We use cookies to ensure that we give you the best experience on our website. Cookies enable us to provide you core functionalities such as security, network management and accessibility. They improve usability and performance through various features such as language recognition, search results and thereby improve what we offer to you.

For more information, please visit our Privacy Policy

DATA PORTABILITY AND ITS LIMITS

Data Portability And Its Limits
17 Jun

Data Portability And Its Limits

233 | CIPP-E Preparation | CIPP/E data-portability article-20 Data subject rights EDPB Guidelines

Data portability is the most over-claimed right in the GDPR. Candidates read Article 20, hear "get your data and move it", and assume it reaches everything a controller holds. It does not, and the CIPP/E exam earns its marks in the gap between what people assume and what the right delivers.

What data portability actually grants

Article 20 of the GDPR gives a data subject two things: a copy of certain personal data in a structured, commonly used and machine-readable format, and the right to send that data to another controller. Two conditions open the door. The processing must rest on consent or on a contract, and it must be carried out by automated means. Where it is technically feasible, the subject can ask for the transfer to run directly from one controller to the next. Format matters as much as content here. The data must arrive structured and machine-readable, so a flat PDF scan or a screenshot of records does not satisfy the right.

The exam ties this to the Body of Knowledge, the IAPP's official blueprint for what it can test; data portability sits at II.C.7, with its limits at II.C.8. Read the two together, because a question about the right is usually a question about its edges.

The data it covers, and the data it does not

The word that does the work in Article 20 is "provided". The EDPB guidelines on the right to data portability read it to include data the subject actively handed over, such as a form or an upload, and data observed from their use of a service, such as activity logs or location records. It does not include data the controller created about the subject. An inferred credit score, a risk segment, a recommendation profile: none of these are "provided", so none of them are portable. A stem that asks whether an algorithmic score must be ported is testing exactly this line, and the answer is no. Picture a music-streaming account. The playlists a user built and the history of tracks they played are provided or observed, so both travel with a portability request. The taste profile the service computed from that listening is inferred, so it stays behind.

Why the lawful basis gate matters

Article 20 is the only data subject right pinned to specific lawful bases. If the processing relies on legitimate interest, legal obligation, vital interests or a public task, portability simply does not apply. So before you reach for the right, check the basis. Candidates who skip that step answer confidently and wrongly. The lawful bases for processing are worth holding clearly in mind, because the gate closes on four of the six.

Where data portability stops

The limits are not footnotes; they are the substance of II.C.8. Article 20(3) removes processing carried out for a public task or in the exercise of official authority, which keeps much of the public sector outside the right. The same paragraph leaves the right to erasure untouched, so porting data does not settle what a controller must later delete; the right to erasure runs on its own conditions.

Article 20(4) adds a second brake. The right must not adversely affect the rights and freedoms of others. Where the subject's data is tangled up with third-party data, a controller cannot hand over the lot, and judgement is required about what to release. The direct controller-to-controller transfer in Article 20(2) carries its own limit too: it applies only where technically feasible, and no controller is obliged to build compatible systems it does not already have. The standard is genuine feasibility, not convenience; the limit excuses missing interoperability, not an unwillingness to use tools already in place.

Data portability versus the right of access

Most portability errors are really access errors wearing the wrong label. The right of access under Article 15 is broad. It covers all personal data a controller processes about the subject, on any lawful basis, and it produces a copy. Portability is narrower in reach but adds two features access lacks: a machine-readable format and the right to move the data onward. So when a stem offers access and portability as competing answers, sort them by scope and purpose. If the subject wants to see what is held, that is access. If the subject wants to take a defined, machine-readable set to a competitor, that is portability. The two can run together; one request may trigger both, and a careful answer keeps them separate rather than collapsing one into the other.

One line to carry into the exam

Portability covers provided data, on consent or contract, processed automatically, in a portable format, subject to the rights of others. Miss any clause and the right narrows or falls away.

If you want the qualifying conditions and the carve-outs on a single page, the study materials include a data portability checklist built for this exact distinction.

Share this Post

CIPP/E Prep Suite

CIPP/E Prep Suite

Study - Practice - Certify

GET CERTIFIED!

Ready to kick-start your career?

GET STARTED NOW

Categories

About The Blog

Stay up to date with the latest news, background articles, and tips for your study.

Our latest video

22Academy

Tailored Training Solutions

Let's find the best education solution for your situation. We will contact you for Free Support!

Success! Your message has been sent to us.
Error! There was an error sending your message.
It’s for:
We will only use your email address to contact you regarding your education needs. We do not sell your personal data to third parties.