Processing and Data Subject
Processing is defined extremely broadly: any operation or set of operations on personal data, whether or not automated - collection, recording, storage, use, disclosure, erasure and so on. It is hard to think of a use of personal data that is not processing. But Article 2(1) limits scope: processing is covered only if it is wholly or partly automated, or, if manual, the data form (or are intended to form) part of a filing system. A data subject is not defined in its own right - it appears parenthetically in the definition of personal data as an 'identified or identifiable natural person'. Protection does not extend to legal persons (companies), per Recital 14.
Processing covers any operation or set of operations on personal data - automated or manual - including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure and destruction. The list is so broad that almost any handling of personal data is processing.
- Article 2(1) limits material scope: the GDPR catches processing that is wholly or partly carried out by automated means; OR
- non-automated (manual) processing only where the data form part of, or are intended to form part of, a filing system - a structured set of personal data accessible by specific criteria.
The GDPR does not give 'data subject' its own definition. It is defined parenthetically inside the definition of personal data as an 'identified or identifiable natural person'.
| Entity | Data subject? | Source |
|---|---|---|
| A living, identified or identifiable natural person | Yes | Article 4(1) |
| A legal person / company (incl. its name and contact details) | No - the GDPR does not cover legal persons | Recital 14 |
| A deceased person | May be a data subject, but the GDPR itself does not apply (member states may legislate) | Recital 27 |