European citizens have a catalogue of rights against the processing of their personal data that goes far beyond the classic right of access or rectification. The right to data portability (art. 20 of Regulation (EU) 2016/679) and the right to object (art. 21 of the same Regulation) are two of the most relevant and, at the same time, two of those that generate the most uncertainty in organisations when handling requests. When can portability be exercised? What is the difference from the right of access? In which cases is objection to direct marketing non-deniable? This article answers those questions with normative rigour and provides an operational guide for organisations that must respond to this type of request.
The right to data portability (art. 20 GDPR): what it is and when it applies
The right to data portability is governed by Article 20 of Regulation (EU) 2016/679 (GDPR). It enables the data subject to receive the personal data concerning them that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data directly to another controller where technically feasible.
Its purpose is to promote data mobility and reduce users' dependency on a specific platform or company. If a customer wants to take their data from one digital health service provider to another, or a user wishes to migrate their transaction history from a financial application, the right to data portability is the legal instrument that makes this possible.
Cumulative conditions that must be met
Article 20(1) GDPR establishes that the right to data portability is only exercisable when two cumulative conditions are met:
- The processing is based on the data subject's consent (art. 6(1)(a) or art. 9(2)(a) GDPR) or on the performance of a contract to which the data subject is party (art. 6(1)(b) GDPR).
- The processing is carried out by automated means.
If the processing is based on a legal obligation, the exercise of public authority or the controller's legitimate interests, the right to data portability cannot be exercised. It also does not apply when processing is carried out in a purely manual manner or on paper records.
This means that portability is particularly relevant for: online service platforms where the user is a contractual customer, health, wellness or sports applications that process data on the basis of consent, and digital financial or telecommunications services.
What data does portability cover?
The right to data portability only covers data that the data subject has provided to the controller. This encompasses data actively provided (name, email address, purchase history, declared preferences) and data generated by the data subject's activity on the service (browsing history, location records, transactions). It does not cover inferred or derived data that the controller has generated internally from processing: risk scores, segmentation profiles, predictive analyses or any intellectual elaboration produced by the controller itself.
Portability versus the right of access: key differences
A common source of confusion among organisations is treating portability as equivalent to the right of access under Article 15 GDPR. These are distinct rights with different purposes. A clear understanding of this distinction is essential for giving the correct response to each request.
| Feature | Right of access (art. 15 GDPR) | Right to data portability (art. 20 GDPR) |
|---|---|---|
| Purpose | To know what data are processed and how | To obtain data in a reusable format and transfer them |
| Required legal basis | Any legal basis under art. 6 GDPR | Only consent (art. 6(1)(a)) or contract (art. 6(1)(b)) |
| Response format | Readable copy; paper format also permitted | Structured, commonly used and machine-readable format (CSV, JSON, XML…) |
| Direct transmission to another controller | Not provided for | Yes: direct transmission may be requested where technically feasible |
| Data covered | All personal data of the data subject held by the controller | Only data provided by the data subject (not inferred data) |
| Automated processing | Not required | Yes, mandatory condition |
From an operational standpoint, when an organisation receives a request that the data subject describes as a "portability" request, it must verify before responding whether the legal basis for the processing is consent or contract. If it is not, the organisation must inform the data subject accordingly and let them know that the right of access may be exercised instead, where applicable.
The data subject rights management service at Summum Consultoría includes the design of internal procedures to identify the legal basis applicable to each category of processing and to issue correct, complete and documented responses within the statutory deadline.
The right to object (art. 21 GDPR): basis and modalities
The right to object enables the data subject to object, at any time, to the processing of their personal data. It is governed by Article 21 GDPR and has two modalities with substantially different legal regimes.
Objection to processing based on legitimate interests or the exercise of public authority
Where processing is based on Article 6(1)(e) GDPR (a task carried out in the public interest or in the exercise of official authority) or Article 6(1)(f) (the legitimate interests of the controller), the data subject may object to processing on grounds relating to their particular situation. Once the request is received, the controller must stop processing the data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is necessary for the establishment, exercise or defence of legal claims.
In practice, this scenario is the most complex, because it requires the controller to carry out a specific balancing assessment for each request: the objection cannot be denied generically, nor can standard templates be applied without analysing the particular circumstances put forward by the data subject.
Objection to direct marketing: absolute regime
Article 21(2) and (3) GDPR establishes a specific and far more protective regime for direct marketing. Where processing is carried out for the purposes of direct marketing — including profiling to the extent that it is related to such direct marketing — the data subject has the right to object at any time to processing of personal data concerning them for such marketing. In this case, the controller must cease processing immediately, with no possibility of refusal and without the data subject needing to provide reasons for their request.
This is especially relevant for companies that send commercial communications by email, SMS, push notifications or any other channel. If the recipient objects, the cessation must be complete for that purpose: it is not sufficient to unsubscribe them from one type of communication if other communications of a commercial nature continue to be sent.
Article 21(4) GDPR also requires that the data subject be explicitly informed of this right to object to direct marketing, at the latest at the time of the first communication with them, and in a clearly visible manner and separately from any other information.
Operational procedure in the organisation: a step-by-step guide
Correctly handling portability and objection requests requires a documented procedure applied uniformly by all staff who may receive them. The following describes a recommended workflow applicable to organisations of any size and sector.
