By
Robert Bateman
April 1, 2023
Under the General Data Protection Regulation (GDPR), personal data always relates to a data subject. Data subject rights and freedoms are at the heart of data protection law—but who is and who isn’t a data subject isn’t always clear.
Data subjects could include your customers, employees, contractors—or even just visitors to your website. All data subjects have rights, and it’s your job to fulfil them. Read on to learn more about data subjects and how to avoid violating data subjects’ rights.
In the EU and UK GDPR, a “data subject” is defined as an “identified or identifiable natural person”. But this definition might not be entirely clear.
A “natural person” is a human being—a living individual. This definition excludes:
So, a dead person is not a data subject. But as EU guidance notes, information about a dead person can relate to a living person.
To be a data subject, a natural person must be “identified or identifiable”, either “directly or indirectly”.
EU guidance provides a helpful explanation here:
You can directly identify a person via their name.
You could indirectly identify a person via all sorts of information, including their IP address, mobile ID, cookie data, etc.
If information can identify a natural person, it’s (normally) personal data.
Personal data is information relating to a data subject.
What information counts as “personal data”? There’s no exhaustive list. But GDPR provides some examples, including:
This shows that the concept of “personal data” is very broad. Besides customers, business partners, and employees, you also might collect personal data from people simply visiting your website or downloading your app.
The UK’s data regulator offers some guidance on how to tell whether information is personal data: Consider any “reasonably likely” way that you or another person could use the information to identify an individual.
How is a data subject defined in the California Consumer Privacy Act (CCPA), recently amended by the California Privacy Rights Act (CPRA)?
The CCPA uses the term “consumer” rather than “data subject”. Under the CCPA, a consumer is “a natural person who is a California resident”.
Other US state privacy laws, like the Virginia Consumer Data Protection Act (VCDPA), have similar definitions relative to their own states.
Data subjects have rights under the GDPR. Data subjects can exercise their rights directly against any data controller that processes personal data about them.
There are some exceptions to each of these rights. But if you decide to refuse a request, you must explain why.
Data subject rights requests can come in any format, but some companies set up an online portal to help streamline requests.
The data subject access request (“DSAR” or “SAR”) is the most common type of data subject rights request.
A data subject can use a DSAR to request a copy of any personal data about them that you control. A data subject can also request information about:
You must respond to a DSAR “without undue delay” and within one month. You can take an extra two months where necessary. You cannot normally charge a fee.
Failing to fulfil a valid data subject rights request can be a serious GDPR violation.
Recent data from the UK regulator shows that it received over 1,300 complaints about the “right to access”—more than any other type of complaint. Failing to fulfil a data subject’s request can damage customer trust and harm a company’s reputation.
Organisations can violate data subject rights because they don’t have an accurate personal data inventory.
Consider this recent €3,700 GDPR fine concerning the “right to be informed”. The company’s privacy notice mischaracterised how data subjects’ information was processed and was not available in all the relevant languages. The penalty was relatively small, but the investigation took nearly two and a half years.
The GDPR’s requirements can seem overwhelming. But compliance is possible if you take data protection seriously, employ a systematic approach, and use the right tools.
Privasee provides the features you need to become GDPR compliant. With just a few questions and a scan of your website, Privasee can provide these GDPR compliance tools:
Like your business, data protection regulation is constantly evolving. Privasee keeps your privacy policies up-to-date, helping you focus on growing your company and serving your customers.
Respecting the rights of data subjects is a cornerstone of GDPR compliance.
Here are some key takeaways:
To learn how Privasee can help you meet your legal obligations to data subjects, book a demo today.
And keep an eye on the Privasee blog for more resources on data protection and privacy compliance.
Yes—anyone can be a data subject, including residents, refugees, tourists, and even people outside of a country where the GDPR directly applies.
Whether a person is a citizen of a European country is not relevant to whether they are a data subject.
Yes, people outside of Europe can be data subjects.
The GDPR applies to organisations that process personal data in the context of their activities in the EU (or the UK, or the wider European Economic Area).
So if you’re based in the UK (for example), and your customers include people in the UK and the US, they can all be data subjects with the same data subject rights.
Yes, the GDPR applies if you offer products or services in the EU or UK—or even if you use Europeans’ data in your ad-targeting campaigns.
Yes, a child can be a data subject. The GDPR has specific rules for personal data about children, but they can still be data subjects.
Yes. If your company is covered by the GDPR, the law applies to any processing of personal data in the context of your European operations. The nationality of data subjects isn’t relevant.
Ensure your policies are always up to date with Privasee, an AI-powered GDPR compliance solution that does it all.