
Data Subject

/ˈdeɪtə ˈsʌbdʒɛkt/

A data subject is the identifiable living person whose personal data is collected, used, stored, or otherwise processed under GDPR.


What is a data subject?

A data subject is the living individual whom personal data relates to. Under GDPR, personal data is any information that identifies or can identify a person, directly or indirectly. That person is the data subject. In a business context, data subjects may include customers, website visitors, employees, job applicants, contractors, suppliers, investors, newsletter subscribers, and users of a product or service.

The term matters because GDPR is built around protecting the rights and freedoms of data subjects. When a company collects an email address, tracks product usage, stores payroll details, records support tickets, or analyses customer behaviour, it is processing personal data about data subjects. The company must have a lawful basis, provide clear information, protect the data, and respect the person's rights.

For Irish startups, understanding who the data subjects are is the first step in building a practical privacy programme. If the business cannot identify whose data it holds and why, it cannot confidently prepare a privacy notice, respond to access requests, build a retention schedule, or complete a data protection impact assessment.

Examples of data subjects

In a SaaS company, data subjects include the admin who signs up for the account, employees of the customer who use the software, individuals whose information is entered into the product, support contacts, and potentially website visitors tracked by analytics tools. Some of those people may have a direct relationship with the SaaS company. Others may only be known through the customer.

In an employer context, employees are data subjects. Payroll data, performance reviews, absence records, right-to-work checks, disciplinary notes, and emergency contact details all relate to identifiable people. Job applicants are also data subjects, even if they are never hired, because their CVs, interview notes, and application records contain personal data.

In fundraising and corporate governance, investors, beneficial owners, directors, and company officers may also be data subjects. KYC checks, cap table information, board minutes, signatures, identification documents, and contact details all involve personal data. This means privacy compliance is not limited to customer-facing products.

Where would I first see the term data subject?

You will most likely encounter the term data subject in a privacy notice, data processing agreement, subject access request, GDPR policy, customer security questionnaire, or communication from the Data Protection Commission.

Data subject rights

GDPR gives data subjects specific rights. These include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restriction, the right to data portability, the right to object, and rights relating to automated decision-making. Not every right applies in every situation, but companies need a process for assessing and responding.

The most common request is a subject access request, where a person asks what personal data the organisation holds about them. The company must verify the request, search relevant systems, apply exemptions where appropriate, and respond within the required timeframe. Poorly organised data makes this much harder than it needs to be.

Data subjects also have the right to complain to a supervisory authority, which in Ireland is the Data Protection Commission. Complaints can trigger regulatory correspondence, investigations, or enforcement, especially where the company cannot show clear policies, records, and decision-making.

Practical implications for companies

Start by mapping categories of data subjects. Do not only list systems or databases. Identify the groups of people behind the data: customers, end users, staff, applicants, suppliers, shareholders, and visitors. For each group, record what data is collected, why, the lawful basis, where it is stored, who receives it, and how long it is retained.

Privacy notices should be written for data subjects, not lawyers. A person should be able to understand what data you collect, why you collect it, how it is used, who it is shared with, and what rights they have. Dense generic wording creates risk because it may not accurately describe the real processing.

Finally, design support and operational processes around data subject rights. Customer support, HR, finance, security, and product teams should know how to recognise a request and where to escalate it. A request does not need to mention GDPR to be valid. If someone asks for their data, wants it corrected, or asks for deletion, treat it as a potential rights request and handle it promptly.
