Data Subject

The data subject is the natural person whose personal data is processed by an organisation. The GDPR grants the data subject a range of rights that ensure control over their own data, including the right of access, erasure and data portability.

    Who is the data subject?

    The data subject is defined in GDPR Article 4(1). It is any identified or identifiable natural person whose personal data is processed.

    In practice, the data subject is every person whose data your organisation processes:

    • Customers and prospective customers
    • Employees and job applicants
    • Contact persons at suppliers
    • Users of your website or app
    • Patients, students, citizens (depending on your sector)

    Only natural persons are data subjects. Companies and legal entities are not covered. However, contact persons within a company are natural persons, and their personal information is protected by the GDPR.

    As a data controller, you must respect data subjects' rights. Your duty to inform requires you to tell them how you process their data.

    Data subject rights

    The GDPR grants the data subject a range of rights described in Chapter III (Articles 12–22):

    • Right to information: You must inform the data subject about what data you process, why and on what basis (duty to inform).
    • Right of access (Article 15): The right to see all personal data you process about them.
    • Right to rectification (Article 16): The right to have incorrect data corrected.
    • Right to erasure (Article 17): The right to have data deleted under certain conditions.
    • Right to restriction (Article 18): The right to restrict processing temporarily.
    • Data portability (Article 20): The right to receive data in a machine-readable format.
    • Right to object (Article 21): The right to object to processing based on legitimate interest or profiling.
    • Right regarding automated decisions (Article 22): The right not to be subject to decisions made solely by automated means.

    Handling requests

    When a data subject exercises their rights, you must have procedures in place to handle the request:

    • Deadline: You must respond to requests within one month. In complex cases, the deadline may be extended by two months, but you must inform the data subject within the first month.
    • Identification: You must verify that the request actually comes from the data subject. You must not disclose data to the wrong person.
    • Free of charge: Responses are in principle free of charge. For manifestly unfounded or excessive requests, you may charge a reasonable fee or refuse.
    • Documentation: Record all requests and your responses in your record.

    Your DPO should be involved in the procedures for handling data subject requests. Failure to respond or late responses may lead to complaints to the Danish Data Protection Agency.

    The data subject in practice

    For most organisations, the most common requests are access requests and requests for erasure. Prepare by:

    • Mapping where personal data is stored across systems
    • Establishing clear procedures for receiving and processing requests
    • Training staff who may receive requests (e.g. customer service)
    • Ensuring your data processors can assist in delivering data via the data processing agreement

    Bear in mind that data subject rights are not absolute. There are exceptions, for example when you have a legal obligation to retain data (e.g. the five-year bookkeeping retention requirement). Always document the justification if you refuse a request.

    Frequently Asked Questions about the Data Subject

    Who is the data subject under the GDPR?

    The data subject is any identified or identifiable natural person whose personal data is processed. This can be a customer, employee, user, patient or any other person whose data an organisation holds or processes.

    What rights does the data subject have under the GDPR?

    The data subject has the right to access, rectification, erasure, restriction of processing, data portability, objection to processing and the right not to be subject to automated decisions. They also have the right to information about how their data is processed.

    Are legal persons also data subjects?

    No. The GDPR only protects natural persons (human beings). Companies, associations and other legal persons are not data subjects. However, contact persons within companies can be data subjects, as their personal contact information is personal data.

    How quickly must you respond to a request from a data subject?

    You must respond to requests within one month. In complex cases, the deadline may be extended by a further two months, but you must inform the data subject of the delay within the first month.
