A picture of a moving truck full of furniture

What is GDPR? Part 2 - Right to data portability

← Back to Blog
FAQ

GDPR has many parts. As a business, you need to comply with all of them as long as you have customers in the EU. However, some parts are more important than others.

In the previous blog post, we talked about the right of access. This allows people to ask if you have data about them. It's the starting point for everything else. Let's look at some other GDPR basics.

Right to data portability

Data portability is the right of individuals to request a copy of their data in an open format.

It is sometimes confused with the right to access. But they are not the same. The right to access is about knowing if you have data about someone. The right to data portability is about getting a copy of that data. Because once you have proof a company has data about them, you are now allowed to request a copy of it.

It is important to note that this only applies to information that is processed automatically. So if you have a paper file on someone, you do not have to provide a copy of it.

What format should I provide the data in?

You are required to provide this information. However, there are no requirements as to the format. As long as it is in an open, common, machine-readable format. So you can provide it in a format that is easy for you to export.

Most organizations will choose an open, familiar format such as CSV, Excel, JSON, or XML. This makes it easy for the user to import into other applications.

It is also possible to provide a way for users to access their own data. This is often done by providing a way to download their data. This way you don't have to process the request manually. For example, in WhatsApp, you can download your chat history.

Do I have to send it to another company?

Yes, but only if it is technically feasible for you to send the information directly to another company.

Any other requirements?

The right of access has explicit cost and speed requirements. The right to data portability does not. There is no mention in the GDPR laws about what you can ask for, in terms of fees or time. It is up to you.

Recap

  • Right to get a copy of their data
  • Only if the data is processed automatically
  • If possible, you should directly send it to another company
  • In an open machine-readable format
  • No requirements on costs or time

GDPR rights

Check out the other GDPR rights: