Data Portability
/ˈdeɪtə ˌpɔːtəˈbɪlɪti/
Data portability is a GDPR right that allows individuals to receive their personal data in a structured, machine-readable format and transfer it to another service provider.
Data portability is a GDPR right that allows individuals to receive their personal data in a structured, machine-readable format and transfer it to another service provider.
Data portability is one of the individual rights granted under the GDPR, specifically set out in Article 20. It gives individuals the right to receive a copy of the personal data they have provided to an organisation in a structured, commonly used, and machine-readable format. The individual can then transmit that data to another controller, or request that the original controller transmit it directly. For Irish businesses, understanding this right is essential because failing to comply with a valid data portability request can result in enforcement action from the Data Protection Commission.
The right is designed to promote competition and reduce the switching costs that arise when a person's data is locked into a single provider's systems. In practice, it allows a customer who wants to move from one service to another to take their data with them without needing to re-enter it manually. For technology companies, social platforms, financial services providers, and any other business where customers accumulate significant amounts of personal data over time, portability requests are becoming an increasingly common part of customer service operations.
Data portability differs from the right of access, which simply requires you to provide a copy of the data you hold. Portability goes further by requiring the data to be in a format that is technically interoperable, meaning another system can readily import and use it. This technical requirement means businesses need to think carefully about their data formats and export capabilities when designing their systems, rather than leaving it as an afterthought.
The right to data portability applies in two specific circumstances: when the processing is based on the individual's consent, or when it is necessary for the performance of a contract with the individual. It does not apply to processing carried out under legal obligation, in the public interest, or on the basis of legitimate interest. This distinction is important because it means many categories of business data do not fall within the scope of the portability right even if they contain personal information.
Additionally, the right applies only to data that the individual has actively provided to the organisation, whether directly (such as by filling in a profile) or through their use of a service (such as activity logs or transaction history). It does not extend to derived data or inferences that the organisation has created from the individual's data, such as credit scores or behavioural profiles generated through analytics. Understanding this boundary helps businesses accurately scope their response to portability requests.
When you receive a valid data portability request from an individual, you must respond within one month. The response must include the personal data in a structured, commonly used, and machine-readable format such as JSON, CSV, or XML. The format you choose should allow the data to be imported into another system without significant technical effort by the recipient or the receiving organisation.
If the individual requests direct transmission to another controller, you must carry this out where technically feasible. This is a higher obligation than simply providing a download link, as it requires you to establish a secure transmission channel between your systems and those of the receiving organisation. For most startups, responding to direct transmission requests will require technical planning and may involve API development or integration work.
Requests that are manifestly unfounded or excessive can be refused or subject to a reasonable fee, but these exceptions are interpreted narrowly by the Data Protection Commission. It is safer to treat most requests as valid and respond within the deadline than to risk a finding of non-compliance by incorrectly applying an exemption. Logging all data subject requests, including portability requests, and the actions taken in response is good practice for demonstrating accountability.
The most effective way to manage portability obligations is to design your systems with data export in mind from the start. For SaaS products and platforms, this means building a data export function that allows users to download their data in a standard format directly from their account settings. A self-service export function reduces the operational burden on your team and allows you to respond to portability requests immediately without manual intervention.
If your product stores data in a proprietary format, you will need to build a translation layer that converts it to an interoperable format for export. Document the format you use and ensure the exported data is accompanied by sufficient metadata to make it meaningful to a receiving system. This documentation is also useful when you receive requests from individuals who want to understand what data you hold about them, complementing your response to data controller obligations under the right of access.
For Irish startups, the portability right cuts both ways. As a provider, you must facilitate customers leaving and taking their data. As a challenger to established players, you can use portability to make it easier for customers to migrate to your platform. Building a seamless import flow that accepts common export formats from competitor platforms reduces friction for new customers and can be a meaningful product differentiator in competitive markets.
The broader GDPR compliance and corporate compliance obligations around data portability should be documented in your privacy policy and communicated clearly to users. Explaining how to make a portability request, what format the data will be provided in, and how long a response will take builds trust and demonstrates that your business takes individual rights seriously. This transparency is increasingly valued by enterprise customers and investors carrying out data processing due diligence on your platform.
