Data Subject
Definition
A data subject is the natural person to whom personal data relates. This is the individual whose data is being collected, stored, processed, or transferred by an organization acting as the data controller. Privacy regulations universally recognize the data subject as the primary rights-holder, granting them specific rights including the right to access their data, request corrections to inaccurate records, and demand erasure of their personal information under certain conditions. The concept of a data subject is foundational to all modern data protection frameworks, establishing that individuals retain ownership and control over their personal data even when it is processed by third parties.
Real-World Examples
E-commerce Customer
When a customer creates an account on an e-commerce platform, they become the data subject for all personal data collected during registration, browsing, and transactions. This includes name, email, payment details, and purchase history that the retailer holds and processes.
Employee Records
An employee whose HR records, such as salary, home address, and government identification numbers, are maintained by their employer is the data subject of that employment data. The employer, as data controller, must process this information lawfully and protect it against unauthorized access.
App User
A user who installs a mobile application and grants permissions for location tracking, camera access, or contacts becomes the data subject for all data the app collects. The app developer must inform the user about what data is collected and obtain proper consent before processing.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |