Data portability

 Article 20 and Recital 68 of the Applied GDPR relate to this right.

This right is limited in its application and can only be exercised in respect of personal data:

Data 'provided' by the individual, is not limited to information that has been typed in, such as a username or email address. It may include data the controller has gathered from monitoring the individual's activities when a device or service has been used. This may include:

The right does not apply in circumstances where:

Action to be taken by controllers

The exercise of this right does not

Refusing a request

Controllers may refuse to comply with a data portability request, but must be able to justify its decision.

Requests may be refused in cases where:

Non-compliance with requests to exercise rights

If the controller is not taking action on the request of the individual to exercise any right, it must inform the individual “without delay” (and within ONE month of receipt of the request) about:

Further guidance

Guidance on the right to data portability has been endorsed by the European Data Protection Board, which should be referred to for further information.

This is available at: