Guide: Data Privacy

Rights to Data Portability

Anyone who pays for a service or product entrusts that business with their personal information. This personal information includes standard sensitive PII such as credit card numbers and addresses, but it also covers customers’ preferences.

There are plenty of security measures employed to keep data safe when it is stationary, but what happens when the data needs to be moved?

For the safety of everyone involved, it is vital to enact strict data portability rights when a party receives sensitive information about others, such as customers or clients.

To better understand the rights to data portability, this article discusses the following topics:

What is Data Portability?

Data portability refers to the right to have your data transferred safely and securely from one location to another. Individuals may have the right to obtain their personal information from a data-relevant authority in a way that allows them to reuse their data in another setting. Additionally, data holders may have the right to communicate this data to another data controller of their selection without being hindered. However, certain circumstances are necessary for the application of these rights.

What is the Right to Data Portability?

Individuals can have a legal right to collect and utilize their personal information to fulfill their goals across various organizations. This right is also known as the right to data portability. It enables them to transport, duplicate, or transmit personally identifiable information (PII) easily from one IT system to the next securely and confidentially, without impacting the usefulness of the data.

Consumers can take advantage of programs and services that utilize this information to get a better deal or comprehend their spending patterns. This right applies exclusively to an individual’s information voluntarily supplied to a processor.

GDPR Data Portability

One of the eight rights mandated by the GDPR, also known as the General Data Protection Regulation, is the right to have your data moved easily from one system to another.

When a data subject exercises their right to have their data moved from one operator to another, this is known as data portability.

What is the Right to Data Portability in GDPR?

Subjects can have their personal data transported straight from one controller to another, provided this is technically possible, there are no adverse effects, and it does not harm the rights and freedoms of another person. This right does not apply to the treatment of personal data required to fulfill a task conducted in the public interest or the execution of official power conferred by the controller. 

Availability to Portably Store and Retrieve Data?

Data portability rights are only applicable where automated methods handle personal information provided by the data subject. Moreover, the data subject must have agreed before the processing is undertaken. This understanding must be settled in the form of an agreement between the person and the data controller. This right only applies to the degree that it does not infringe upon the rights or freedoms of other people. If this right is invoked, data controllers are obligated to reveal what information they have and how they transmit this information.

In situations where data portability rights are applicable, data controllers must disclose and communicate personal information in a widely used, organized format that is machine-readable. 

A data subject has the authority to request that a data controller communicate information to another data controller, provided that such communication is technically feasible.

Requirements When PII is the Result of a Request

When you receive personally identifiable information sent as part of a petition for data portability, you are obligated to process this information in accordance with the standards for data protection.

When determining if it is appropriate to accept and keep personal data, consider whether you can defend the following conditions: 

  • the extent to which the data is pertinent to the objectives for which it will be treated
  • whether it is overly extensive in relation to those objectives
  • whether the data incorporates any information from a third party


If you acquire personal information that does not meet the three requirements, then you should destroy it as quickly as possible. 

If instead you receive and keep the data, you must adhere to the General Data Protection Regulation (GDPR). This job typically falls to the controllers, who are tasked with ascertaining whether they have suitable and morally correct grounds for handling the data. In addition, it must be clear that such processing does not compromise the rights and liberties of the third parties in question.

The controller will need to ensure that the person who has asked for the portability of their data is the only one with access to any third-party information and that this data is only used for the person’s own needs.


Data portability has become more and more relevant in today’s world. The capacity to transfer data from one location to another is critical for businesses that must comply with legislation like the General Data Protection Regulation or GDPR. The right to data portability represents one of the General Data Protection Act principles that should have the most significant impact and bring about the greatest transformations in the industry.

Satori can ensure that all PII is secured and that you meet your data portability obligations through dynamic data masking and auditing and monitoring capabilities. To learn more about how Satori can help you secure data during processing, schedule a demo with one of our experts.

Last updated on November 13, 2022
