GDPR Article 20 — Right to Data Portability
The GDPR right requiring controllers to provide personal data in a machine-readable format for transfer to another controller — creating meaningful interoperability obligations for engineering teams.
Article 20 of the GDPR grants data subjects the right to receive personal data they have provided to a controller "in a structured, commonly used and machine-readable format" and to transmit that data to another controller without hindrance, where: the processing is based on consent (Article 6(1)(a) or Article 9(2)(a)) or on a contract (Article 6(1)(b)); and the processing is carried out by automated means. The right applies only to data "provided by" the data subject — which the EDPB Guidelines WP242 rev 1 on Data Portability interpret broadly to include observed data (behavioral data, activity logs, sensor data, location history) in addition to explicitly submitted data. Inferred data (profiles, scores, segmentation labels derived from processing) is explicitly excluded. The controller must respond to portability requests within one month.
The engineering obligation is to design export APIs that can faithfully represent the data subject's portable data in a structured format. "Structured, commonly used and machine-readable" means formats such as JSON, XML, or CSV — not proprietary binary formats or scanned PDFs. For complex data models (social networks, multimedia libraries, multi-account structures), the EDPB encourages controllers to participate in industry-led data portability initiatives such as the Data Transfer Project (DTP), which provides open-source data portability adapters for common platform types (photos, mail, contacts, tasks). The EU Digital Markets Act (DMA, Regulation (EU) 2022/1925) imposes more specific data portability requirements on designated "gatekeeper" platforms, including real-time API access for portability and interoperability with competing services.
Article 20(2) additionally grants the right of direct controller-to-controller transmission "where technically feasible." This creates a push-portability obligation: upon request, the controller must transmit data directly to a designated recipient controller, not just provide a download to the data subject. Implementation requires authenticated API endpoints that accept a portability request with a destination controller identifier and an access token, securely transmit the data package to the destination, and provide a confirmation receipt. Security requirements for portability endpoints are significant: a portability endpoint is a high-value target because it provides bulk access to personal data; it requires strong authentication (OAuth 2.0 with PKCE, device binding), rate limiting, and anomaly detection to prevent unauthorized exfiltration disguised as legitimate portability requests.
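The checks described above, as an added example that is not from the original page: the handler exports only provided and observed data, refuses requests whose target subject differs from the token's subject, accepts only registered destinations for direct transfer, and rate-limits per subject while logging refusals for anomaly review. The record layout, "origin" labels, destination registry, and rate-limit values are assumptions, and OAuth token validation is assumed to happen upstream.

```python
import json
import time

# Constructed sample records; field names and "origin" labels are assumptions.
RECORDS = [
    {"subject": "u1", "field": "email", "value": "a@example.org", "origin": "provided"},
    {"subject": "u1", "field": "login_history", "value": ["2024-05-01T08:00:00Z"], "origin": "observed"},
    {"subject": "u1", "field": "churn_score", "value": 0.82, "origin": "inferred"},
    {"subject": "u2", "field": "email", "value": "b@example.org", "origin": "provided"},
]
PORTABLE_ORIGINS = {"provided", "observed"}          # inferred data is out of scope
REGISTERED_DESTINATIONS = {"controller-b.example"}   # hypothetical vetted recipients
MAX_REQUESTS, WINDOW_SECONDS = 2, 30 * 24 * 3600     # assumed policy, not a GDPR figure


class PortabilityService:
    def __init__(self, records, clock=time.time):
        self.records, self.clock = records, clock
        self.history = {}   # subject -> timestamps of accepted requests
        self.alerts = []    # refused requests, kept for anomaly review

    def _refuse(self, subject, reason):
        self.alerts.append({"subject": subject, "reason": reason, "at": self.clock()})
        return {"status": "refused", "reason": reason}

    def handle(self, token_subject, requested_subject, destination=None):
        # token_subject is the identity from the already validated access token;
        # a request naming any other subject is refused and logged.
        if token_subject != requested_subject:
            return self._refuse(token_subject, "subject_mismatch")
        # Direct controller-to-controller transfer only to registered recipients.
        if destination is not None and destination not in REGISTERED_DESTINATIONS:
            return self._refuse(token_subject, "unknown_destination")
        now = self.clock()
        recent = [t for t in self.history.get(token_subject, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS:
            return self._refuse(token_subject, "rate_limited")
        self.history[token_subject] = recent + [now]
        # Canonical export: only this subject's provided and observed data, as JSON.
        data = {r["field"]: r["value"] for r in self.records
                if r["subject"] == token_subject and r["origin"] in PORTABLE_ORIGINS}
        package = json.dumps({"subject": token_subject, "data": data}, sort_keys=True)
        return {"status": "ok", "destination": destination or "download", "package": package}
```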
We design data portability architectures that maintain a canonical data subject export model decoupled from internal storage schemas, implement secure OAuth 2.0 portability API endpoints with rate limiting and anomaly detection, and build direct controller-to-controller transmission capabilities for Article 20(2) compliance. We also participate in Data Transfer Project adapter development for clients operating platform-scale services.