The classic trap
Article 20 is the DPO blind spot: organisations systematically confuse the right of access (Article 15) with the right to data portability (Article 20). The outcome, sanctioned by CNIL and CNPD: a company responds to a portability request by sending an 80-page PDF, whereas the rule requires a structured, commonly used and machine-readable format (JSON, CSV, XML). Worse, the EDPB guidelines (formerly WP242) clarify that the scope covers data actively provided AND observed data (browsing history, geolocation, usage logs), which most exports forget.
The 4 operational traps that bring down portability exports
- Proprietary format: a PDF export, a screenshot or a locked Excel file does NOT meet the machine-readable requirement. The de facto standard is documented UTF-8 JSON or CSV.
- Truncated scope: forgetting observed data (usage logs, behavioural scoring, transaction history), even though the EDPB explicitly includes them when they result from the data subject's activity.
- Legal basis confusion: applying Article 20 to processing based on legitimate interest or legal obligation. The right covers ONLY processing based on consent or contract.
- Undocumented technical infeasibility: refusing direct controller-to-controller transfer without written proof of infeasibility, whereas the CNPD demands a justification that can be relied upon before it.
How Luxgap automates this risk
Our Luxgap Portability Export Engine turns every Article 20 request into a signed JSON archive, produced in under 15 minutes, that can be relied upon before the CNPD. The tool connects read-only to your business systems (M365, Salesforce, Odoo, Sage BOB 50, Workday, Cegid, internal SQL databases) via native connectors, automatically identifies fields eligible for portability based on the legal basis recorded in your Article 30 register, and excludes derived or inferred data that fall outside the EDPB scope.
- Automatically detects the legal basis of each dataset by cross-referencing the processing register and consent policies, flagging fields as Article 20 eligible or excluded.
- Generates a documented UTF-8 JSON or CSV export with a self-describing schema, accompanied by a field dictionary readable by any receiving controller.
- Explicitly includes observed data (usage logs, transaction history, geolocation) in line with EDPB guidelines, without manual DPO intervention.
- Offers direct transmission via secure REST API or encrypted SFTP when the receiving controller is known, and cryptographically logs the event.
- Produces a timestamped PDF report, SHA-256 sealed, certifying the exact content transmitted, the date, the response delay (measured against the Article 12 one-month threshold) and excluded fields with legal justification.
- Detects misqualified requests (Article 15 disguised as Article 20) and automatically reroutes them to the appropriate workflow.
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module, depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real systems, with a free mock audit within 48h to measure your exposure before any commitment.