Right to Data Portability
The right to data portability is the GDPR Article 20 right to receive certain personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller.
Definition
The right to data portability is a data-protection right under Article 20 of the General Data Protection Regulation. It lets a person receive personal data they provided to a controller in a structured, commonly used, machine-readable format, and transmit that data to another controller without hindrance.
The right is narrower than a general export right. It applies when processing is based on consent or contract and is carried out by automated means. It also includes a direct-transfer right from one controller to another where technically feasible.
For AI systems, portability is the right to move provided data and service histories. It matters when users, workers, creators, or customers need reusable copies of prompts, conversations, ratings, preferences, transaction histories, settings, annotations, playlists, or other provided records that shape automated services.
Scope
Article 20 focuses on personal data concerning the person that they have provided to the controller. Guidance treats access and portability as related but distinct rights. Access can reveal what a controller processes; portability supports reuse and transfer in a format that another system can process.
The right does not require disclosure of every inferred profile, trade secret, model weight, internal score, or third-party personal data. It also must not adversely affect the rights and freedoms of others. A useful export therefore separates provided records from internal analysis and from information that belongs to other people.
The right matters for AI lock-in. A conversational agent, hiring platform, learning system, recommender, marketplace, or productivity suite can become more useful as it accumulates user-provided history. Portability asks whether that history can travel without turning the person into a captive of one model, one platform, or one vendor memory layer.
How It Works
A portability workflow needs intake, identity or account matching, the data categories requested, the lawful basis for the relevant processing, the automated systems involved, export format, delivery method, security controls, direct-transfer target if any, completion date, and any excluded categories with reasons.
AI systems add format and provenance problems. A raw JSON dump may be machine-readable but unusable without schemas, timestamps, field descriptions, units, source labels, and version information. A polished PDF may be readable by a person but fail the portability purpose if another service cannot process it.
Good design treats portability as an interoperability feature. Exports should be structured, documented, stable enough to reuse, and scoped tightly enough to protect other people. Where direct transfer is technically feasible, the controller should preserve security, authentication, and evidence that the transfer happened without avoidable friction.
Governance and Safety
The governance value of portability is that it weakens data lock-in. If a platform's advantage comes from user histories, preferences, annotations, and work records, portability gives people and organizations a path to reuse their own contributed data elsewhere.
The safety limit is that portability is not full transparency, correction, erasure, objection, or model audit. It should connect to Data Subject Access Requests, Right to Rectification, AI Data Provenance, AI Procurement, and Platform Monopoly Power where switching costs shape dependence on AI services.
Evidence Record
For AI-related systems, preserve the portability request, identity verification, data categories included, data categories excluded, lawful basis check, export schema, file format, delivery method, direct-transfer target, security controls, completion date, and response sent to the person.
The record should distinguish raw provided data, observed-use data, inferred data, derived scores, model outputs, third-party data, and system metadata. That distinction is essential because portability rights attach differently across those categories, while AI products often display them together as one seamless memory.
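The export design under How It Works and the category split described here, as an added example that is not code from any controller or regulator. The schema, the field names, the `mentions_others` flag, and the rule that only the "provided" category is exported are assumptions made for illustration; which categories are in scope is decided outside this code.

```python
import json
from datetime import datetime, timezone

# Categories named in the evidence record described above.
CATEGORIES = {"provided", "observed", "inferred", "derived_score",
              "model_output", "third_party", "system_metadata"}
# Assumption: only "provided" is exported; scoping is a legal decision made elsewhere.
PORTABLE = {"provided"}
# Hypothetical schema shipped inside the export so another service can parse it.
SCHEMA = {"schema_version": "1.0", "fields": {
    "id": "record identifier", "type": "record kind, e.g. prompt or rating",
    "created_at": "ISO 8601 timestamp", "source": "originating feature",
    "value": "content the person provided"}}

def build_export(subject_id, records, now=None):
    """Split records into a documented export and an evidence record of exclusions."""
    now = (now or datetime.now(timezone.utc)).isoformat()
    included, excluded = [], []
    for rec in records:
        cat = rec.get("category")
        if cat not in CATEGORIES:
            reason = "unclassified, held for review"  # fail closed
        elif cat not in PORTABLE:
            reason = "category outside configured portable set"
        elif rec.get("mentions_others"):
            reason = "contains third-party personal data"
        else:
            included.append({k: rec[k] for k in SCHEMA["fields"]})
            continue
        excluded.append({"id": rec["id"], "category": cat, "reason": reason})
    export = {"schema": SCHEMA, "subject_id": subject_id,
              "generated_at": now, "records": included}
    evidence = {"subject_id": subject_id, "completed_at": now,
                "format": "application/json",
                "included_categories": sorted(PORTABLE), "excluded": excluded}
    return export, evidence

def _rec(rid, category, rtype, value, **extra):
    return {"id": rid, "category": category, "type": rtype, "value": value,
            "created_at": "2026-01-05T10:00:00+00:00", "source": "chat_ui", **extra}

SAMPLE = [  # constructed records, not real data
    _rec("r1", "provided", "prompt", "Summarise my notes"),
    _rec("r2", "inferred", "interest_score", 0.82),
    _rec("r3", "provided", "message", "Ask Dana about it", mentions_others=True),
    _rec("r4", None, "trace", "tool call log"),
]
if __name__ == "__main__":
    print(json.dumps(build_export("subject-123", SAMPLE), indent=2))
```

The export carries its own schema and only whitelisted fields, while every withheld record appears in the evidence output with a reason, so excluded categories are documented rather than silently dropped.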
Source Discipline
Do not collapse portability into access, backup, scraping, account migration, or a proprietary export button. Article 20 has specific trigger conditions, format requirements, and transfer language.
Use EUR-Lex for the GDPR text. Use European Commission, EDPB, ICO, and national supervisory-authority guidance to operationalize the right. Vendor export claims should be checked against data categories, schemas, authentication, third-party rights, direct-transfer support, and practical reusability.
Spiralist Reading
The right to data portability is the demand that memory not become a cage.
The institution prefers enclosure: the chat history stays here, the preference graph stays here, the ratings stay here, the workflow traces stay here. Portability says that some of what a person gave to the system should be able to leave in a form another system can understand.
For Spiralism, the important distinction is between export theater and usable passage. A portable record should carry enough structure to move, but not so much hidden profiling that the person becomes more exposed by leaving.
Open Questions
- Which AI memory fields count as data provided by the person rather than inferred data?
- How much schema documentation is necessary before an export is genuinely reusable?
- When should agent platforms support direct controller-to-controller transfer instead of downloadable files?
- How can portability protect third-party personal data inside conversations, messages, and collaborative workspaces?
- Can portability reduce AI platform lock-in without increasing fraud, impersonation, or data-broker reuse?
Related Pages
- Data Subject Access Requests
- Right to Rectification
- Right to Restriction of Processing
- Right to Object
- Data Protection Impact Assessment
- Data Protection Officer
- Records of Processing Activities
- AI Data Provenance
- AI Procurement
- Platform Monopoly Power
- Digital Identity
- Rich Authorization Requests
- Contextual Integrity
Sources
- EUR-Lex, Regulation (EU) 2016/679, General Data Protection Regulation, Article 20 and Recital 68, reviewed June 25, 2026.
- European Commission, Can individuals ask to have their data transferred to another organisation?, reviewed June 25, 2026.
- European Data Protection Board, Respect individuals' rights, SME data protection guide, reviewed June 25, 2026.
- UK Information Commissioner's Office, Right to data portability, guidance page, reviewed June 25, 2026.
- Irish Data Protection Commission, The right to data portability (Article 20 of the GDPR), reviewed June 25, 2026.