Data subject

(also individual concerned)

Data subject definition

Data subject refers to an individual who consents to a data controller collecting, processing, and storing their data. Usually, data subjects are customers, employees, patients, students, and citizens. The data controller is typically an organization or entity that determines the purposes and means of the processing, such as marketing, employment, healthcare, education, or government services. Data subjects have various rights under data protection laws to protect their privacy and autonomy and give them more control over their personal data. Examples of such laws include the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) in the US, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Under these laws, data subjects can access their personal data, rectify inaccurate data, ask for erasure, restrict processing, move their data, or object to certain types of processing.

See also: man-in-the-middle attack, anti-phishing service

Data subject risks

  • Identity theft. Cybercriminals can use personal data, such as names, addresses, and Social Security numbers, to steal someone’s identity and commit fraud.
  • Financial loss. Data subjects may suffer economic losses if their financial information, such as credit card or bank account details, is compromised.
  • Discrimination. Third parties can use data subjects’ personal data, such as race, ethnicity, or gender, to discriminate against them for employment, housing, or credit.
  • Reputational damage. Third parties can embarrass or damage the reputation of data subjects by exposing their sensitive data, such as private images or medical records.
  • Harassment. Cybercriminals can use email addresses or phone numbers for phishing or other types of harassment.
  • Cyberstalking. Third parties can use the data subject’s personal data to track their movement or engage in cyberstalking.
  • Loss of privacy. Collecting and using the data subject’s data without their consent can infringe on their right to privacy.