Portability of the data: one of the rights introduced by the GDPR

Portability of the data: one of the rights

The new General Data Protection Regulation (GDPR), other than data portability, confirms several rights of the data subject. Data subjects have the:

  1. Right to be informed;
  2. Right of access;
  3. Right to rectification;
  4. Right to restriction of processing;
  5. Right to erasure (right to be forgotten);
  6. Right to object;
  7. Rights related to automated individual decision-making, including profiling;

Last but not least, the right to data portability introduced by article 20 of the Regulation.


GDPR introduces as a key point of the Regulation, side by side with the accountability principle, the control of the data subject on its data.


Right to portability

As previously said, article 20 of the Regulation describes this right. On this purpose, the Regulation says:


  1. “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

    1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
    2. the processing is carried out by automated means.
  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others

Data portability: conditions

As we just said, there are a few conditions that qualify data as “portable”. Data must:

  • come from a processing carried out by automated means;
  • be related to the data subject;
  • not be anonymous.

How can we define “portable” data? The data subject must provide an:

  • explicit;
  • informed;
  • unambiguous;

consent. As a consequence, none of the data created by the data controller related to another processing can be considered as “portable”. For the same reasons, none of the data derived from consent-given-data can be considere “portable” as well.

Data portability: duties of the data controller

Data controllers have some reponsabilities concerning this right:

  • informative duties;
  • risk analysis related to portability process;
  • the implementation of the adequate measures both on a technical and organizational level to ensure the right to portability.

To this end, Swascan developed a concrete approach to face these requirements. Clicking on the button below you can start a free trial of our cloud solution to run a GDPR Assessment:


As far as the data controller who tranfers the data is concerned, he will not be responsible for any additional processing carried out by other data controllers or by the data subject himself.

Swascan for Compliance

Swascan allows companies to face the upcoming legislative requirements through different tools:

  • dedicated cybersecurity services that lead companies to Security Management;
  • a specific GDPR consultancy conducted by professionals in the field;
  • a GDPR Assessment service that allows companies to test their GDPR compliance level and provides an action plan to bridge the gap.


In order to assure to your business the best tool available, Swascan together with Raoul Chiesa ( Raoul Chiesa interview ) developed a special cybersecurity platform. It is completely in Cloud, Pay per Use and SaaS. You can see for yourself in our brochure: Cybersecurity platform and have an in-depth look at our services. Our four services cover all the governance needs in terms of risk management and periodic assessment. Basically, the right tools to understand your focus areas are Vulnerability Assessment, Network Scan, Code Review and GDPR Assessment. Last but not least, don’t forget GDPR: our platform is 100% GDPR compliant ( GDPR infographic ) and to provide a full documentation here you can find some information about the new figure introduced by this law: DPO .


Network scan: introduction and summary
OWASP Top 10: which are the main threats?

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.