The Data Subject Explained: Your Hidden Superpower in Privacy Laws
Share
In today’s digital world, personal information powers everything — from online shopping to social networking and healthcare. But behind every piece of personal data lies a person — the data subject.
Understanding who a data subject is, and what rights and responsibilities come with that role, is essential for both individuals and organizations. Whether under the EU’s General Data Protection Regulation (GDPR) or Nigeria’s Data Protection Act (NDPA 2023), the data subject stands at the center of modern privacy law.
This guide explores what it means to be a data subject, the rights granted under global data protection laws, and how individuals and organizations can uphold those rights responsibly.
What Is a Data Subject?
A data subject is any identifiable living person whose personal data is collected, stored, or processed by an organization.
If your name, phone number, location, email, or even online behavior is recorded or analyzed — you are a data subject.
Examples of Data Subjects
| Scenario | Who Is the Data Subject? |
|---|---|
| A customer ordering products online | The customer |
| An employee whose details are stored in HR records | The employee |
| A student whose grades are stored in a university system | The student |
| A patient’s health data used by a hospital | The patient |
The Legal Foundation: GDPR and NDPA Definitions
Under Article 4(1) of the GDPR, a data subject is “an identified or identifiable natural person.” Similarly, Section 65 of Nigeria’s NDPA (2023) defines a data subject as an identifiable individual to whom personal data relates.
This means privacy protection applies only to living individuals, not organizations or deceased persons.
What Are the Rights of a Data Subject?
Both GDPR and NDPA guarantee several fundamental rights that allow individuals to control how their data is used.
1. Right to Information
Data subjects have the right to know:
- Who is collecting their data.
- Why it’s being collected.
- How long it will be stored.
- Who it will be shared with.
2. Right of Access
Individuals can request access to their personal data held by an organization and understand how it’s being processed.
3. Right to Rectification
If data is inaccurate or incomplete, the data subject can request correction.
4. Right to Erasure (“Right to Be Forgotten”)
Under certain conditions, individuals can request that their personal data be deleted when it’s no longer needed or processed unlawfully.
5. Right to Restrict Processing
A data subject can ask an organization to temporarily stop using their data while accuracy or legal grounds are verified.
6. Right to Data Portability
Individuals can request to receive their personal data in a structured, machine-readable format — or have it transferred to another controller.
7. Right to Object
Data subjects can object to processing based on legitimate interests or direct marketing purposes.
8. Rights Related to Automated Decision-Making and Profiling
When automated systems make decisions affecting individuals (like loan approvals or job applications), the data subject has the right to request human intervention.
Data Subject Rights: Quick Comparison
| Right | GDPR | NDPA (Nigeria) | Applies To |
|---|---|---|---|
| Access | ✅ | ✅ | All data subjects |
| Rectification | ✅ | ✅ | All |
| Erasure | ✅ | ✅ (under limited conditions) | All |
| Portability | ✅ | ✅ | Digital environments |
| Restriction of Processing | ✅ | ✅ | Case-by-case |
| Object to Processing | ✅ | ✅ | All |
| Automated Decision Review | ✅ | ✅ | Automated systems |
Responsibilities of a Data Subject
While the focus often falls on organizations, data subjects also have roles to play in protecting their privacy.
| Responsibility | Description | Example |
|---|---|---|
| Provide accurate data | Ensures correct service delivery and compliance. | Submitting true contact details for an account. |
| Read privacy notices | Understand how data is collected and used. | Reviewing terms before signing up. |
| Exercise rights responsibly | Avoid making excessive or bad-faith requests. | Requesting data access once every few months. |
| Use secure channels | Protect your data during transmission. | Using encrypted websites (HTTPS). |
Real-World Example
In 2021, a European job applicant requested access to recruitment data held by a multinational company. The company failed to respond within the one-month GDPR deadline, leading to a €20,000 fine by regulators.
This case highlighted that data subject access requests (DSARs) are not optional — they are legal obligations.
How to Exercise Your Rights as a Data Subject
- Submit a Written Request – Contact the organization’s Data Protection Officer (DPO) or use its online privacy portal.
- Identify Yourself Clearly – Provide necessary identification to confirm your identity.
- Be Specific – State exactly what data or processing activity your request concerns.
- Keep Records – Save copies of all correspondence.
- Escalate to the Regulator – If unsatisfied, complain to your national Data Protection Authority (e.g., NDPC in Nigeria, ICO in the UK, CNIL in France).
Data Controllers’ Obligations Toward Data Subjects
Organizations that collect or process data must:
- Obtain valid consent or another lawful basis.
- Provide transparent privacy notices.
- Respond to data subject requests within the legal timeframe (usually 30 days).
- Implement technical and organizational safeguards.
- Maintain records of data processing activities.
Failure to respect these rights can result in severe penalties, public sanctions, and loss of trust.
FAQs
Q1. Who qualifies as a data subject?
Any living individual whose personal data is processed — customers, employees, patients, users, etc.
Q2. Can a company be a data subject?
No. Data protection laws apply only to natural persons, not legal entities.
Q3. How do I know if my rights have been violated?
If an organization collects, uses, or shares your data without your consent or other lawful basis, your rights may be infringed.
Q4. Can I withdraw my consent after giving it?
Yes. You can withdraw consent anytime, and the organization must stop processing unless another legal basis applies.
Q5. What should I do if my request is ignored?
You can file a complaint with the relevant Data Protection Authority or take legal action where applicable.
Conclusion
Being a data subject means having both power and responsibility in the digital age. You have the legal right to control how your data is collected, used, shared, and deleted — but you also share responsibility for managing your own privacy.
For organizations, respecting these rights is not just a legal requirement — it’s a sign of transparency and trustworthiness. And for individuals, understanding and exercising these rights ensures that your personal information remains truly personal.
Leave a Reply