Who Is A Data Subject Under GDPR?

Alex Franch
February 1, 2023

Who is a Data Subject under GDPR?

The concept of Data Subject is pivotal to the functioning of GDPR. All the rights and responsibilities laid down by the law revolve around the data subject. Simply stated, a data subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

The articles and recitals of the GDPR point towards five aspects of the definition of ‘Data Subject’. The definition covers the following aspects of a data subject:

Located in the EU

Resident of EU

Citizen of the EU

An EU Resident/citizen located anywhere

Personal Data in the EU

1. Located in the EU

An individual can be termed as Data Subject when he is physically present within the borders of the European Union. Article 3(2) of the regulation clearly specifies that the data subjects should be present in the Union. For example, a Citizen of Eu who is physically located in the EU and provides personal information while purchasing insurance.

2. Resident of EU  

An individual can be considered a data subject irrespective of citizenship if she is physically present in the EU and formally resides in any part. Recital 2 of GDPR makes the applicability of the law clear by specifying that nationality should not be a barrier while respecting fundamental rights and freedom. For example, students who are non- EU  citizens and residing in the EU for educational purposes enjoy the protection of GDPR.  

3. Citizen of the EU

The citizens of the EU will be considered data subjects if they possess formal citizenship of the EU and are physically present within the Union.

4. An EU Resident/Citizen Located Anywhere

Any resident or citizen of the EU will be considered a data subject with regard to the processing of their personal information irrespective of their physical location at the time of processing. For example, an Eu citizen who is located in the US and provides personal information during booking of the hotel will be considered a data subject un GDPR.

5. Personal Data in the EU

A data subject is any living individual whose data is being processed in the EU. Irrespective of the residence, citizenship or physical location of the data subject. For example, the data of a non-EU citizen when processed in the EU will be considered personal data of a data subject under GDPR.


The GDPR provides inconsistent explanations while referring to the term data subject. It often leads to the assumption that a data subject is an EU citizen as there is no formal description of who exactly is a data subject. The concept of the data subject is much more than citizens and encompasses students, tourists, residents and much more within its ambit. An analysis of articles 3(2) and recitals 2,14,24 provides a clear picture and in-depth understanding of the same.


This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.

Share this post
Alex Franch
Co-Founder & CEO
Get Compliant in <1 Hour

Are you Fully GDPR Compliant?

Ensure your policies are always up to date with Privasee, an AI powered GDPR compliance solution that does it all.