What's A Data Subject Anyway?
You’re a data subject. The definition of a data subject is intertwined with and derived from the concepts of both personal data and data processing as they are defined in European law. Since most of us generate large amounts of data by merely existing in the world today, we’re all data subjects.
In European law the definition of personal data is very broad.There is no definitive list of what constitutes personal data which you can consult. Any information from which you can be identified is personal data. This ranges from the obvious (your name, your address, your photograph) to very far from obvious (an IP address, an examiner’s notes on an exam paper of yours, the advertising identifier of your phone).
- If the information can be combined with other information to identify you, it’s personal data.
- If the information can be used to single you out from a group, it’s personal data.
Here’s the formal definition from the General Data Protection Regulation:
Article 4(1) GDPR ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Whether data is personal data often depends on the context in which it is acquired and used. The Information Commissioner’s Office (the UK’s independent supervisory authority) has this useful example involving biscuits.
Source: ‘Determining what is personal data’ (PDF)
Here’s another example, this time featuring graffiti, from the Article 29 Working Party (now known as the European Data Protection Board, see our ‘Who’s Who’ for more about them).
Special Categories of Personal Data
The GDPR also identifies what are called special categories of personal data, which require a higher level of protection and care.These are listed in Article 9 and are
- personal data revealing your racial or ethnic origin
- personal data revealing your political opinions
- personal data revealing your religious or philosophical beliefs
- personal data revealing whether you are a member of a trade union
- your genetic data
- your biometric data if it is processed for the purpose of uniquely identifying a natural person
- your health data
- data concerning your sex life or sexual orientation
Like personal data, the concept of data processing in European law is considerably broader than you might imagine. Any of the following activities, when applied to personal data or sets of personal data qualify as processing
- adaptation or alteration
- disclosure by transmission
- dissemination or otherwise making available
- alignment or combination
- erasure or destruction
So doing almost anything with personal data besides thinking about it constitutes data processing.
Now that you’ve an idea of what a data subject is, what personal data is and what data processing is you could move on to
- ‘Who’s who in data protection terms?’, where we cover data controllers, the Data Protection Commission and a few other people and organisations you might encounter.
- ‘How data protection works in Europe’ has a (very) brief history of data protection law in Europe, how data protection law continues to evolve and develop through judgments of the CJEU and guidance from the independent supervisory authorities.
- Alternatively you could hop on over to the ‘Your Rights’ section and learn about the extensive array of data protection rights you have, and how to put them to work.
Read more elsewhere
Data Protection Fundamentals (basics, definitions and more …)
Your Rights (all your data protection rights: access, information, rectification and more …)
In More Detail (explorations and explanations of data protection concepts …)
Keeping Track (tracking Subject Access Requests and complaints to Supervisory Authorities …)