Who is a Data Subject? - GDPR Terms You Should Know


Under the General Data Protection Regulation (GDPR), personal data always relates to a data subject. Data subject rights and freedoms are at the heart of data protection law—but who is and who isn’t a data subject isn’t always clear.

Data subjects could include your customers, employees, contractors—or even just visitors to your website. All data subjects have rights, and it’s your job to fulfil them. Read on to learn more about data subjects and how to avoid violating data subjects’ rights.

Who is a data subject?

In the EU and UK GDPR (Article 4(1)), a “data subject” is the “identified or identifiable natural person” to whom personal data relates. Each part of that definition needs unpacking.

What is a ‘natural person’?

A “natural person” is a human being—a living individual. This definition excludes:

  • Dead people.
  • Legal persons (e.g. corporations, charities, and other non-humans with legal rights).

So, a dead person is not a data subject. But as EU guidance notes, information about a dead person can still relate to a living person: a deceased parent’s hereditary condition, for example, says something about their living children, and that information is personal data about the children.

What is an ‘identified or identifiable natural person’?

To be a data subject, a natural person must be “identified or identifiable”, either “directly or indirectly”.

EU guidance provides a helpful explanation here:

  • A person is “identified” if “within a group of persons” they are “distinguished from all other members of the group”.
  • A person is “identifiable” if it is possible to identify them.

You can directly identify a person via their name. 

You could indirectly identify a person via all sorts of information, including their IP address, mobile ID, cookie data, etc.

If information can identify a natural person, it’s (normally) personal data.

What is personal data?

Personal data is information relating to a data subject.

What information counts as “personal data”? There’s no exhaustive list. But GDPR provides some examples, including:

  • A name
  • An identification number
  • Location data
  • An online identifier
  • Information about a person’s “physical, physiological, genetic, mental, economic, cultural or social identity”
  • An IP address
  • Cookie identifiers 
  • RFID tags

This shows that the concept of “personal data” is very broad. Besides customers, business partners, and employees, you also might collect personal data from people simply visiting your website or downloading your app.

The UK’s data regulator offers some guidance on how to tell whether information is personal data: Consider any “reasonably likely” way that you or another person could use the information to identify an individual.

GDPR data subject vs the CCPA/CPRA definition

How is a data subject defined in the California Consumer Privacy Act (CCPA), recently amended by the California Privacy Rights Act (CPRA)?

The CCPA uses the term “consumer” rather than “data subject”. Under the CCPA, a consumer is “a natural person who is a California resident”.

Other US state privacy laws, like the Virginia Consumer Data Protection Act (VCDPA), have similar definitions relative to their own states.

Data subject rights

Data subjects have rights under the GDPR. Data subjects can exercise their rights directly against any data controller that processes personal data about them.

  • The right to be informed: You must provide information about how you process personal data, whether a data subject requests it or not.
  • The right of access: A data subject can request information about how you use their data and request a copy of their data.
  • The right to rectification: A data subject can request that you correct false or out-of-date data about them.
  • The right to erasure: A data subject can request that you erase their data.
  • The right to restrict processing: A data subject can request that you stop processing their data in a particular way.
  • The right to data portability: A data subject can ask for a copy of the data they provided to you in a “structured, commonly used and machine-readable format”, and can ask you to transmit it to another controller where technically feasible.
  • The right to object: A data subject can object to you using their data in specific ways, for example for direct marketing (an objection to direct marketing must always be honoured).
  • Rights around automated individual decision-making: A data subject has the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significantly affects them, except in limited circumstances.

There are some exceptions to each of these rights. But if you decide to refuse a request, you must tell the data subject why, without delay and at the latest within one month, and inform them that they can complain to the supervisory authority and seek a judicial remedy.

Data subject rights requests can come in any format (email, letter, a social-media message, a phone call), and you cannot insist on a particular channel, though some companies set up an online portal to help streamline requests. Whatever the channel, confirm that the requester is who they claim to be before releasing anything: the GDPR lets you ask for additional information to confirm identity where you have reasonable doubts, and answering a DSAR to the wrong person is itself a personal data breach.

Data subject access request

The data subject access request (“DSAR” or “SAR”) is the most common type of data subject rights request. 

A data subject can use a DSAR to request a copy of any personal data about them that you control. A data subject can also request information about:

  • Why you process their personal data
  • Who else might receive their personal data.
  • How long you will store their personal data.
  • Their data subject rights.
  • Where you obtained their personal data.
  • Whether they will be subject to automated individual decision-making or profiling.
  • Whether their personal data will be transferred to a country outside the EU (or the UK), and if so, what safeguards are in place to protect it.

You must respond to a DSAR “without undue delay” and at the latest within one month of receiving it. You can extend that period by up to two further months where the request is complex or you have received a number of requests from the same person, but you must tell the data subject about the extension, and the reasons for it, within the first month. You cannot normally charge a fee; a “reasonable fee” (or a refusal) is only allowed where a request is manifestly unfounded or excessive, for example because it is repetitive.
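The one-month clock is where DSAR handling most often goes wrong in practice, because “one month” is a calendar rule rather than a fixed number of days. The tracker below is an added example written for this article, not code from Privasee or from the GDPR text itself. It assumes the UK ICO’s calendar rule: the deadline is the corresponding calendar date in the following month, or the last day of that month if no such date exists (a request received on 31 January is due on 28 or 29 February), and the two-month extension runs on from the original deadline, so an extended request is due three months after receipt. The request IDs and dates in the sample queue are constructed. Weekend and public-holiday adjustments are deliberately left out.

```python
"""Deadline tracker for data subject access requests (DSARs).

Added example, not part of the original article. Deadline rule assumed from
UK ICO guidance: corresponding calendar date in the following month, clamped
to the last day of that month when no such date exists. An extension under
Article 12(3) adds two further months, i.e. three months from receipt.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def add_months(d: date, months: int) -> date:
    """Corresponding calendar date `months` ahead of `d`, clamped to the last
    day of the target month when `d.day` does not exist there (31 Jan + 1 -> 28/29 Feb)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class Dsar:
    request_id: str          # hypothetical internal reference
    received: date           # date the request arrived, whatever the channel
    extended: bool = False   # set only once the data subject has been told, within month one
    closed: bool = False

    @property
    def deadline(self) -> date:
        # Article 12(3): one month, extendable by two further months.
        return add_months(self.received, 3 if self.extended else 1)

    @property
    def extension_notice_by(self) -> date:
        # Any extension (and the reasons for it) must be notified within the first month.
        return add_months(self.received, 1)

    def status(self, today: date) -> str:
        if self.closed:
            return "closed"
        if today > self.deadline:
            return "overdue"
        return "due_soon" if (self.deadline - today).days <= 5 else "open"


def triage(queue: list[Dsar], today: date) -> dict[str, list[str]]:
    """Group requests by status so overdue ones surface first."""
    buckets: dict[str, list[str]] = {"overdue": [], "due_soon": [], "open": [], "closed": []}
    for r in queue:
        buckets[r.status(today)].append(r.request_id)
    return buckets


# Constructed sample queue (hypothetical request IDs and dates).
SAMPLE_QUEUE = [
    Dsar("DSAR-001", date(2024, 1, 31)),                  # due 29 Feb 2024 (leap-year clamp)
    Dsar("DSAR-002", date(2023, 1, 31)),                  # due 28 Feb 2023
    Dsar("DSAR-003", date(2024, 2, 10), extended=True),   # due 10 May 2024
    Dsar("DSAR-004", date(2024, 2, 20), closed=True),
]

if __name__ == "__main__":
    today = date(2024, 3, 1)
    for r in SAMPLE_QUEUE:
        print(r.request_id, r.received, "->", r.deadline, r.status(today))
    print(triage(SAMPLE_QUEUE, today))
```

Run it as a script to see the sample queue triaged as of 1 March 2024: the two January requests are overdue, the extended one is open until 10 May. If you operate under a regulator that shifts a deadline falling on a weekend or public holiday to the next working day, add that adjustment in `deadline` rather than in `add_months`, so the notice deadline and the response deadline stay consistent.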

How can companies protect themselves from violating data subject rights?

Failing to fulfil a valid data subject rights request can be a serious GDPR violation.

Recent data from the UK regulator shows that it received over 1,300 complaints about the “right of access”, more than any other type of complaint. Failing to fulfil a data subject’s request can also damage customer trust and harm a company’s reputation.

Organisations often violate data subject rights simply because they don’t have an accurate personal data inventory: you cannot find, return, correct or erase personal data you don’t know you hold, or that sits in a tool nobody has mapped.

Consider this recent €3,700 GDPR fine concerning the “right to be informed”. The company’s privacy notice mischaracterised how data subjects’ information was processed and was not available in all the relevant languages. The penalty was relatively small, but the investigation took nearly two and a half years.

The GDPR’s requirements can seem overwhelming. But compliance is possible if you take data protection seriously, employ a systematic approach, and use the right tools.

Privasee provides the features you need to become GDPR compliant. With just a few questions and a scan of your website, Privasee can provide these GDPR compliance tools:

  • Personal data inventory: The backbone of GDPR compliance, helping you understand how personal data flows through your organisation.
  • Self-updating policies: Privasee uses AI to generate and maintain privacy policies and cookie banners in multiple languages.

Like your business, data protection regulation is constantly evolving. Privasee keeps your privacy policies up-to-date, helping you focus on growing your company and serving your customers. 


Respecting the rights of data subjects is a cornerstone of GDPR compliance. 

Here are some key takeaways:

  • A data subject is an “identified or identifiable natural person”—a living individual.
  • Personal data can take many forms, from names to IP addresses and device data.
  • Data subjects have rights under the GDPR, and it’s your responsibility to fulfil them.

To learn how Privasee can help you meet your legal obligations to data subjects, book a demo today. 

And keep an eye on the Privasee blog for more resources on data protection and privacy compliance.


Can a non-citizen be a data subject?

Yes—anyone can be a data subject, including residents, refugees, tourists, and even people outside of a country where the GDPR directly applies. 

Whether a person is a citizen of a European country is not relevant to whether they are a data subject.

Can people outside Europe be data subjects?

Yes, people outside of Europe can be data subjects. 

The GDPR applies to organisations that process personal data in the context of their activities in the EU (or the UK, or the wider European Economic Area).

So if you’re based in the UK (for example), and your customers include people in the UK and the US, they can all be data subjects with the same data subject rights.

But we’re a US company: Are we responsible for EU or UK data subjects?

Yes. The GDPR applies to organisations outside the EU or UK that offer goods or services to people in the EU or UK, or that monitor the behaviour of people there, for example by tracking Europeans for ad-targeting campaigns.

Can a child be a data subject?

Yes, a child can be a data subject. The GDPR has specific rules for personal data about children, but they can still be data subjects.

If someone from outside the EU travels into the EU, are they a data subject?

Yes. If your company is covered by the GDPR, the law applies to any processing of personal data in the context of your European operations. The nationality of data subjects isn’t relevant.

March 30, 2023
