Data Subject

The identified or identifiable natural person whose personal data is being processed.

A data subject is the individual the personal data is about. Customers, employees, contractors, job applicants, website visitors, newsletter subscribers — anyone whose data appears in a controller's system is a data subject for that data.

Under GDPR (and most modern privacy laws), data subjects have a defined set of rights:

  • Right of access (Article 15) — to know what data is held about them and to receive a copy.
  • Right to rectification (Article 16) — to correct inaccurate data.
  • Right to erasure / "right to be forgotten" (Article 17) — to have data deleted in certain circumstances.
  • Right to restriction (Article 18) — to limit processing while a dispute is resolved.
  • Right to data portability (Article 20) — to receive their data in a machine-readable format.
  • Right to object (Article 21) — to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making (Article 22) — including a right to human review of automated decisions with legal or similarly significant effect.

A controller's privacy notice has to explain how a data subject can exercise these rights, and the controller has one month (extendable by two more in complex cases) to respond.

Vendors (processors) are part of this picture: when a data subject exercises a right, the controller usually has to instruct each processor to act on that data within the processor's own systems. A processor that can't surface or delete a data subject's records on request is a non-trivial compliance liability for the controller.
