What is a Data Subject?

by Paul Davies

A Data Subject is an individual whose personal data is collected, processed, or stored by an organisation. Data subjects have specific rights regarding their personal information, such as the right to access, correct, or delete their data, as outlined in privacy regulations like the GDPR. Protecting the data subject’s privacy and ensuring their information is handled securely are fundamental aspects of compliance and data protection. Under the General Data Protection Regulation (GDPR), a data subject refers to any identifiable person within the European Union (EU) whose personal data is collected, processed, or stored by a company. Personal data includes a range of information, from names and addresses to digital identifiers like IP addresses, which can be linked to an individual. The GDPR grants data subjects several rights over their personal data to enhance privacy and control:

  1. Right to Access: Data subjects can request access to their personal data held by an organisation, allowing them to understand how their information is used and by whom.
  2. Right to Rectification: If a data subject finds that their personal data is inaccurate or incomplete, they can request corrections or updates.
  3. Right to Erasure (Right to Be Forgotten): Data subjects can request deletion of their data under certain circumstances, such as when the data is no longer necessary for the purpose it was collected.
  4. Right to Restrict Processing: Data subjects have the right to limit how their data is processed, for example, during disputes about data accuracy.
  5. Right to Data Portability: Data subjects can request that their data be transferred to another organisation in a commonly used, machine-readable format.
  6. Right to Object: Data subjects can object to specific types of processing, such as marketing or profiling, based on legitimate interest or public tasks.
  7. Rights in Relation to Automated Decision-Making and Profiling: Data subjects have protections when decisions are made about them solely by automated means without human involvement.

GDPR’s focus on the data subject’s rights emphasises transparency, control, and accountability, placing responsibility on organisations to implement secure data practices and uphold individual privacy.