Right to data portability process

right-to-portability-processDomain: data-privacyType: process

Description

Right-to-portability (GDPR Article 20, with analogues in CCPA, LGPD, and most second-generation privacy laws) gives a data subject the ability to receive their personal data in a structured, commonly used, machine-readable format and, where technically feasible, to have it transmitted directly from one controller to another. The portability right is narrower than the access right: it covers data the subject provided plus data observed during the use of the service, processed on the lawful basis of consent or contract, and excludes derived or inferred data. The operational pieces are the export pipeline (CSV, JSON, or a domain-specific schema where one exists), the format documentation that explains what fields the export contains and how they map to the data subject's product experience, and the controller-to-controller transmission path for the cases where the subject names a destination provider rather than asking for a download. Most platforms run this against the same intake and verification flow as DSARs; the divergence is in the export format itself, which often surfaces inconsistencies in how the product has been recording observed data over the years.

Required by (13 regulations)

CCPA/CPRA
CCPA §1798.100(d) — receive data in portable + machine-readable format.
Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102
CPA
Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3
CTDPA
Conn. Gen. Stat. §§42-515 to 42-525
GDPR
Article 20 — right to data portability.
Regulation (EU) 2016/679 of the European Parliament and of the Council
Indiana CDPA
Iowa CDPA
LGPD
Article 18 § V — data portability.
Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)
PIPA
Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)
Tennessee IPA
TDPSA
Tex. Bus. & Com. Code §§541.001-541.205
Thailand PDPA
VCDPA
Va. Code §§59.1-575 to 59.1-585
EU DMA
DMA Article 6(9) — effective end-user portability of data, free of charge, including continuous, real-time access. Goes beyond GDPR Article 20 reactive-export obligation.
Regulation (EU) 2022/1925

Fulfilled by (3)

transcend · full · medium effort · $$
onetrust · partial · medium effort · $$
In-house build · medium effort

ClearLaunch does not accept payment from vendors. Methodology.

Evidence formats

export endpoint
portability format spec
portability log

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Description

Required by (13 regulations)

CCPA/CPRA

CCPA §1798.100(d) — receive data in portable + machine-readable format.

Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

CPA

Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

CTDPA

Conn. Gen. Stat. §§42-515 to 42-525

GDPR

Article 20 — right to data portability.

Regulation (EU) 2016/679 of the European Parliament and of the Council

Indiana CDPA

Iowa CDPA

LGPD

Article 18 § V — data portability.

Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

PIPA

Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

Tennessee IPA

TDPSA

Tex. Bus. & Com. Code §§541.001-541.205

Thailand PDPA

VCDPA

Va. Code §§59.1-575 to 59.1-585

EU DMA

DMA Article 6(9) — effective end-user portability of data, free of charge, including continuous, real-time access. Goes beyond GDPR Article 20 reactive-export obligation.

Regulation (EU) 2022/1925