Data Subject
Definition
A data subject is an identifiable natural person whose personal data is collected, stored, or processed by an organization. The concept of a data subject is foundational to privacy compliance, as privacy requirements are designed to protect the rights and freedoms of these individuals regarding their personal information. When an individual can be identified, directly or indirectly, through identifiers like names, ID numbers, or digital footprints, they qualify as a data subject. Privacy frameworks grant extensive data subject rights, empowering these individuals to control how their information is used, including the right to access, correct, and request the deletion of their data. In specific scenarios involving minors or persons with disabilities, the scope of a data subject often includes parents or lawful guardians acting on their behalf to provide valid consent and exercise rights.
Real-World Examples
E-commerce Customer
An individual purchases a laptop from an online retailer and provides their shipping address and credit card details. In this transaction, the customer is the data subject because the personal data relates to them. The retailer, acting as the organization or data controller, must respect the customer's data subject rights regarding this information.
Employee Records
An organization maintains a database of its workforce, including salaries, tax IDs, and performance reviews. Each employee is a data subject in relation to their personnel file. They have the right to submit a data subject request to access this internal record or correct outdated information.
A data subject is the individual to whom personal data relates. This includes any natural person who can be identified by the data being processed. In cases involving children or persons with disabilities, the term often encompasses their parents or lawful guardians who act on their behalf regarding consent and the exercise of rights.
Data subject rights typically include the right to access information about their data processing, the right to correction of inaccurate data, the right to erasure, the right to withdraw consent, and the right to complain through an organization's grievance or complaint process. Some frameworks also provide the right to appoint a representative in case of incapacity.
To submit a data subject access request, an individual should use the contact channels published by the organization or data controller, such as a dedicated privacy email or an online request form. The request should clearly specify the information sought, and the controller may require identity verification before releasing the data.
The main difference between a data subject and a data controller lies in their relationship to the data. The data subject is the individual whom the data is about. The data controller is the organization that determines the purpose and means of processing that data. The controller bears the obligation to protect the rights of the data subject.
Rights are enforced primarily through the organization or data controller's grievance or complaint mechanism. If the controller fails to respond satisfactorily or within a reasonable timeline, the data subject can escalate the complaint to the supervisory authority for investigation and potential enforcement action.
Data subject categories can include customers, employees, website visitors, patients, and minors. Special protections often apply to vulnerable categories, such as children, where verifying age and obtaining parental consent may be required to ensure appropriate protection and prevent harmful processing.
Organizations must process data lawfully, provide clear privacy notices, obtain valid consent where required, ensure data accuracy, and implement security safeguards to prevent breaches. They are obligated to facilitate the exercise of individual rights and respond to complaints within reasonable timelines.
Organizations should respond to a data subject request by first verifying the requester's identity. They must then provide the requested information (such as a summary of processing) or perform the requested action (such as correction or erasure) within the applicable timeframe, typically without undue delay. Many teams use WatchDog Security's Secure File Sharing to deliver copies securely using expiring access, role-based permissions, and audit logs.
References & Resources
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication |