Who are these actors?
The data subject is indirectly introduced in Art.4(1) GDPR as “an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. A data subject is therefore a, living, individual that is identified through personal data. Deceased persons and legal entities are not defined as data subjects.
The GDPR aims to protect data subjects by getting them back in control of personal data that relates to them, by providing data subjects with rights that they can then exercise.
What are their rights and responsibilities?
Data subjects are provided with a large number of rights under Art.14-23 GDPR. Data subjects for instance have the right of access, meaning that they can demand from the controller to know whether personal data is processed, what categories of personal data are used, what the personal data is processed for and who the recipients of the personal data are. Data subjects furthermore have the right of erasure and rectification, meaning that they can demand that personal data relating to them is to be rectified or deleted. Data subjects also have the right of data portability, that is they can receive the personal data from the controller in a structured format and are then free to provide another controller with the data. According to Art.12 and Art.13 GDPR, controllers have to provide data subjects with personal data relating to them if data subjects request this. The personal data can be provided in writing or electronically, as well as orally if the
identity of the data subject could be confirmed through other means. With regards to responsibilities, a controller might refuse to act on such a request for data, or charge a reasonable fee, if such requests for personal data are found to be unfounded or excessive.
If data subjects feel that their rights have been infringed upon by a controller or processor or as a result of processing of personal data, they can lodge a complaint with a supervisory authority (Art.77 GDPR). They can also have the have the right to an effective judicial remedy (Art.77 GDPR) in such a situation. If data subjects have suffered (non)material damage through the infringement of their rights given through the GDPR, they are able to be compensated by the controller or processor for the damage that they suffered. Data subjects are also able to mandate not-for-profit organizations or bodies to take these actions on their behalf, according to Art.80 GDPR.
Individual I is a user of a social network provider S. S gathers personal data such as home address, name, age and gender of I in order to provide I with the intended service.
As I is not sure what data S has gathered exactly, I requests access to the data using the right of access under Art.15 GDPR. Seeing that some of the data is factually incorrect, I requests the rectification of this inaccurate personal data under Art.16 GDPR.