Data subject: Understanding individual rights under GDPR
A data subject is any identified or identifiable natural person whose personal data is processed. Under the General Data Protection Regulation (GDPR), data subjects have specific privacy rights, and organizations processing their data must ensure transparency, security, and compliance.
A person becomes a data subject when their information—such as name, email, IP address, or biometric data—is collected, stored, or used by a company, government, or other entity. GDPR grants them the right to control, access, and protect their personal data.
Who is considered a data subject under GDPR?
A data subject is:
- Any living individual whose personal data is collected or processed.
- A customer, employee, or user interacting with a business or public authority.
- A resident of the European Economic Area (EEA) or anyone whose data is processed by an EEA-based organization.
Key rights of a data subject under GDPR
- Right to access – Individuals can request a copy of their personal data.
- Right to rectification – Inaccurate data must be corrected upon request.
- Right to erasure (right to be forgotten) – Individuals can ask for their data to be deleted.
- Right to restrict processing – Individuals can limit how their data is used.
- Right to data portability – Personal data must be transferable to another service provider.
- Right to object – Individuals can object to processing based on legitimate interests or direct marketing.
How organizations must handle data subject rights requests
Businesses and public authorities must respond to data subject rights requests (DSARs) promptly and securely.
1. Verify and process DSARs correctly
- Confirm the identity of the requester before sharing personal data.
- Respond within one month, as required by Article 12 of GDPR.
- Provide information in a structured, commonly used format if requested.
2. Implement secure and transparent data handling practices
- Inform individuals why and how their data is processed.
- Maintain detailed records of requests and responses.
- Encrypt and limit access to personal data to prevent unauthorized use.
3. Ensure compliance with GDPR obligations
- Conduct privacy impact assessments (PIAs) for high-risk processing.
- Regularly update privacy policies and terms of service.
- Train employees on data subject rights and GDPR best practices.
Why data subject rights are essential for GDPR compliance
Understanding and protecting data subject rights (DSRs) helps organizations:
- Avoid GDPR fines by fulfilling legal obligations.
- Build customer trust through transparency and accountability.
- Reduce compliance risks by handling requests efficiently.
- Improve data security by implementing privacy-first practices.
By respecting data subject rights, businesses can create a privacy-focused culture, ensuring long-term compliance and trust with customers and stakeholders.