g., years of location history) without timing out, often using asynchronous jobs with a status-check endpoint.
Distinction from the Right of Access
Data portability is a distinct and supplementary right, not a replacement for the general Right of Access. They serve different purposes and have different technical requirements.
- Right of Access (Art. 15): Provides a human-readable copy of all personal data and metadata (purposes, recipients, retention periods). The goal is transparency.
- Right to Portability (Art. 20): Provides a machine-readable subset of data for reuse. The goal is interoperability and user control.
- Key Difference: An access request might yield a PDF report, which is insufficient for portability. A portability request must yield raw, structured data.
Limitations & Third-Party Rights
The right to portability is not absolute. It is constrained by the rights and freedoms of others, which creates complex technical challenges in multi-user datasets.
- Third-Party Data: Exports must not adversely affect the rights of other individuals. Data containing joint personal information (e.g., a messaging thread) requires technical filtering or consent from the third party before inclusion.
- Security Risk: Portability hubs become high-value targets for attackers. A compromised portability API can lead to mass data exfiltration.
- Trade Secrets: The right does not compel a controller to reveal proprietary algorithms or trade secrets, which is why inferred data is explicitly excluded from the scope.
Frequently Asked Questions
Clear, technical answers to the most common questions about the data subject's right to receive and transmit their personal data in a structured, machine-readable format under global privacy regulations.
The right to data portability is a statutory entitlement under Article 20 of the GDPR and similar global privacy frameworks that empowers a data subject to receive their personal data from a controller in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance. The right applies exclusively to data processed by automated means and is contingent on the processing being based on consent or a contract. Technically, fulfillment requires the controller to extract all relevant PII from source systems, serialize it into interoperable formats such as JSON, CSV, or XML, and deliver it via a secure channel—either directly to the data subject or, where technically feasible, through a direct controller-to-controller transfer. The right is distinct from the right of access under Article 15; portability focuses on data reuse and interoperability, not merely transparency. Controllers must respond within one month, with the possibility of a two-month extension for complex requests, and cannot charge a fee unless the request is manifestly unfounded or excessive.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
GDPR vs. CCPA: Right to Portability
A technical comparison of data portability requirements under the European Union's General Data Protection Regulation and the California Consumer Privacy Act.
| Feature | GDPR (Art. 20) | CCPA/CPRA (§ 1798.105) |
|---|---|---|
Legal basis for portability | Data subject right; applies when processing is based on consent or contract | Consumer right; applies to personal information collected directly from the consumer |
Scope of data covered | Personal data provided by the data subject and observed data generated by their activity | Personal information collected from the consumer, excluding inferred or derived data |
Required format | Structured, commonly used, and machine-readable format (e.g., JSON, CSV, XML) | Portable and readily usable format to the extent technically feasible |
Direct transfer to another controller | ||
Timeframe for response | 1 month (extendable by 2 months for complex requests) | 45 days (extendable by 45 days if reasonably necessary) |
Verification requirement | Reasonable measures to verify identity; no disproportionate effort standard | Verifiable consumer request; must match data already maintained |
Exemptions | Does not apply to processing necessary for public interest or official authority | Does not require retention of data beyond business purposes or re-identification of de-identified data |
Penalty for non-compliance | Up to €20 million or 4% of global annual turnover | Up to $7,500 per intentional violation; $2,500 per unintentional violation |
Related Terms
The right to portability is one of several interconnected data subject rights. Understanding the broader privacy engineering landscape is essential for building compliant, automated fulfillment systems.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us