
Right to data portability process

ID: right-to-portability-process · Domain: data-privacy · Type: process

Description

A working data-portability process produces the subject's personal data in a structured, commonly used, machine-readable format on request, and, where technically feasible, transmits it directly from one controller to another at the subject's instruction. The components are an export pipeline (CSV, JSON, or a domain-specific schema where one exists), a format specification that documents what fields the export contains and how they map to the data subject's product experience, an intake and verification flow shared with the DSAR access right, and a controller-to-controller transmission path for the cases where the subject names a destination provider rather than asking for a download.

The scope of the right is narrower than access, and the line matters. Portability covers data the subject provided plus data observed during the use of the service, processed on the lawful basis of consent or contract; it excludes derived or inferred data (the model output, the segment label, the risk score). Most platforms run portability against the same intake as access and then filter on lawful basis at export time. The divergence is in the export format itself, which usually surfaces inconsistencies in how the product has been recording observed data over the years (timestamp inconsistencies, field renames that were never backfilled, columns that read one way in the database and another way in the UI).

The Digital Markets Act sits above the reactive-export baseline. DMA Article 6(9) requires designated gatekeepers to offer effective end-user portability free of charge, including continuous, real-time access via APIs rather than one-off file downloads, which is a meaningful step up from the GDPR Article 20 model. The US state portfolio (Colorado, Connecticut, Virginia, Texas, Tennessee, and the rest of the second-wave statutes) tracks the GDPR Article 20 contour with statute-specific response windows and verification standards.

Evidence formats that hold up include the published export endpoint, the portability format specification keyed to the data inventory, and the per-request portability log showing request, verification, export production, and (where applicable) destination-controller transmission timestamps.
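
The export-time filter described above, sketched as an added example (not Magist's code or any vendor's): each field is looked up in a data inventory that records its origin and lawful basis, and only provided or observed data processed under consent or contract is exported. The inventory layout, field names, and sample record are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed data inventory: field -> (origin, lawful basis). Hypothetical names.
INVENTORY = {
    "email":          ("provided", "contract"),
    "marketing_tags": ("provided", "consent"),
    "last_login":     ("observed", "contract"),
    "fraud_flags":    ("observed", "legitimate_interest"),
    "risk_score":     ("derived",  "contract"),
    "segment_label":  ("inferred", "consent"),
}
PORTABLE_ORIGINS = {"provided", "observed"}
PORTABLE_BASES = {"consent", "contract"}
TIMESTAMP_FIELDS = {"last_login"}

def in_scope(field):
    """Fail closed: a column missing from the inventory is never exported."""
    origin, basis = INVENTORY.get(field, (None, None))
    return origin in PORTABLE_ORIGINS and basis in PORTABLE_BASES

def normalize_ts(value):
    """Render epoch seconds or ISO 8601 strings as one UTC ISO 8601 form."""
    if isinstance(value, (int, float)):
        dt = datetime.fromtimestamp(value, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive values are UTC
    return dt.astimezone(timezone.utc).isoformat()

def build_export(record):
    """Return (export_json, excluded_fields); the exclusions feed the request log."""
    exported, excluded = {}, []
    for field in sorted(record):
        if not in_scope(field):
            excluded.append(field)
            continue
        value = record[field]
        exported[field] = normalize_ts(value) if field in TIMESTAMP_FIELDS else value
    return json.dumps(exported, indent=2), excluded

# Constructed subject record; "legacy_col" stands in for an un-inventoried column.
SAMPLE = {"email": "subject@example.test", "last_login": 1700000000,
          "risk_score": 0.82, "segment_label": "high-value",
          "fraud_flags": ["velocity"], "legacy_col": "?"}

if __name__ == "__main__":
    body, skipped = build_export(SAMPLE)
    print(body)
    print("excluded:", skipped)
```

Recording the excluded field names alongside the request gives the per-request portability log a trace of what was withheld and why, without copying the values themselves.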

Required by (13 regulations)

  • CCPA/CPRA

    CCPA §1798.100(d) — receive data in portable + machine-readable format.

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

  • CPA

    Colo. Rev. Stat. §§6-1-1301 to 6-1-1313; 4 CCR 904-3

  • CTDPA

    Conn. Gen. Stat. §§42-515 to 42-525

  • GDPR

    Article 20 — right to data portability.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • Indiana CDPA
  • Iowa CDPA
  • LGPD

    Article 18 § V — data portability.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • PIPA

    Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

  • Tennessee IPA
  • TDPSA

    Tex. Bus. & Com. Code §§541.001-541.205

  • Thailand PDPA
  • VCDPA

    Va. Code §§59.1-575 to 59.1-585

  • EU DMA

    DMA Article 6(9) — effective end-user portability of data, free of charge, including continuous, real-time access. Goes beyond GDPR Article 20 reactive-export obligation.

    Regulation (EU) 2022/1925


Fulfilled by (3)

  • transcend · full · medium effort · $$
  • onetrust · partial · medium effort · $$
  • In-house build · medium effort

Magist does not accept payment from vendors. Methodology.

Evidence formats

  • export endpoint
  • portability format spec
  • portability log

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.


© 2026 Magist