What is a data subject under GDPR?
Who is and who is not a data subject?
What are some examples of data subjects or categories of data subjects?
In this article, we will break down the notion of data subjects so you know all there is to know about it.
We will look at how data subject is legally defined under the EU data protection laws, who can be considered a data subject, who may not be a data subject and even interpretation challenges with regards to the notion of data subject.
Are you ready?
Let’s get started!
Table of Contents
What is a data subject?
In the context of data privacy and data protection laws of Europe, namely the General Data Protection Regulation (GDPR), a data subject is a person who can be identified directly or indirectly using different identifiers.
The data subject is intended to be a physical person who shares his or her personal data with others, particularly organizations.
The legal definition of the data subject
Interestingly, GDPR does not specifically define data subject.
The legal definition of the data subject is outlined parenthetically in the definition of ‘personal data’.
Article 4(1) GDPR defines personal data as:
“any information relating to an identified or identifiable natural person (‘data subject’)”
We can extract from this that the legal definition of a data subject is “an identified or identifiable natural person”.
So a data subject is:
- An identified or identifiable
- Natural person
Identified natural person
An identified natural person is simple to understand.
It’s pretty much when we are able to directly pinpoint a specific person, an identified person.
An example is when you have the name, address, unique national identification numbers, age, birth date and so on.
The personal data allows the direct identification of a natural person.
Identifiable natural person
The definition of personal data under GDPR gives us more details as to what is an identifiable natural person, it states:
“an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
An identifiable natural person is one who can be identified either directly or indirectly by using data points such as:
- Identification number
- Location data
- Online identifier
- Physical factors
- Physiological factors
- Genetic factors
- Mental factors
- Economic factors
- Cultural factors
- Social identity factors
Recital 30 GDPR provides additional context with respect to online identifiers:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Based on the above, GDPR expands the notion of personal data thus protecting data subjects even further.
GDPR outlines the following online identifiers:
- Devices
- Online applications
- Online tools
- Online protocols such as IP
- Cookies
- Radiofrequency tags
Natural person
A natural person means an individual, a physical person.
This is in contrast to a legal person, a corporation or a legal entity.
GDPR applies to physical beings or individuals and not to companies and organizations.
Who is a data subject under GDPR?
Any person using his or her personal information for reasons other than purely personal reasons or for household activities may be considered a data subject under GDPR.
To better understand whose personal data can be protected under GDPR, we must look at GDPR’s territorial scope or application.
Article 3 GDPR gives us the information needed, it states:
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”
Essentially, GDPR applies to any person located in the European Union and:
- They deal with a company established in the European Union
- They deal with a foreign company who is selling them goods and services whether any payment required or not
- They deal with a foreign company subject to the laws of the European Union
- Their behaviour was monitored provided their behaviour took place in the European Union
Who is not a data subject in GDPR?
To understand who is not a data subject under GDPR, we’ll need to look at the material scope of GDPR and combine that with the knowledge we acquired based on who ‘is’ a data subject.
Article 2 GDPR states:
“This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; (c) by a natural person in the course of a purely personal or household activity; (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”
As a result, the following are not data subjects:
- A person outside of the European Union
- A person carrying out purely personal activities
- A person carrying out activities purely for their household
- A person carrying out activities falling outside of the scope of the European Union law
- A corporation
- A partnership
- A legal entity
Categories of data subjects
Categories of data subjects as notion is referred to in Recital 81, Article 28 and Article 30 GDPR.
Categories of data subjects is another way of classifying data subjects into groups or logical categories.
A data subject is someone who can be identified or is identifiable.
To categorize data subjects, a company may group data subjects as follows:
- Employee
- Director
- Officer
- Shareholder
- Contractors
- Volunteers
- Student
- Consumers
- Customers
- Prospects
- Suppliers
- Website users
- Software users
- Public officers
And the list can go on.
The categorization is what makes the most sense to the organization to better understand the data it possesses.
Data subject examples
What are some data subject examples?
A data subject can be any natural or physical person.
It can be:
- A person using a software
- A person navigating the web
- A client
- A prospect
- An employee
- A person whose behaviour is analyzed
- A person who has bought goods or services
There are as many examples as ways individuals can transact with another within the economy.
What’s important is that the data subject falls within one of the following criteria:
- A person outside of the European Union
- A person carrying out purely personal activities
- A person carrying out activities purely for their household
- A person carrying out activities falling outside of the scope of the European Union law
Confusion about the legal definition of data subjects
At first glance, the concept of data subject under GDPR may sound simple to comprehend.
However, in practice, it may be a little more confusing than that!
Let’s see why and how.
No specific definition of data subject in GDPR
GDPR does not specifically define the term ‘data subjects’.
Instead, GDPR uses different qualifiers to define what is a data subject.
However, the qualifiers used can lead to confusion and in some cases are inconsistent.
For example, you have the challenge of determining whether a person travelling to Europe can be a data subject.
What about temporary students or tourists?
Are they data subjects?
Let’s see what we can extract from the working of GDPR.
GDPR identifiers of data subjects
Here is a break down of different identifiers found in GDPR:
“This Regulation applies to the processing of personal data of data subjects who are in the Union”
“The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”
“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
“The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.”
Interpreting GDPR
Based on the GDPR identifiers, we can interpret that the regulation intends to have GDPR apply to:
- Individuals located in the European Union
- Residents of the European Union
- Citizens of the European Union
- Residents and Citizens of EU located anywhere in the world
- Any person having personal data located in the European Union
Takeaway
The data subject is intended to be a physical person who shares his or her personal data with others, particularly organizations.
The definition of GDPR is pretty broad with respect to data subjects.
It can be a person who is:
- Directly identified
- Indirectly identified
- Directly identifiable
- Indirectly identifiable
With this type of definition, data can be considered the personal data of a data subject in more instances than companies may have been accustomed to see in the past.
An identifiable natural person is one who can be identified either directly or indirectly by using data points such as:
- Identification number
- Location data
- Online identifier
- Physical factors
- Physiological factors
- Genetic factors
- Mental factors
- Economic factors
- Cultural factors
- Social identity factors
- Devices
- Online applications
- Online tools
- Online protocols such as IP
- Cookies
- Radiofrequency tags
Companies should be mindful of whether or not they are dealing with the personal data of a data subject to ensure compliance with GDPR.
Case of infringement can result in nasty GDPR fines making it that much more important to ensure you don’t get caught off guard.
