Data Portability

Updated: 2026-05-06

Plain English Translation

Data subjects have the right to receive a copy of their personal data in a structured, commonly used, and machine-readable electronic format when processing is carried out by electronic means. This right to portability enables individuals to reuse their data with other services and fosters transparency about how their information is handled. The right does not apply where data is used solely for scientific or statistical research or in investigations related to criminal or tax matters.

Executive Takeaway

Organizations must provide individuals with a secure, machine-readable electronic copy of their personal data upon request, enabling them to transfer their information elsewhere.

Impact: Medium
Complexity: High

Why This Matters

  • Enhances user trust and avoids regulatory friction by allowing consumers to maintain true control over their digital identities.
  • Failure to honor data portability requests can trigger investigations by the National Privacy Commission and result in compliance penalties.
  • Supports fair market competition by preventing unfair vendor lock-in, aligning with modern global privacy standards.

What “Good” Looks Like

  • Self-service portals allow users to initiate and download data exports securely without requiring manual support intervention, while tools like WatchDog Security's Compliance Center can help track request evidence and control status.
  • Data is reliably exported in standardized, machine-readable formats such as JSON, CSV, or XML.
  • Export workflows are tightly coupled with strict identity verification protocols to prevent unauthorized data exfiltration, and tools like WatchDog Security's Secure File Sharing can provide encrypted delivery, TOTP verification, and audit logs.

It is the right of a data subject to obtain a copy of their personal data in an electronic or structured format that is commonly used and allows for further independent use.

Data portability is required when personal data is processed by electronic means and is kept in a structured and commonly used format, particularly for commercial purposes.

Personal data must be provided in an electronic or structured format that is commonly used, such as CSV, JSON, or XML, enabling the data subject to easily reuse or transfer it.

Any data subject whose personal data is actively being processed electronically by a personal information controller can invoke this right, provided exceptions do not apply.

Yes, the right to data portability explicitly applies in scenarios where personal data is processed by electronic means and not exclusively via manual filing systems.

The organization must verify the requestor's identity, extract their personal data securely, and provide it in a machine-readable format without undue delay.

It refers to standardized, machine-readable file formats—such as CSV, XML, or JSON—that software applications and databases can easily parse, read, and process.

The right to access entitles a user to view their data and understand processing details, whereas portability requires providing the raw data in a format suitable for transfer to another system.

CISOs should include robust identity verification, secure data extraction tools, encryption during the transfer phase, and strict logging mechanisms to prevent unauthorized exfiltration. Tools like WatchDog Security's Secure File Sharing can support controlled delivery of exported data with verification and audit trails.

Organizations must maintain a Data Subject Request Log detailing the request date, identity verification steps, the specific data format provided, and the completion timeline. Tools like WatchDog Security's Compliance Center can help organize this evidence and connect it to the relevant RA 10173 control requirements.

Data portability requests create evidence that must be tracked consistently, including request intake, identity verification, export format, approval, delivery, and completion timelines. Tools like WatchDog Security's Compliance Center can centralize this evidence, map it to RA 10173 control requirements, and help teams demonstrate that portability workflows are operating as designed.

Exported personal data can create breach risk if it is sent through ordinary email or unmanaged file transfer channels. Tools like WatchDog Security's Secure File Sharing can support encrypted delivery, TOTP verification, and audit logs so teams can prove who accessed the export and when.

PHILIPPINES-DPA IRR Section 36

"The data subject shall have the right, where personal data is processed by electronic means and in a structured and commonly used format, to obtain from the personal information/data controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject."

PHILIPPINES-DPA IRR Section 37

"The immediately preceding sections on the transmissibility of the rights of data subjects and the right to data portability shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research... Likewise, the said sections are not applicable to processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject."

Version | Date | Author | Description
1.0.0 | 2026-05-06 | Compliance Content Team | Initial publication