The Data Subject Explored

What is a data subject?

Within the meaning of the GDPR, a Data Subject is any identified or identifiable natural person whose personal data concerning him or her is processed.

The General Data Protection Regulation (GDPR) has introduced many new concepts and definitions in order to categorize certain situations or actors that are involved in dealing with personal data.

One of these new actors is the “Data Subject”. While the term “data subject” is prominently featured in the GDPR, similar concepts and terminology are found in other data protection laws and regulation around the world. For example, the Brazilian General Data Protection Law (mainly inspired by the GDPR) refers to data subjects as “natural persons”. The California Consumer Privacy Act (CCPA) uses the term “consumers” to refer to the persons whose personal data are being processed. While the exact terminology may vary, the underlying concept of protecting the individuals’ rights and privacy with respect to their personal data is a common thread in many data protection and privacy laws across the globe.

Let’s break down this definition:

What is an "identified or identifiable natural person"?

  • “Identified”: Means a natural person whose identity is clearly known.
  • “Identifiable”: Means a natural person who can reasonably be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to specificities linked to his/her physical, physiological, genetic, mental, economic, cultural or social identity condition.

A natural person is a legal term that refers to an individual human being as opposed to a legal person. Natural persons are distinct from legal entities such as corporations or non-profit organizations. Any living human being, regardless of age, gender nationality, or other characteristics is considered a natural person.

Therefore, data subjects within the meaning of the GDPR do not include persons who are not or no longer identifiable: legal persons or deceased natural persons.

A natural person can be identified either:

  • directly (e.g. by first and last name, national registry number);
  • indirectly (e.g. by a telephone or license plate number, an identifier such as a social security number, a postal or e-mail address, but also by voice or image).

A natural person can be identified:

  • from a single piece of data (e.g. the person’s name, a picture);
  • from a combination of data (for example: a woman living in Brussels, working in restaurant A and who is 45 years old). Taking each piece of personal data would not allow you to identify anyone but taken together they can.

On the other hand, a company’s contact details (for example, “company A” with its postal address, telephone number and a generic contact e-mail “”) are not considered personal data.[1]

What is personal data?

Personal data can be defined as any information relating to an identified or identifiable person. But because it concerns individuals (data subjects), they must retain control over it.

Any information?

This component encompasses a lot of things, covering both “objective” details such as an individual’s weight or eye colour and “subjective” information like a personal scoring or a work evaluation. Moreover, it is not confined to any specific format, as personal data can be present in various forms (videos, audio, photographic data etc.).

To illustrate what we have just said, a patient’s drawing of their family created as part of a psychiatric evaluation to assess their feelings toward different family members could qualify as personal data[2]. In this context, the drawing unveils information about the child’s mental health, as assessed by a psychiatrist, and provides insights into their parents’ behaviour.

Related Article

Data Subject Rights Explained

Data subject's rights

The GDPR puts the data subject at the center of its philosophy and thus intends to limit the risks to his or her rights and freedoms as a result of the processing of personal data concerning him or her.

As such, the data subject has a certain number of rights over the data concerning him or her, which he or she may exercise against the data controller:

  • The right to be informed about the processing;
  • The right to access the data about him/her;
  • The right to delete (also known as the right to be forgotten) his/her personal data;
  • The right to object;
  • The right to restrict the processing of his/her personal data;
  • The right to data portability (i.e: being able to import his/her data from a service provider to go to another one).
  • The right to rectification, in the case that his/her personal data seems to be incorrect.
  • The right not to be subject to automated decision making.

For organizations handling personal data, compliance with GDPR is not just a legal obligation but a commitment to respecting individuals’ privacy. Data controllers (ex: a company) and processors (ex: a digital secretariat that pays employees’ salaries for the company) must implement robust data protection measures, provide clear privacy notices, and establish mechanisms to fulfil Data Subjects’ rights promptly. Find more information on Data Subject Rights in our blog article.


To sum everything up, the notion of “data subject” was introduced by the GDPR to refer to any natural person whose personal data is being processed. The GDPR is all about protecting these data subjects from abuses that might arise from the processing of their personal information. Being a data subject grants you a series of rights that can be exercised against the person that is using your data.

Handle Data Subject Rights Requests with ease

Manage your Data Subject Requests effortlessly with RESPONSUM’s, automated, and structured approach.

Frequently asked questions regarding the topic:

Can a non-EU citizen be considered a data subject?

Anyone can potentially be considered a data. This includes non-residents, tourists, refugees. The status of being an EU citizen does not determine whether someone qualifies as a data subject. If they are on the EEA territory, the GDPR applies.

For example, a Chinese family visiting Paris will be protected by the GDPR and will therefore be considered data subjects if they provide their personal information during their stay (ex:  the hotel using their personal data to make the reservation).

Can people outside Europe be data subjects?

Yes, article 3 of the GDPR states that it applies “to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU regardless of whether the processing takes place in the Union.”

For example, if your company is based in Belgium and your customers include US people, they will be considered data subject and will thus have the same protection and rights as your EU customers.

Are family members considered data subjects?

By definition if you are considered to be a data subject within the meaning of the GDPR means that the GDPR rules and principles apply to you (granting you specific rights).

Let’s take the scenario of a family that is planning a ski trip. The mother makes all the online reservations (hotel, transport, ski rental etc.). In order to do this she needs her family to provide her with the necessary information (Identification information). If we look at this situation with the GDPR in mind, she is processing her family’s personal data, and they should thus be considered data subjects.

In this case, family members will not be considered data subjects. Why? Because the GDPR does not apply when processing data solely for domestic purposes.

Can inaccurate information about someone fall under the definition of personal data?

Even if information relating to a specific individual is inaccurate—either due to factual errors or if it pertains to a different individual—it still qualifies as personal data because it relates (it is connected) to that individual.

If the information is so inaccurate that no individual can be identified from it either on its own or when combined with additional information, then, in such a case, the information may not be considered personal data. Accuracy and the potential for identification are key factors in determining whether data qualifies as personal data[3].

Let’s take an example to illustrate that situation. Two people living in the same building (person A and B), both are wearing glasses. The landlord received numerous complaints from other neighbours regarding the fact that a neighbour that wears glasses is causing troubles in the building (person A). The landlord records the information mistakenly relating it to person B. This incorrectly attributed information is still considered personal information even though it is inaccurate that might need to be corrected.

Furthermore, an opinion regarding an individual can also be classified as personal data, regardless of its accuracy. The subjective nature of opinions means that they can still be considered personal data if they relate to an identifiable individual, even if the opinion itself is not factually accurate[4].


Liked reading this article? Spread the word!

Get the inside scoop on simplified privacy management

Get exclusive tips ‘n tricks straight to your inbox. Join +1,100 privacy professionals already subscribed and stay ahead of the game!

Written by

Ted André

Consultant @ CRANIUM


Copyright © RESPONSUM BV

ISO certification logo