Under the GDPR, an identified or identifiable natural person. The concept is key to determining what is personal data (ie information relating to a data subject) and which persons have rights under the GDPR.
An ‘identifiable natural person’ is a living person who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, identification number, location data and other examples set out in Article 4(1) of the GDPR).
A deceased person is not a data subject under the GDPR, although EEA states may make further rules regarding personal data of the deceased.
Privacy notices—what information to include—checklist FORTHCOMING CHANGE: On 19 June 2025, the Data (Use and Access) Bill received Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025) and coming partly into force on that date. Parts 5 and 6 serve to amend aspects of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. Certain provisions of DUAA 2025, concerning matters such as responding to data subject access requests and the conferring of power to make further regulations, came into force immediately on 19 June 2025. Other provisions, concerning notices from the Information Commissioner and some aspects of law enforcement processing, come into effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions require further regulations (in the form of statutory instruments) to be made to bring...
Planning a digital marketing campaign—checklist This Checklist is for use when planning a digital marketing campaign. The focus is on marketing-specific requirements and the Checklist does not consider general issues in relation to transactional activity (eg contract formation, distance selling). It covers media selection, territorial targeting, agency contracts, data protection, advertising compliance, user-generated content, influencer engagement, prize and price promotions, and behavioural advertising. It also considers compliance with the legislative and self-regulatory regimes in the UK, including the unfair commercial practices provisions of the Digital Markets, Competition and Consumers Act 2024 (DMCCA 2024) and the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code). Digital marketing can reach consumers at home, at work and, through their mobiles, tablets and video game consoles, virtually everywhere else. Alongside unrivalled potential audience numbers, it offers brands the opportunity to target individuals on the basis of their specific interests, locations or habits. It is no surprise, then, that brands are diverting more and more of their marketing spend from traditional media to...
Direct marketing decision tree—live telephone calls—data protection This decision tree provides a logical process for determining whether you can engage in live telephone marketing and, if so, to whom. For other types of marketing, see: Direct marketing decision tree—postal—data protection and Direct marketing decision tree—email and other electronic mail marketing—data protection. Live or automated telephone calls? This decision tree is not suitable for automated calls because the rules on automated calls are far stricter than those relating to live calls. You must not make automated telephone marketing calls to an individual unless they have specifically consented to receive this type of call from you. General consent for marketing, or even consent for live calls, is not enough—it must specifically cover automated calls. There is therefore little point in having a decision tree for automated marketing calls—this decision tree relates exclusively to live marketing calls. See Practice Note: Direct marketing compliance—Automated calls. Claims management services Unsolicited phone calls advertising claims management services are not permitted unless the recipient previously notified...
Evaluating a restriction of data processing request—flowchart This document reflects the UK GDPR regime. References and links to the GDPR refer to the UK GDPR (Assimilated Regulation (EU) 2016/679) unless expressly stated otherwise. The UK General Data Protection Regulation (UK GDPR) provides a number of rights for data subjects, including providing a right to restriction of processing of personal data. Data subjects can make a request to an organisation to exercise their right to restriction of processing of their personal data in certain circumstances. It is not, however, an absolute right. There are strict time limits for complying with requests made. See Practice Notes: • Rights of data subjects • How to handle data subject requests This Flowchart maps out a process for evaluating restriction of processing requests that your organisation receives under the UK GDPR. It reflects the requirements in the UK GDPR and the Data Protection Act 2018 (DPA 2018) together with guidance issued by the Information Commissioner’s Office. It should be read in conjunction with Practice Note:...
ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998 (DPA 1998). This Practice Note is for background information only and is not maintained.
Changes as a result of the General Data Protection Regulation
The General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) (applicable from 25 May 2018) introduces substantial amendments to EU and UK data protection law and replaces the DPA 1998 and Directive 95/46/EC (the Data Protection Directive) from that date.
For further information, see Practice Notes: Introduction to the EU GDPR and UK GDPR and Rights of data subjects.
A data subject is a living individual who is the subject of personal data, ie data from which he can be identified. For key definitions under the DPA 1998, see Practice Note: Key definitions under the DPA 1998. For a comprehensive introduction to the GDPR, collating key practical guidance, see: Data protection toolkit.
Right of access to personal data
An individual has a right to be informed...
ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998 (DPA 1998). This Practice Note is for background information only and is not maintained.
Background
The DPA 1998 governs processing of personal data in the UK. It obliges processors of such data to comply with eight principles, and gives individuals a right to know what information is held about them. For further information on the principles, see Practice Note: Data protection principles under the DPA 1998.
