What's A Data Subject Anyway?

You’re a data subject. The definition of a data subject is intertwined with and derived from the concepts of both personal data and data processing as they are defined in European law. Since most of us generate large amounts of data by merely existing in the world today, we’re all data subjects.

Personal data

In European law the definition of personal data is very broad.There is no definitive list of what constitutes personal data which you can consult. Any information from which you can be identified is personal data. This ranges from the obvious (your name, your address, your photograph) to very far from obvious (an IP address, an examiner’s notes on an exam paper of yours, the advertising identifier of your phone).


  • If the information can be combined with other information to identify you, it’s personal data.
  • If the information can be used to single you out from a group, it’s personal data.

Here’s the formal definition from the General Data Protection Regulation:

Article 4(1) GDPR

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Whether data is personal data often depends on the context in which it is acquired and used. The Information Commissioner’s Office (the UK’s independent supervisory authority) has this useful example involving biscuits.

“Information may be recorded about the operation of a piece of machinery (say, a biscuit-making machine). If the information is recorded to monitor the efficiency of the machine, it is unlikely to be personal data ….  However, if the information is recorded to monitor the productivity of the employee who operates the machine (and his annual bonus depends on achieving a certain level of productivity), the information about the operation of the machine will be personal data about the individual employee who operates it.”  
Source: ‘Determining what is personal data’ (PDF)

Here’s another example, this time featuring graffiti, from the Article 29 Working Party (now known as the European Data Protection Board, see our ‘Who’s Who’ for more about them).

Passenger vehicles owned by a transportation company suffer repeated damage when they are dirtied with graffiti. In order to evaluate the damage and to facilitate the exercise of legal claims against their authors, the company organises a register containing information about the circumstances of the damage, as well as images of the damaged items and of the “tags” or “signature” of the author. At the moment of entering the information into the register, the authors of the damage are not known nor to whom the “signature” corresponds. It may well happen that it will never be known. However, the purpose of the processing is precisely to identify individuals to whom the information relates as the authors of the damage, so as to be able to exercise legal claims against them. Such processing makes sense if the data controller expects as “reasonably likely” that there will one day be means to identify the individual. The information contained in the pictures should be considered as relating to “identifiable” individuals, the information in the register as “personal data”, and the processing should be subject to the data protection rules, which allow such processing as legitimate under certain circumstances and subject to certain safeguards.

Source: ‘Opinion 4/2007 on the concept of personal data’ (PDF)

Special Categories of Personal Data

The GDPR also identifies what are called special categories of personal data, which require a higher level of protection and care.These are listed in Article 9 and are 

  • personal data revealing your racial or ethnic origin
  • personal data revealing your political opinions
  • personal data revealing your religious or philosophical beliefs   
  • personal data revealing whether you are a member of a trade union
  • your genetic data
  • your biometric data if it is processed for the purpose of uniquely identifying a natural person
  • your health data
  • data concerning your sex life or sexual orientation

Data Processing

Like personal data, the concept of data processing in European law is considerably broader than you might imagine. Any of the following activities, when applied to personal data or sets of personal data qualify as processing

  • collection
  • recording
  • organisation
  • structuring
  • storage
  • adaptation or alteration
  • retrieval
  • consultation
  • use
  • disclosure by transmission
  • dissemination or otherwise making available
  • alignment or combination
  • restriction
  • erasure or destruction

So doing almost anything with personal data besides thinking about it constitutes data processing.

Where next?

Now that you’ve an idea of what a data subject is, what personal data is and what data processing is you could move on to

  • ‘Who’s who in data protection terms?’, where we cover data controllers, the Data Protection Commission and a few other people and organisations you might encounter.
  • ‘How data protection works in Europe’ has a (very) brief history of data protection law in Europe, how data protection law continues to evolve and develop through judgments of the CJEU and guidance from the independent supervisory authorities.
  • Alternatively you could hop on over to the ‘Your Rights’ section and learn about the extensive array of data protection rights you have, and how to put them to work.
Read more elsewhere

‘Definition of Key Terms’, Data Protection Commission of Ireland


Data Protection Fundamentals (basics, definitions and more …)
Your Rights (all your data protection rights: access, information, rectification and more …)
In More Detail (explorations and explanations of data protection concepts …)
Keeping Track (tracking Subject Access Requests and complaints to Supervisory Authorities …)