The right to data portability is one of eight basic rights enforced by the GDPR.

It allows us to request data that the controller holds about us and to reuse it for our own purposes.

The data must be received “in a structured, commonly used and machine-readable format”. The actual format is not specified, but we can assume that standard formats, such as XML, may apply/

The right to data portability applies:

• To personal data that an individual has provided to a data controller;

• When the processing is carried out by automated means; and

• Where the processing is based on the individual’s consent or for the performance or a contract.

However, it doesn’t include any additional information that the organization has created based on the information provided – such as a user profile.

Note that the right to data portability doesn’t apply if the organization uses legitimate interests or public interest to process personal data – or if the data is pseudonymized.