Under the General Data Protection Regulation (GDPR), personal data always relates to a data subject. Data subject rights and freedoms are at the heart of data protection law—but who is and who isn’t a data subject isn’t always clear.
Data subjects could include your customers, employees, contractors—or even just visitors to your website. All data subjects have rights, and it’s your job to fulfil them. Read on to learn more about data subjects and how to avoid violating data subjects’ rights.
Who is a data subject?
In the EU and UK GDPR, a “data subject” is defined as an “identified or identifiable natural person”. But this definition might not be entirely clear.
What is a ‘natural person’?
A “natural person” is a human being—a living individual. This definition excludes:
- Dead people.
- Legal persons (e.g. corporations, charities, and other non-humans with legal rights).
So, a dead person is not a data subject. But as EU guidance notes, information about a dead person can relate to a living person.
What is an ‘identified or identifiable natural person’?
To be a data subject, a natural person must be “identified or identifiable”, either “directly or indirectly”.
EU guidance provides a helpful explanation here:
- A person is “identified” if “within a group of persons” they are “distinguished from all other members of the group”.
- A person is “identifiable” if it is possible to identify them.
You can directly identify a person via their name.
You could indirectly identify a person via all sorts of information, including their IP address, mobile ID, cookie data, etc.
If information can identify a natural person, it’s (normally) personal data.
What is personal data?
Personal data is information relating to a data subject.
What information counts as “personal data”? There’s no exhaustive list. But the GDPR provides some examples, including:
- A name
- An identification number
- Location data
- An online identifier
- Information about a person’s “physical, physiological, genetic, mental, economic, cultural or social identity”
- An IP address
- Cookie identifiers
- RFID tags
This shows that the concept of “personal data” is very broad. Besides customers, business partners, and employees, you also might collect personal data from people simply visiting your website or downloading your app.
The UK’s data regulator offers some guidance on how to tell whether information is personal data: Consider any “reasonably likely” way that you or another person could use the information to identify an individual.
GDPR data subject vs the CCPA/CPRA definition
How is a data subject defined in the California Consumer Privacy Act (CCPA), recently amended by the California Privacy Rights Act (CPRA)?
The CCPA uses the term “consumer” rather than “data subject”. Under the CCPA, a consumer is “a natural person who is a California resident”.
Other US state privacy laws, like the Virginia Consumer Data Protection Act (VCDPA), have similar definitions relative to their own states.
Data subject rights
Data subjects have rights under the GDPR. Data subjects can exercise their rights directly against any data controller that processes personal data about them.
- The right to be informed: You must provide information about how you process personal data, whether a data subject requests it or not.
- The right of access: A data subject can request information about how you use their data and request a copy of their data.
- The right to rectification: A data subject can request that you correct false or out-of-date data about them.
- The right to erasure: A data subject can request that you erase their data.
- The right to restrict processing: A data subject can request that you stop processing their data in a particular way.
- The right to data portability: A data subject can ask for a copy of their data in a “machine-readable format”.
- The right to object: A data subject can object to you using their data in specific ways, for example for direct marketing.
- Rights around automated individual decision-making: A data subject has the right to object to certain important automated decisions.
There are some exceptions to each of these rights. But if you decide to refuse a request, you must explain why.
Data subject rights requests can come in any format, but some companies set up an online portal to help streamline requests.
Data subject access request
The data subject access request (“DSAR” or “SAR”) is the most common type of data subject rights request.
A data subject can use a DSAR to request a copy of any personal data about them that you control. A data subject can also request information about:
- Why you process their personal data.
- Who else might receive their personal data.
- How long you will store their personal data.
- Their data subject rights.
- Where you obtained their personal data.
- Whether they will be subject to automated individual decision-making or profiling.
- Whether their personal data will be transferred to a non-EU country, and if so, what safeguards are in place to protect it.
You must respond to a DSAR “without undue delay” and within one month. You can take an extra two months where necessary. You cannot normally charge a fee.
How can companies protect themselves from violating data subject rights?
Failing to fulfil a valid data subject rights request can be a serious GDPR violation.
Recent data from the UK regulator shows that it received over 1,300 complaints about the “right to access”—more than any other type of complaint. Failing to fulfil a data subject’s request can damage customer trust and harm a company’s reputation.
Organisations can violate data subject rights because they don’t have an accurate personal data inventory.
Consider this recent €3,700 GDPR fine relating to the “right to be informed”. The company’s privacy notice mischaracterised how data subjects’ information was processed and was not available in all the relevant languages. The penalty was relatively small, but the investigation took nearly two and a half years.
The GDPR’s requirements can seem overwhelming. But compliance is possible if you take data protection seriously, employ a systematic approach, and use the right tools.
Privasee provides the features you need to become GDPR compliant. With just a few questions and a scan of your website, Privasee can provide these GDPR compliance tools:
- Personal data inventory: The backbone of GDPR compliance, helping you understand how personal data flows through your organisation.
- Self-updating policies: Privasee uses AI to generate and maintain privacy policies and cookie banners in multiple languages.
Like your business, data protection regulation is constantly evolving. Privasee keeps your privacy policies up-to-date, helping you focus on growing your company and serving your customers.
Respecting the rights of data subjects is a cornerstone of GDPR compliance.
Here are some key takeaways:
- A data subject is an “identified or identifiable natural person”—a living individual.
- Personal data can take many forms, from names to IP addresses and device data.
- Data subjects have rights under the GDPR, and it’s your responsibility to fulfil them.
To learn how Privasee can help you meet your legal obligations to data subjects, book a demo today.
And keep an eye on the Privasee blog for more resources on data protection and privacy compliance.
Can a non-citizen be a data subject?
Yes—anyone can be a data subject, including residents, refugees, tourists, and even people outside of a country where the GDPR directly applies.
Whether a person is a citizen of a European country is not relevant to whether they are a data subject.
Can people outside Europe be data subjects?
Yes, people outside of Europe can be data subjects.
The GDPR applies to organisations that process personal data in the context of their activities in the EU (or the UK, or the wider European Economic Area).
So if you’re based in the UK (for example), and your customers include people in the UK and the US, they can all be data subjects with the same data subject rights.
But we’re a US company: Are we responsible for EU or UK data subjects?
Yes, the GDPR applies if you offer products or services in the EU or UK—or even if you use Europeans’ data in your ad-targeting campaigns.
Can a child be a data subject?
Yes, a child can be a data subject. The GDPR has specific rules for personal data about children, but they can still be data subjects.
If someone from outside the EU travels into the EU, are they a data subject?
Yes. If your company is covered by the GDPR, the law applies to any processing of personal data in the context of your European operations. The nationality of data subjects isn’t relevant.