How to Exercise Your Right to Data Portability
A practical guide to requesting your data from online services and moving it to new platforms. Your data belongs to you.
Under GDPR, you have the right to data portability – the ability to receive your personal data from a service provider in a usable format and transfer it elsewhere. This guide shows you how to exercise this right effectively.
Understanding Data Portability
Data portability isn’t just about downloading your data (that’s the right of access). Portability specifically means receiving your data in a structured, commonly used, and machine-readable format that you can then transfer to another service.
This right applies to:
- Data you actively provided (profile info, posts, messages)
- Data generated by your activity (usage history, location data)
It does not apply to:
- Inferences or analysis the company made about you
- Data that would reveal others’ personal information
Step-by-Step Guide
Step 1: Identify What You Want
Before making a request, consider:
- Which services hold significant amounts of your data?
- What do you want to do with the data?
- Are you switching to a competitor who can accept the data?
Step 2: Find the Right Channel
Most major services have dedicated data portability tools:
| Service | Where to Find It |
|---|---|
| Google | takeout.google.com |
| | Settings > Your Information > Download |
| | Settings > Privacy > Download Data |
| Twitter/X | Settings > Your Account > Download Archive |
| Spotify | Privacy Settings > Download Data |
| | Settings > Get a copy of your data |
For services without automated tools, you’ll need to make a formal request.
Step 3: Making a Formal Request
If there’s no self-service option, email the company’s Data Protection Officer (DPO) or privacy team. Include:
Subject: Data Portability Request under GDPR Article 20
Dear Data Protection Officer,
I am writing to exercise my right to data portability under
Article 20 of the General Data Protection Regulation.
Please provide all personal data concerning me that I have
provided to your service, in a structured, commonly used,
and machine-readable format (such as JSON or CSV).
For identity verification: [Include relevant account details]
I look forward to your response within 30 days as required
by the GDPR.
[Your name]
Step 4: What to Expect
The company must respond within 30 days (extendable to 90 for complex requests). You should receive:
- A downloadable file in formats like JSON, CSV, or XML
- Clear documentation of what’s included
- No charge for the first request
Step 5: Using Your Data
Once you have your data:
- Review it – You may be surprised what’s been collected
- Import it – Many services accept competitors’ data exports
- Store it safely – Your personal data needs protection
Common Challenges and Solutions
“We can’t verify your identity”
Provide additional verification like:
- Screenshot of your account settings
- Copy of ID (only if absolutely necessary)
- Verification from the email on file
“This would take too long”
Companies cannot refuse or delay without good reason. If they try:
- Ask for partial delivery within 30 days
- Remind them of their legal obligations
- Contact your national data protection authority
“The format isn’t usable”
If they provide data in an obscure format:
- Request re-delivery in a standard format
- Specify acceptable formats (JSON, CSV, XML)
Why This Matters
Data portability helps:
- Prevent lock-in – Switch services without losing your history
- Enable competition – New services can accept your existing data
- Empower you – Your data should work for you, not trap you
Pro Tips
- Regular exports – Don’t wait until you’re leaving a service
- Check completeness – Companies sometimes “forget” certain data
- Combine with erasure – Export first, then request deletion if leaving
- Document everything – Keep records of requests and responses