What is the correlation between "data subject", "controller", as well as "processing"?

User Rating: 5 / 5

Star ActiveStar ActiveStar ActiveStar ActiveStar Active

1. How can "data subject", "controller", and "processing" be explained?

To answer this question, let’s clarify how "data subject", "controller", as well as "processing" are defined by UK GDPR. 

1.1. What is a "data subject"?

A "data subject" is an individual (a natural person) who is identified or who is identifiable. An identifiable individual is someone who can be identified either directly or indirectly.

An identifiable individual can be identified by reference to an identifier such as;

  • a name,
  • an identification number,
  • location data,
  • an online identifier.

An individual can be also identified when referring to their physical, physiological, genetic, mental, economic, cultural, or social identity that would constitute "sensitive" information.

1.2. What is a "controller"?

A "controller" means either a natural or a legal person, public authority, agency, or other entity.

A "controller" solely or jointly with another controller or controllers, determines purposes and means of personal data processing.

1.3. How should be "processing" understood?

1.3.1. What does "processing" mean under UK GDPR?

"Processing" refers to an operation or a combination of operations that are performed over personal data or on sets of personal data, whether or not by automated means. It can be also called as a "processing operation".

1.3.2. What does "processing" include?

Processing of private data includes the following actions on private data;

  • collection,
  • recording,
  • organisation,
  • structuring,
  • storage,
  • adaptation or alteration,
  • retrieval,
  • consultation,
  • use,
  • disclosure by transmission,
  • dissemination or otherwise making available,
  • alignment or combination,
  • restriction,
  • erasure or destruction. 

2. How are "data subject", "controller", and "processing" interconnected?

Processing of personal data is exercised by a controller or jointly by controllers that define purposes and means of such processing.

A controller is connected with a data subject through an operation of processing, where a controller processes private data of a data subject.

3. Conclusions

  1. An individual who is identified or who is identifiable shall mean a "data subject" under UK GDPR. Purposes and means of personal data processing are determined by a controller. "Processing" refers to an operation or a combination of operations that are performed over personal data or sets of personal data as outlined in UK GDPR.
  2. The correlation between "data subject", "controller", and "processing" can be visualised in the following way:


Author: Dr. Elizabeth Sushko-West
Published: 11 May 2021
Updated: 2 May 2022

Legal Analyses & Legal Solutions:


Right Click

No right click