The Information Commissioner's Office (ICO) supervises and enforces the implementation of the DPA 1998. For more information, see Practice Notes: The Information Commissioner’s Office (ICO) and Sanctions and enforcement under the DPA 1998.
Sections 1 and 2 of the DPA 1998 contain definitions for the key terms used throughout the act and within the Information Commissioner's codes of practice or other guidance. Key statutory definitions include:
• Data
• Personal data
• Sensitive personal data
• Data subject
• Data controller
• Data processor
• Processing
• Relevant filing system
Changes as a result of the General Data Protection...
Data breach monitoring record
1 General information
Date of monitoring review: [insert date]
Person conducting monitoring review: [insert name and job title]
2 Volume of data breaches identified and reported
Review your Data breach register for the past 12 months and complete the information below.
Category | Over the last 12 months
Suspected data security breaches | [insert number of suspected data security breaches]
Actual data security breaches | [insert number of actual data security breaches]
[Reports to [insert name of any relevant regulator or trade body]] | [[insert number of reports sent to relevant regulator or trade body]]
Reports to the ICO (involving actual or suspected data security breaches) | [insert number of reports sent to the ICO]
Data subjects notified of actual or suspected data security breaches | [insert number of data subjects notified of actual or suspected data security breaches]
Reports to the police (involving actual or suspected data security breaches) | [insert number of reports sent to the police]
Insurer notifications (involving actual or suspected data security breaches) | [ Professional...
Ireland—data protection impact assessment—artificial intelligence DPIA screening questionnaire The screening questionnaire should be a concise document and not overly burdensome on the business. However, it needs to provide sufficient information to the DPO/Privacy POC to decide if a DPIA needs to be completed. Like the DPIA itself, the screening questionnaire will be drafted by a multidisciplinary team within the business. All completed screening questionnaires should be approved, time stamped and retained by the DPO/Privacy POC. Where a DPIA is required, it should be kept with the screening questionnaire to avoid duplication. The DPIA template is a continuation of the screening questionnaire. While the screening questionnaire and the DPIA detail AI use in accordance with EU GDPR requirements, companies deploying AI systems also need to factor in their obligations under additional relevant legislation, such as the requirement to carry out a fundamental rights impact assessment (FRIA) under the EU AI Act. While outside the scope of this document, information gathered as part of the screening questionnaire / DPIA exercise will be...
What is the position where a former client (who is now a defendant in proceedings brought by their former solicitors firm) makes a request under the Data Protection Act 1998 for a copy of any or all documents in the solicitors' file pertaining to him while he had instructed the firm? In strict legal terms a former client is entitled to have his former solicitor’s papers delivered to him provided that the solicitor has no lien over them due to the non-payment of fees. If fees have not been paid then the solicitor is entitled not to deliver up the papers unless the papers are needed to conduct litigation. In those cases the court will order delivery up of the papers but usually upon the provision by the client of security for the fees. In any case the solicitor is entitled to take and keep copies of those documents. If the documents are part of a well organised paper filing system organised in such a way that...
Where an unsuccessful job applicant submits a data subject access request in relation to the reference supplied by their employer, is it reasonable for the reference to be withheld from disclosure if it was stated as being ‘given in confidence’, but it only contained standard information, such as the applicant’s job title, employment dates and absence record, all of which was information already known to the applicant? A reference will include personal data relating to the individual and may, depending on the circumstances, include special category data (or special categories of personal data, formerly known as sensitive personal data), eg where it includes information concerning the individual’s sickness absence record, ie health. Before processing personal data in relation to an individual, an employer will need to consider whether that processing is lawful under Assimilated Regulation (EU) 2016/679, UK GDPR (UK GDPR) and the Data Protection Act 2018 (DPA 2018). For further information, see Practice Note: References, under the section dealing with ‘Data protection issues’. For information about the lawful processing...
MLex: Ireland’s Data Protection Commission (DPC) has fined the City of Dublin Education and Training Board (CDETB) 125,000 euros, after finding multiple GDPR breaches linked to a data breach in 2018 that affected around 13,000 student grant applicants, whose personal data were exposed on a malware-infected webserver. CDETB had failed to implement proper security measures, didn’t notify the DPC or affected individuals on time, and ignored a direct order to notify data subjects, the watchdog said.
The Data (Use and Access) Act 2025 (DUAA 2025), which received Royal Assent on 19 June 2025, introduces targeted amendments to the UK’s data protection regime. While most provisions await further regulation, compliance professionals in UK private sector organisations should take note of the implications of DUAA 2025 and prepare for phased implementation. To help you with this, we’ve published a new Practice Note explaining what’s changing, when and what you need to do about it.