GDPR – The Data Subject , Citizen or Resident?

GDPR Citizens

Data Subjects, who are they?

Does the GDPR really apply only to EU Citizens? If so then what about all the non-EU Citizens residents of the EU?

Something I have been trying to research as it is not crystal clear in discussions and articles I have read and I have read many, too many. Non I have come across offer a clear explanation as to who is an EU Citizen and what happens to the data of non-EU Citizens for instance.

What does the GDPR say?

The GDPR does not actually mention EU Citizen nor Residents. It instead uses the term “Data Subject”. So who is a Data Subject? We know they a “natural individuals” however, does the Data Subject has to be an EU Citizen or can they be non-EU Citizens? As we all know, the GDPR is aimed at protecting the privacy of EU Citizens and that is quite clear in the regulation. However, not all people residing in the EU hold nationality of a member state.

So lets first define who is a Citizen.

Who is an EU Citizen?

The EU Article 20(1) describes EU Citizenship thus:

Article 20 (1) of the Treaty on the Functioning of the European Union states that: “Citizenship of the Union is hereby established. Every person holding the nationality of a Member State shall be a citizen of the Union.

The GDPR defines it scope to only EU Citizens:

“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”    –

By this definition, you would be correct to assume that the GDPR only applies to citizens of the EU. Those that are not citizens of one of the member countries will not be afforded the protection. This will exclude foreign students, ambassadors, immigrants, asylum seekers, refugees, migrant workers etc?

Well, this is not so. This is not the intention of the GDPR.

When is a Resident a Citizen too?

You have to search deep in the regulation to find what the actual definition of a citizen is in the context of the Regulation. Recital 14  states that:

The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data.”

However, even the recital wording is ambiguous.  When it says “whatever nationality”, does it mean whatever EU member nationality or globally, i.e.  citizens of non EU countries? Not clear.

This is not always clear in documents, articles and posts I have seen and read. Many, by esteemed experts in this field. All I have read only refer to “EU Citizens or “EU Citizen’s Data” and not just Data Subject or “EU Residents”. Of course, the correct terminology is “Data Subject” as in Article 3, which states:

This Regulation applies to the processing of personal data of data subjects who are in the Union “

By the above definition, the data subject is more than an EU Citizen or Resident. Both are by definition a Data Subject but the Data Subject does not have to be either. It could be someone on holiday in the EU or even someone in transit through the EU, on a flight.

I for instance personally know people who have lived in the UK for 40 years as residents but do not hold a British/EU passport or are not Naturalised citizens.


So why is something as fundamental as this is buried in a recital, I wonder? Even recital 14 does not provide the required clarity. However, even though the Regulation is mute on that point, for all intents and purposes the GDPR will apply equally whether one is a EU citizen or not and we should always use the term “Data Subject”.

Therefore a Data Subject under GDPR is anyone within the borders of the EU, whose personal data is being processed. They have to be within the EU borders for them to qualify and therefore have the protection of the GDPR.

This and other articles can be found at

Author: Moyn Uddin GDPR-P, CISSP, CISA, CISM, CRISC, ISO27001 LA, TOGAF  is a certified GDPR and Cybersecurity practitioner. He is also the co-author of RESILIA – Cyber Resilience Best Practices from AXLEOS, published in 2014 and the author of the accompanying Pocketbook. He is also the lead author of the Cyber Resilience Best Practices training course for ITpreneuers


If you need any assistance with any aspects of GDPR implementation or cyber security please contact us.