Data subject

What is a data subject?

A data subject is an identified or identifiable natural person to whom personal data relates. Personal data can include direct identifiers (such as a name or ID number) and indirect identifiers that can reasonably link data to a person (such as contact details, account records, location data, or online identifiers like IP addresses).

Under privacy laws such as the General Data Protection Regulation (GDPR), the data subject is the individual who holds specific legal rights concerning how personal data is collected, used, shared, and retained. These rights vary by law and context and are not always absolute.

How data subject rights and roles work

Personal data handling typically involves three roles:

  • Data subject: An identified or identifiable person whose personal data is processed (for example, a customer, employee, subscriber, or website visitor). Personal data is created, shared, or generated through activities such as account creation, purchases, service use, device usage, or online interactions. Privacy laws grant rights that apply across the full data lifecycle, including access, correction, erasure, objection, restriction, and, in some cases, data portability.
  • Controller: The organization that decides why personal data is processed and how processing is carried out. Controllers set the processing purpose, determine which data is collected, define retention periods, select the legal basis and safeguards, and manage data subject rights requests.
  • Processor: A party that processes personal data on behalf of the controller and under the controller’s instructions (often a service provider). Processors are expected to apply appropriate security measures, comply with applicable contractual and legal obligations, and assist the controller with certain compliance duties where required by law.

Figure: Data subjects in the data collection lifecycle.

Why is a data subject important?

A data subject is important because privacy laws are designed to protect identifiable individuals and define whose rights must be considered in decisions about compliance, accountability, and lawful processing.

This framing also shapes how organizations and regulators assess risk and harm, including how incidents such as data breaches or unlawful transfers are evaluated and when notifications may be required. Centering the data subject supports practical controls such as clear disclosures, data minimization, and limits on profiling and monitoring.

Data subjects in the real world

Data subjects interact with organizations in many everyday contexts where personal data is created, shared, or generated. In some cases, organizations rely on consent obtained through mechanisms such as online forms, cookie banners, and tracking controls, where consent must be a clear affirmative choice. Privacy notices and tracking disclosures help inform that choice, but they're not themselves consent.

Typical examples include:

  • An employee with an HR file and premises access records.
  • An app user whose device information links to an account.
  • A website visitor identified through online identifiers, such as IP addresses or cookies.
  • A customer whose support chat contains personal data.
  • A virtual private network (VPN) subscriber with an account and payment details.

Across these scenarios, consent, when used as the legal basis, may be requested for activities such as marketing preferences, some tracking activities, and some optional account features. Other processing activities, such as billing, identity verification, or core account administration, may rely on a different lawful basis depending on the context.

When personal data is transferred across borders, transfer rules and safeguards apply, and the goal remains ensuring enforceable protections for individuals.

Risks and privacy concerns

Organizations can face recurring risks when handling identifiable information. Data treated as anonymized can still be linkable to a person when combined with other data, particularly where identification remains reasonably likely.

Encryption reduces exposure risk, but encryption is not the same as anonymization. Encrypted datasets and related metadata can still fall within scope where individuals remain identifiable in practice, and security measures are expected to be risk-based.

Re-identification concerns often become more serious after data breaches. Exposed identifiers or account history can enable harms such as identity theft, fraud, financial loss, loss of confidentiality, and related downstream misuse, and breach assessments focus on the resulting risk to the rights and freedoms of individuals.

Large-scale data aggregation increases risk over time. Even when collection is otherwise lawful, combining datasets across systems can create more detailed profiles and increase the potential impact of misuse, insider access, or future breaches.

FAQ

Is a data subject the same as a user?

No. A user is someone who uses a service or system. A data subject is any identifiable person whose personal data is processed, including people who never actively use the service.

What rights do data subjects have?

Under the General Data Protection Regulation (GDPR), key rights include access, rectification, erasure, restriction, data portability, and objection. In some cases, individuals also have rights related to automated decision-making. These rights are not absolute and depend on the context.

More broadly, many privacy laws in other jurisdictions provide similar rights, such as access, correction, deletion in some circumstances, and control over certain data uses, but the exact scope and exceptions vary by law.

How do companies verify data subjects?

Identity is typically confirmed before fulfilling a request, especially where there is uncertainty about who is making it. Common methods include logging into an account, confirming control of an email address or phone number, matching recent account activity or known details, and using stronger checks when the request involves sensitive data or high risk.

When can a request be refused?

A request may be refused or limited when the organization is not in a position to identify the person, when the request is manifestly unfounded or excessive, when legal obligations require the retention of the data, or when fulfilling the request would adversely affect another person’s rights and freedoms.

What counts as personal data?

Personal data means any information relating to an identified or identifiable natural person. This can include direct identifiers, such as a name or ID number, and indirect identifiers, such as online identifiers or location data, where they can be linked to a person.