Why It Matters
The data subject is the person at the center of data protection law. Every GDPR obligation — from legal basis to breach notification — exists to protect the data subject. Understanding who qualifies, what rights they have, and how to handle their requests is fundamental to compliance. Failure to respond to data subject requests within deadlines is one of the most common reasons for regulatory complaints.
Who Is a Data Subject?
A data subject is any living natural person who is identified or identifiable, directly or indirectly, from the data you hold (Art. 4(1) uses the words "identified or identifiable natural person"). Typical groups include:
- Customers — anyone whose data you collect through purchases, inquiries, or accounts
- Employees — staff whose HR, payroll, and performance data you process
- Website visitors — anyone whose data is collected through cookies, forms, or analytics
- Job applicants — candidates whose CVs and interview data you hold
- Suppliers and contacts — business contacts whose personal (not company) data you process
- Members of the public — anyone captured by CCTV, public-facing services, etc.
Not data subjects: deceased persons (under GDPR; some national laws extend protection), legal entities (companies), anonymous individuals who cannot be re-identified.
Data Subject Rights Under GDPR
| Right | Article | What It Means | Deadline |
|---|---|---|---|
| Access | Art. 15 | Confirmation that their data is processed, a copy of it, and the supplementary information (purposes, recipients, retention period, source, etc.) | 1 month |
| Rectification | Art. 16 | Correct inaccurate data and complete incomplete data | 1 month |
| Erasure | Art. 17 | Deletion ("right to be forgotten") where one of the Art. 17(1) grounds applies, e.g. the data is no longer needed or consent has been withdrawn | 1 month |
| Restrict processing | Art. 18 | Keep the data stored but stop other processing while accuracy or an objection is being resolved | 1 month |
| Data portability | Art. 20 | Receive the data they provided, where it is processed by automated means on the basis of consent or contract, in a structured, commonly used, machine-readable format | 1 month |
| Object | Art. 21 | Object to processing based on legitimate interests or a public task; an objection to direct marketing must always be honoured | 1 month (Art. 12(3)); stop direct marketing as soon as the objection is received |
| Automated decisions | Art. 22 | Not be subject to solely automated decisions, including profiling, with legal or similarly significant effects | 1 month |
| Withdraw consent | Art. 7(3) | Withdraw consent at any time, as easily as it was given; processing done before withdrawal stays lawful | Without undue delay |
The one-month clock (Art. 12(3)) starts when the request is received and can be extended by two further months where necessary, taking into account the complexity and number of the requests. You must tell the data subject about the extension, and the reasons for the delay, within the first month; once that month has passed the original deadline stands and the request is simply late.
Handling Requests
- Receive — accept requests through any channel (email, phone, form, verbal); a request is valid even if it does not mention the GDPR or arrive at a designated address
- Verify identity — where you have reasonable doubts, ask only for what is needed to confirm the requester is who they claim to be (Art. 12(6)); do not demand excessive ID, and never send data to an unverified requester
- Log — record the request, date received, and type of right exercised
- Assess — determine if the right applies and whether any exemptions exist
- Act — fulfill the request within the deadline
- Respond — communicate the outcome to the data subject
- Document — retain records of the request and your response
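The log and deadline steps above are where most missed deadlines originate, so here is an added example of a minimal request log that computes the Art. 12(3) deadline and refuses an extension that is notified after the first month. This is illustrative code written for this page, not part of the original text or any product. It assumes that "one month" means the same day of the following month (clamped to the month end when that day does not exist), that a deadline falling on a weekend rolls to the next working day, and it does not model public holidays; the record fields, right names and reference numbers are invented.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Rights whose requests fall under the Art. 12(3) one-month clock (illustrative keys).
RIGHTS = {
    "access": "Art. 15", "rectification": "Art. 16", "erasure": "Art. 17",
    "restriction": "Art. 18", "portability": "Art. 20", "objection": "Art. 21",
    "automated_decision": "Art. 22",
}


def add_months(d: date, months: int) -> date:
    """Same day of the month N months on; clamp to month end if that day does
    not exist (31 Jan + 1 month -> 29 Feb in a leap year)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def to_working_day(d: date) -> date:
    """Assumption: a deadline on Saturday/Sunday rolls to Monday; public
    holidays are not modelled here."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def deadline(received: date, months: int = 1) -> date:
    """One month from receipt, or three months if an extension was notified."""
    return to_working_day(add_months(received, months))


@dataclass
class Request:
    ref: str                       # hypothetical internal reference
    right: str                     # key of RIGHTS
    received: date
    identity_verified: bool = False
    extended_on: Optional[date] = None
    closed_on: Optional[date] = None
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.right not in RIGHTS:
            raise ValueError(f"unknown right: {self.right}")
        self.note(self.received, f"received {self.right} request ({RIGHTS[self.right]})")

    def note(self, on: date, text: str) -> None:
        self.log.append(f"{on.isoformat()} {self.ref}: {text}")

    @property
    def due(self) -> date:
        return deadline(self.received, 3 if self.extended_on else 1)

    def can_extend(self, on: date) -> bool:
        # The extension must be notified within the first month; after that the
        # original deadline stands and the request is simply late.
        return self.extended_on is None and on <= deadline(self.received, 1)

    def extend(self, on: date, reason: str) -> date:
        if not self.can_extend(on):
            raise ValueError("extension must be notified within one month of receipt")
        if not reason:
            raise ValueError("the data subject must be given the reasons for the delay")
        self.extended_on = on
        self.note(on, f"extended by two months, reason: {reason}; now due {self.due}")
        return self.due

    def close(self, on: date, outcome: str) -> None:
        # Data is only released or changed for a requester whose identity was checked.
        if outcome == "fulfilled" and not self.identity_verified:
            raise ValueError("verify identity before releasing or changing data")
        self.closed_on = on
        self.note(on, f"closed: {outcome}")

    def status(self, today: date) -> str:
        if self.closed_on is not None:
            return "closed" if self.closed_on <= self.due else "closed late"
        return "overdue" if today > self.due else "open"


if __name__ == "__main__":
    # Constructed sample: an access request received on 31 January 2024.
    req = Request("DSAR-0001", "access", date(2024, 1, 31))
    req.identity_verified = True
    req.extend(date(2024, 2, 20), "data held across several legacy systems")
    req.close(date(2024, 4, 29), "fulfilled")
    print("\n".join(req.log))
    print(req.status(date(2024, 5, 1)))
```

The month-end clamp and weekend roll are the two places a naive "received + 30 days" tracker goes wrong: a request received on 31 January is due on 29 February (in a leap year), and one received on 31 May 2024 is due on Monday 1 July because 30 June is a Sunday. Check the convention your supervisory authority applies before relying on the weekend rule.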
When Can You Refuse?
Under Art. 12(5) you may refuse, or charge a reasonable fee for, requests that are:
- Manifestly unfounded — clearly made to harass or disrupt rather than to exercise the right
- Excessive — repeated requests for the same data at unreasonable intervals, or requests that overlap with ones already answered
- Exempt — restricted by a national law adopted under Art. 23, or within a specific exception such as Art. 17(3) (freedom of expression, legal claims, public interest)
Even when refusing, you must inform the data subject within one month of the reasons and of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy (Art. 12(4)). The burden of showing that a request is manifestly unfounded or excessive is on you, not the data subject.
Key Regulation
- GDPR Article 4(1) — definition of data subject
- GDPR Articles 15–22 — the individual data subject rights
- GDPR Article 12 — transparent communication and response deadlines
- EDPB Guidelines on data subject rights — detailed interpretive guidance