GDPR Article 20: portability is narrow — only user-provided data, only under consent/contract, excludes derived data

reference·Scope: business·Status: current

Created 2026-05-22

Claim: GDPR Article 20 grants a right to data portability in a "structured, commonly used and machine-readable format" — but only for data:

Processed by automated means
Under consent OR contract (not other lawful bases)
That the subject provided (not derived data)

Practical exclusions: SEO rankings, server logs, platform analytics, derived insights, and a website's own content/configuration are not legally portable under GDPR. The right covers personal data, not the website's business assets.

Sources: gdpr-info.eu; eur-lex.europa.eu (GDPR full text).

Confidence: Verified.

Implication: GDPR is often invoked rhetorically as "you have the right to your data" — but for the lock-in scenarios that matter most to SMB website owners (content, SEO rankings, plugin config, customer database structure), GDPR doesn't reach. The EU Data Act (see EU Data Act (Regulation 2023/2854): SaaS switching procedures effective Sept 2025; switching fees abolished by Sept 2027) goes further. Canadian Quebec Law 25 also covers more ground for personal data (Quebec Law 25: data portability effective Sept 22, 2024; penalties up to C$25M / 4% of worldwide turnover).

reference EU Data Act (Regulation 2023/2854): SaaS switching procedures effective Sept 2025; switching fees abolished by Sept 2027

GDPR Article 20: portability is narrow — only user-provided data, only under consent/contract, excludes derived data

Related

Referenced by (2)