Right to data portability (GDPR Art. 20)

The right to data portability (GDPR Art. 20) is designed for switching: bank, telco, energy, social network, fitness app. You get your data in a format you can import elsewhere. What do you get? A copy of personal data you provided yourself, in a structured, commonly used, machine-readable format (CSV, JSON, XML). Optionally direct transfer to another controller. Which data qualifies? Only data that: (a) you provided (forms, inputs, observed behaviour like clicks/searches), AND (b) is processed on the basis of consent OR contract, AND (c) is processed by automated means. NOT covered: data derived by the business itself (e.g. credit score, personality profile) — those fall under access rights, not portability. Also NOT: data processed for legal obligation or public interest (tax authority, employment authority). Practical examples: Spotify listening history, Strava activities, Gmail emails, Google Drive files, Bol.com order history, bank statements (PSD2 separate). How to request? Written request specifying what + where you want it sent (yourself or third party). 1-month response time. First copy free. Escalation example: Booking.com offers a Self-Service Data Download in account settings. If that fails? Email dpo@booking.com — clock runs from your request.