What is the right to data portability?

The right to data portability under GDPR Article 20 allows individuals to receive their personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller without hindrance. This right applies when processing is based on consent or contract, and when processing is carried out by automated means. For email marketing, this means subscribers can request their data in a portable format and potentially transfer it to a competing service or use it for their own purposes.

Portability applies specifically to data the individual provided to you-both actively provided data (email address, name, preferences they entered) and observed data (engagement behavior, click history). It doesn't cover derived or inferred data (analysis results, scores, predictions you generated about them). The data must be provided in a commonly used format-typically structured formats like CSV, JSON, or XML. If technically feasible and requested by the individual, you should transmit the data directly to another controller.

For email marketers, portability requests are less common than access or erasure requests, but you should be prepared. Your systems should support exporting subscriber data in standard formats. Consider what data qualifies as "provided" versus "derived" and document this distinction. The one-month response deadline applies. Note that portability is distinct from access-portability focuses on machine-readable formats for reuse, while access is about understanding what's held. Data portability gives people ownership of their data by letting them take it with them-it's their information, and they can move it where they want.