Data subject – Any identified or identifiable natural person.
Data controller – Any natural or legal person or other entity that determines the purposes and means of the processing of personal data. A company is a data controller with regards to personal data they hold about their employees, customers, suppliers, and others on their own behalf. A typical example is keeping and using personal data such as email addresses for their marketing purposes.
Data processor – An entity that processes personal data on behalf of a data controller. A typical example is a marketing automation vendor that sends out marketing emails on behalf of another company.
In general, “personal data” means any information that can be used to identify a person. The GDPR expands on previous legal definitions to include identifiers such as:
The GDPR sets out stricter requirements for what constitutes consent when data subjects provide their personal data. A typical example is when a web site visitor opts in to an e-marketing campaign by supplying their email address.
The GDPR states that consent must be:
- freely given – an employer requesting personal data from an employee would not meet this requirement, due to the relationship
- specific – it must be clear that the data being collected will be used only for specific activities
- informed – the data subject must have sufficient information about those activities to make an informed decision
- unambiguous – “consent should be given by a clear affirmative act”; this is one of the most significant changes with the GDPR, as it means it’s no longer legal to gain a data subject’s consent by means such as offering a pre-ticked opt-in box
Data controllers have new compliance requirements, including:
- When soliciting consent, data controllers must use clear and plain language to communicate with data subjects.
- Consent must be verifiable. Businesses are required to maintain consent records that can be checked to verify:
- that the data subject has consented
- what they consented to
- when they consented
Data Subject Rights (DSR)
The GDPR defines various rights that all EU citizens have as data subjects. We all have the right to know who holds and processes our personal data, and for what purposes. We also have the right to:
- request a transcript of our personal data and receive it in a portable format
- correct any errors
- request that our data be permanently erased
- restrict the kinds of data that can be stored and processed
- restrict the ways our data can be processed
- withdraw our consent at any time
- be clearly informed of all these rights
In turn, data controllers are required to:
- make it just as easy for data subjects to withdraw their consent as it is to give it
- take all reasonable measures to verify the identity of data subjects making these requests
- respond to and fulfil these requests without undue delay (within one month of receipt of the request)
- erase personal data as soon as the purpose for which they collected it has expired (not dependent on requests from data subjects)
- ensure that their contracts with data processors specify that GDPR-compliant security measures are in place to protect personal data