GRCWatch
Sign inStart free trial

GDPR Article 20: Implementing the Right to Data Portability

Data portability is a cornerstone of GDPR rights—your organization must enable data subjects to receive and reuse their personal data across services. This control requires you to export data in structured, commonly used formats when processing is based on consent or contract. Non-compliance risks significant fines and erodes customer trust.

What this means

When a data subject requests their personal data, you must provide it in a structured, commonly used, machine-readable format (such as CSV or JSON) if the processing was based on their consent or a contractual relationship. You must also transmit that data directly to another controller if technically feasible. This right applies only to automated processing and gives individuals control over their information across different services.

How to comply

  1. 1.Identify all systems where you process personal data based on consent or contract
  2. 2.Design data export functionality that outputs in standard formats (CSV, JSON, XML)
  3. 3.Establish a process to respond to portability requests within 30 days
  4. 4.Implement technical controls to transmit data securely to third-party controllers when requested
  5. 5.Document your data portability procedures and train staff on handling requests
  6. 6.Test export functionality quarterly to ensure accuracy and completeness
  7. 7.Maintain audit logs of all portability requests and fulfillment dates

Evidence auditors look for

  • Data export logs showing structured format outputs (CSV/JSON) with timestamps
  • Documented standard operating procedures for data portability requests
  • API or technical infrastructure enabling third-party data transfers
  • Records of request fulfillment within 30-day SLA timeframes
  • Data mapping documentation showing all consent/contract-based processing
  • User-facing portability request mechanisms (forms, self-service portals)
  • Third-party data transfer logs with controller authentication

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates data portability workflows by mapping your consent and contract-based processing, generating structured exports on demand, and logging all requests for audit evidence—eliminating manual tracking and reducing compliance risk.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR Article 15 - Right of AccessGDPR Article 17 - Right to ErasureGDPR Article 5 - Data Subject RightsISO 27701:2019 Privacy Controls