Can a non-citizen be a data subject?

Yes—anyone can be a data subject, including residents, refugees, tourists, and even people outside of a country where the GDPR directly applies. Whether a person is a citizen of a European country is not relevant to whether they are a data subject.

Can people outside Europe be data subjects?

Yes, people outside of Europe can be data subjects. The GDPR applies to organisations that process personal data in the context of their activities in the EU (or the UK, or the wider European Economic Area). So if you're based in the UK (for example), and your customers include people in the UK and the US, they can all be data subjects with the same data subject rights.

Are US companies responsible for EU or UK data subjects?

Yes, the GDPR applies if you offer products or services in the EU or UK—or even if you use Europeans' data in your ad-targeting campaigns.

Can a child be a data subject?

Yes, a child can be a data subject. The GDPR has specific rules for personal data about children, but they can still be data subjects.

If someone from outside the EU travels into the EU, are they a data subject?

Yes. If your company is covered by the GDPR, the law applies to any processing of personal data in the context of your European operations. The nationality of data subjects isn't relevant.

What is a Data Subject?

Data subject references any living individual whose personal data is collected, stored, or processed by an organisation.

Under the UK and EU GDPR, the data subject can be identified through direct or indirect means, such as a name, ID number, location data, or other attributes linked to their identity.

A data subject has specific rights over how their personal information is handled, ensuring their privacy and control over their own data.

What are the Different Categories of Data Subjects?

Data subjects can be identified by:

Personal Identifiers: such as name, ID number, or location data.‍
Unique Attributes: like physical, genetic, economic, or social factors that help identify them.

Data Subject Rights

Data subjects have several rights under GDPR, designed to protect their personal data, including:

Right to Access: The right to request information about the data collected and how it is used.
Right to Rectification: The ability to correct inaccurate data.
Right to Erasure: The right to have personal data deleted under specific conditions.
Right to Data Portability: The ability to receive their data in a structured format and transfer it to another organisation.
Right to Object: The ability to object to data processing based on legitimate interests, direct marketing, or research purposes.

Why is the Data Subject Important in GDPR?

The data subject is at the heart of GDPR regulations, and organisations are legally obligated to ensure the privacy and protection of the individual's data. Without their explicit consent or legitimate grounds, businesses cannot process or share their personal information.

How Should Organisations Handle Data Subjects' Rights?

Organisations must implement systems that allow data subjects to exercise their rights easily. For example:

Data Subject Access Requests (DSARs): Companies must respond to requests for data access promptly.‍
Data Protection Impact Assessments (DPIAs): Organisations should assess risks when processing personal data to ensure data subjects' privacy is protected.

How Can You Protect Yourself From Violating Data Subject Rights?

Failing to fulfil a valid data subject rights request can be a serious GDPR violation.

Recent data from the UK regulator shows that it received over 1,300 complaints about the “right to access”—more than any other type of complaint. Failing to fulfil a data subject’s request can damage customer trust and harm a company’s reputation.

Organisations can violate data subject rights because they don’t have an accurate personal data inventory.

Consider this recent 3,700 euros GDPR fine about the “right to be informed”. The company’s privacy notice mischaracterised how data subjects’ information was processed and was not available in all the relevant languages. The penalty was relatively small, but the investigation took nearly two and a half years.

The GDPR’s requirements can seem overwhelming. But compliance is possible if you take data protection seriously, employ a systematic approach, and use the right tools.

Privasee provides the features you need to become GDPR compliant. With just a few questions and a scan of your website, Privasee can provide these GDPR compliance tools:

Personal data inventory: The backbone of GDPR compliance, helping you understand how personal data flows through your organisation.
Self-updating policies: Privasee uses AI to generate and maintain privacy policies and cookie banners in multiple languages.

Like your business, data protection regulation is constantly evolving. Privasee keeps your privacy policies up-to-date, helping you focus on growing your company and serving your customers.

Key Takeaways & Wrap Up

In this article, we have helped you understand the following information about data subjects:

Data subject is in reference to an “identified or identifiable natural person” - a living individual.
Personal data can take many forms, from names to IP addresses and device data.
The data subject has rights under the GDPR, and it’s your responsibility to fulfil them.

To learn how Privasee can help you meet your legal obligations to data subjects, book a demo today.

Data Subject - FAQs

What types of data fall under data subject rights?

‍Personal identifiers like names, contact details, IP addresses, and more are protected under GDPR.

How long does an organisation have to respond to a data subject’s request?

‍Under GDPR, organisations generally have one month to respond to a data subject’s request.

Can a data subject withdraw their consent for data processing?

‍Yes, data subjects have the right to withdraw their consent at any time, and organisations must cease processing the data unless they have other legal grounds.

What happens if an organisation breaches a data subject’s rights?

‍If an organisation fails to comply with GDPR, it could face penalties, including fines and legal action.

September 25, 2024

What is a Data Subject?