Step 1: receipt channel and acknowledgement
The organisation must have a clear and accessible channel for receiving requests to exercise rights: a dedicated web form, a dedicated email address or a physical counter. An acknowledgement must be sent to the data subject stating the date of receipt, since the response deadline — one month from that date, pursuant to Article 12(3) GDPR — begins to run from that moment. The deadline may be extended by a further two months where requests are complex, but the extension must be communicated to the data subject within the first month.
Step 2: verification of the requester's identity
Before providing any data or taking any measure, the controller must verify the identity of the requester. Article 12(6) GDPR allows additional information to be requested where there are reasonable doubts about the identity of the data subject. This verification must be proportionate to the risk: it is not appropriate to require extensive documentation for low-risk requests, but it is legitimate to request it where the data concerned are sensitive or the volume is high.
Step 3: analysis and classification of the request
For portability requests: verify that the processing affected is based on consent or contract and that it is carried out by automated means. Identify the data provided by the data subject that are eligible for portability, distinguishing them from inferred data that fall outside the scope of the right.
For objection requests: determine whether the purpose affected is direct marketing — in which case the objection is absolute and immediate — or whether it is another purpose based on legitimate interests or public interest, which requires the balancing exercise described in Article 21(1) GDPR. If the data subject puts forward a particular situation, the controller must assess it individually and document the reasoning.
Step 4: response and implementation of the measure
For portability: provide the data in a structured, commonly used and machine-readable format (CSV, JSON, XML or another open and interoperable format), or transmit them directly to the new controller if the data subject so requests and it is technically feasible. It is not valid to deliver data in a proprietary format that only the company's own software can process.
For objection to direct marketing: execute removal immediately across all affected channels and record the date of the objection. For objection on grounds of legitimate interests: communicate the reasoned decision — granting or refusing the objection — to the data subject within the legal deadline, together with information about their right to lodge a complaint with the AEPD (Agencia Española de Protección de Datos — the Spanish Data Protection Authority).
Step 5: internal documentation of the case file
Record the request received, the identity verification carried out, the legal analysis performed, the decision taken and the date on which it was communicated to the data subject. This documentation is essential to demonstrate compliance to the AEPD should the data subject subsequently lodge a complaint. The LOPDGDD (Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales — Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights) does not modify this procedural regime, but its Article 74 classifies as a minor infringement the mere failure to respond to requests to exercise the rights under Articles 15 to 22 GDPR, whereas impeding, obstructing or repeatedly failing to address those rights is a serious infringement (Art. 73 LOPDGDD).
If your organisation needs to design or review these procedures, the team at Summum Consultoría can support you in adapting to the GDPR on data subject rights, with protocols tailored to your sector and to the volume of requests typical in organisations in Castilla y León and the Canary Islands.
Applicable penalty regime
Failure to comply with obligations relating to the rights of portability and objection may be sanctioned under Article 83 of Regulation (EU) 2016/679. Infringement of the data subjects' rights regulated in Articles 12 to 22 GDPR falls within Article 83(5)(b), which provides for fines of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The AEPD is the competent authority in Spain for supervising compliance with the GDPR and the LOPDGDD, and may act on its own initiative, at the request of a data subject or following its own detection of signs of non-compliance. The correct handling of requests to exercise rights — with a timely response, documented case file and effective implementation of the measure — is one of the factors the AEPD considers when determining liability and the proportionality of the sanction.
Frequently asked questions
Can an organisation charge a fee for handling a portability request?
As a general rule, no. Article 12(5) GDPR establishes that requests to exercise rights are free of charge. Only where requests are manifestly unfounded or excessive — in particular because of their repetitive character — may the controller charge a reasonable fee based on administrative costs, or refuse to act. In both cases, the controller must demonstrate the manifestly unfounded or excessive character of the request; the burden of proof lies with the controller, not with the data subject.
What format should I use to deliver data in response to a portability request?
The GDPR does not prescribe a specific format, but requires that it be structured, commonly used and machine-readable. The most common formats are CSV, JSON and XML. The AEPD recommends using open and interoperable standards. It is not valid to deliver data in a proprietary format that only the company's own software can read, because that would deprive the right to data portability of any practical effect: the data subject would not be able to reuse them or transmit them to a new controller.
Does objection to direct marketing also cover profiling?
Yes. Article 21(2) GDPR is explicit: the right to object to direct marketing also covers profiling to the extent that it is related to direct marketing. Therefore, if a company creates profiles to segment advertising campaigns and the data subject objects, the company cannot retain the profile even if it stops sending communications: it must cease both the sending and the profiling for that purpose. This interpretation is reinforced by the guidelines of the European Data Protection Board.
What happens if the data subject objects on grounds of legitimate interests and the organisation considers that their grounds do not prevail?
The controller may refuse the objection if it can demonstrate compelling legitimate grounds that override the interests of the data subject, or if the processing is necessary for the establishment, exercise or defence of legal claims (art. 21(1) GDPR). It must communicate the reasoned refusal to the data subject within the legal deadline, including information about their right to lodge a complaint with the AEPD or to bring judicial proceedings. The burden of proof regarding the prevalence of the grounds lies with the controller: it is not sufficient to invoke legitimate interests in a generic way; the balancing exercise must be specific and documented.