Every visitor to your WordPress site who leaves a trace — an IP address in server logs, a cookie identifier, an email in a contact form — becomes a data subject with enforceable legal rights under GDPR. This includes registered users with full profiles and anonymous visitors who never create an account. Understanding who qualifies as a data subject and what rights they hold is foundational to WordPress compliance because these rights drive your operational obligations.
The GDPR Definition Encompasses Everyone You Track
The GDPR does not provide a standalone definition of data subject but embeds it within the personal data definition. Article 4(1) states that personal data means any information relating to an identified or identifiable natural person, with data subject appearing in parentheses as the term for that natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Two elements matter here: natural person and identified or identifiable. A natural person is a living human being, contrasted with legal persons like corporations and partnerships. The GDPR protects personal data of data subjects who are natural persons, though both natural and legal persons can serve as data controllers and data processors.
The CJEU has confirmed across multiple cases that both registered users and anonymous visitors qualify as data subjects when their personal data is processed. Scarlet Extended (C-70/10), Breyer (C-582/14), and Nowak (C-434/16) all reinforce that an individual becomes a data subject insofar as they are directly or indirectly identified or identifiable. For WordPress sites, this means every visitor whose IP address is logged, whose cookies are tracked, or whose browser fingerprint is captured becomes a data subject with enforceable rights. Citizenship and residency are irrelevant to this determination.
Deceased persons fall outside GDPR scope. Recital 27 explicitly states that the Regulation does not apply to the personal data of deceased persons, though Member States may provide their own rules. Legal entities like corporations, foundations, and institutions also fall outside data protection coverage. Data must be assignable to identified or identifiable living persons to qualify as personal data.
Children Receive Heightened Protection
Children merit specific protection under GDPR. Recital 38 explains the rationale: children may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. This protection applies particularly to marketing, personality profiling, user profile creation, and data collection when services are offered directly to children.
Article 8 establishes consent requirements for information society services offered directly to children. Where consent is the lawful basis, processing of a child’s personal data is lawful only where the child is at least 16 years old. Below 16, processing requires consent given or authorized by the holder of parental responsibility. Member States may lower this threshold but not below 13 years.
The age threshold varies across Member States. Ireland and Germany set it at 16. The UK and Belgium set it at 13. France uses 15, Spain uses 14, and the Netherlands uses 16. Article 8(2) requires controllers to make reasonable efforts to verify that consent is given or authorized by a parent, taking into consideration available technology.
The ICO defines a child as anyone under 18 in accordance with the UN Convention on the Rights of the Child. Children are data subjects irrespective of age and can exercise their GDPR rights at any age provided they have capacity and it serves their best interests.
Article 8 applies only to information society services, meaning online services, and only when consent is the legal basis. Selling ringtones to teenagers involves personal data collected for contract performance under Article 6(1)(b), not consent. But sending marketing newsletters to those same teenagers requires consent, and if the data subject is under 16, parental consent becomes mandatory.
Eight Rights That Drive Your Compliance Obligations
GDPR Chapter 3 establishes comprehensive rights for data subjects across Articles 12 through 23. Each right creates corresponding operational requirements for WordPress site owners.
The right to be informed under Articles 13 and 14 requires controllers to provide clear, concise, and easily accessible information about data processing activities. This includes the controller’s identity, purposes of processing, legal basis, recipients of data, retention periods, and data subject rights. Your privacy policy must communicate all of this in language that visitors can actually understand.
The right of access under Article 15 allows data subjects to obtain confirmation whether their personal data is being processed and, if so, access to that data along with detailed information about the processing. The response must include the processing purposes, categories of personal data, recipients, retention period, information about rights, data source if not collected directly, and whether automated decision-making including profiling occurs. This right is central because only through access can data subjects exercise further rights like rectification and erasure.
The right to rectification under Article 16 requires controllers to correct inaccurate personal data without undue delay. Data subjects can demand that their information be accurate and up-to-date.
The right to erasure under Article 17, commonly called the right to be forgotten, allows data subjects to request deletion when data is no longer necessary for its original purpose, when consent is withdrawn and no other legal basis exists, when the data subject objects to processing, when data has been unlawfully processed, when erasure is required by EU or Member State law, or when data was collected in relation to information society services offered to a child. Minors who gave consent to use an online service can always request erasure of that personal data regardless of their current age.
The right to restriction of processing under Article 18 allows data subjects to limit processing when accuracy is contested, when processing is unlawful but they prefer restriction over erasure, when the controller no longer needs the data but the data subject needs it for legal claims, or when the data subject has objected to processing pending verification of the controller’s grounds.
The right to data portability under Article 20 entitles data subjects to receive their personal data in a structured, commonly used, and machine-readable format with the right to transmit it to another controller without hindrance. This applies where processing is based on consent or contract and carried out by automated means. Data subjects can also request direct transmission between controllers where technically feasible.
The right to object under Article 21 allows data subjects to object to processing based on legitimate interests or public task, in which case the controller must demonstrate compelling grounds to continue. For direct marketing, the right to object is absolute and must always be honored immediately. Objection rights also extend to processing for scientific or historical research purposes, or for statistical purposes.
Rights related to automated decision-making under Article 22 protect data subjects from being subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects. Exceptions exist for contract performance, legal authorization, or explicit consent, but appropriate safeguards must be in place.
The One-Month Response Deadline Is Strictly Enforced
Article 12(3) establishes strict response timeframes. Controllers must provide information on action taken without undue delay and in any event within one month of receipt of the request. The period may be extended by two further months where necessary, taking into account the complexity and number of requests. The controller must inform the data subject of any extension within one month of receipt, together with reasons for the delay.
The one-month deadline runs as a calendar month, not 30 days. The clock starts the day the request is received. If no matching date exists in the following month, the deadline falls on the last day of that month. Weekend and holiday deadlines extend to the next working day.
Extension to three months total requires specific conditions. The controller must inform the individual within the original one-month period and provide reasons for the delay; it does not need permission from the individual or the supervisory authority. The Swedish DPA confirmed that during identity verification the time limit may be paused where controllers have reasonable grounds to doubt the requester’s identity.
If a controller refuses to act on a request, they must inform the data subject without delay and within one month at the latest, explaining the reasons for not taking action, the possibility of lodging a complaint with a supervisory authority, and the option of seeking judicial remedy.
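The deadline arithmetic described above, worked through in PHP as an added example (not code from the article). It assumes the clock starts on the day of receipt, that the extended deadline is counted three months from that same day, and that the applicable public holidays are supplied by the caller as a constructed list.

```php
<?php
// Added example, not from the original article. Applies the Article 12(3)
// calendar-month rule: same day-of-month in the target month, falling back to
// the last day of that month, then rolled forward past weekends and holidays.

function gdpr_add_calendar_months( DateTimeImmutable $received, int $months ): DateTimeImmutable {
    // Start from the 1st so PHP never overflows into the following month
    // (31 January + 1 month would otherwise become 3 March).
    $year   = (int) $received->format( 'Y' );
    $month  = (int) $received->format( 'n' );
    $target = $received->setDate( $year, $month, 1 )->modify( "+{$months} month" );
    // Keep the original day where it exists, otherwise the last day of the target month.
    $day = min( (int) $received->format( 'j' ), (int) $target->format( 't' ) );
    return $target->setDate( (int) $target->format( 'Y' ), (int) $target->format( 'n' ), $day );
}

function gdpr_response_deadline( DateTimeImmutable $received, int $months, array $holidays = array() ): DateTimeImmutable {
    $deadline = gdpr_add_calendar_months( $received, $months );
    // A deadline on a Saturday, Sunday or listed holiday moves to the next working day;
    // loop because the next day may itself be a holiday.
    while ( (int) $deadline->format( 'N' ) >= 6 || in_array( $deadline->format( 'Y-m-d' ), $holidays, true ) ) {
        $deadline = $deadline->modify( '+1 day' );
    }
    return $deadline;
}

// Constructed holiday list; replace with the calendar that applies to your controller.
$holidays = array( '2025-03-03' );

// Case 1: received on 31 January 2025. February has no 31st, so the one-month
// deadline is clamped to the last day of February; the extension notice must be
// sent by that date, and the extended deadline is computed from the same receipt day.
$received = new DateTimeImmutable( '2025-01-31' );
echo 'Received ', $received->format( 'D Y-m-d' ), PHP_EOL;
echo '  one month:    ', gdpr_response_deadline( $received, 1, $holidays )->format( 'D Y-m-d' ), PHP_EOL;
echo '  three months: ', gdpr_response_deadline( $received, 3, $holidays )->format( 'D Y-m-d' ), PHP_EOL;

// Case 2: received on Saturday 1 February 2025. One month later lands on a
// weekend and the constructed holiday follows it, so the deadline rolls twice.
$received = new DateTimeImmutable( '2025-02-01' );
echo 'Received ', $received->format( 'D Y-m-d' ), PHP_EOL;
echo '  one month:    ', gdpr_response_deadline( $received, 1, $holidays )->format( 'D Y-m-d' ), PHP_EOL;
```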
Identity Verification Must Be Proportionate
Recital 64 requires controllers to use all reasonable measures to verify the identity of a data subject who requests access, particularly in the context of online services and online identifiers. However, verification must be proportionate.
Asking for passport copies, government-issued ID, or similar documentation as standard verification should be avoided. This approach is disproportionate and often irrelevant to the request; it is not considered secure or efficient authentication, creates additional risks including identity theft and fraud, would require a Data Protection Impact Assessment before implementation, and demands higher security measures than the original data collection did.
Appropriate verification methods consider context and reasonable expectations. If a method was good enough when obtaining data originally, it should be good enough for verifying requests. Use data you already have rather than requesting new data. Verify knowledge the data subject would possess. In online contexts, use the same credentials used to log into the service. For lost credentials, verify using other linked information rather than unrelated identifiers.
The IAPP guidance states that in the online context, the GDPR explicitly says identification should include digital identification, for example through an authentication mechanism such as the same credentials used by the data subject to log in to the online service.
WordPress Privacy Tools Since Version 4.9.6
WordPress introduced built-in privacy tools in version 4.9.6 released May 2018. These tools provide a foundation but do not constitute complete compliance.
The Export Personal Data tool at Tools > Export Personal Data manages export requests. The workflow begins when an administrator creates an export request by entering a username or email address. WordPress sends a confirmation email to the user, who clicks a confirmation link to verify the request. The status changes to Confirmed. The administrator reviews and approves, WordPress generates a downloadable zip file, and a download link valid for three days is sent to the user.
The Erase Personal Data tool at Tools > Erase Personal Data follows a similar workflow. The administrator must manually approve requests to remove data. Deleted data is permanently removed from the database, and erasure requests cannot be reversed after confirmation.
Critical limitations constrain these tools. They only gather data from WordPress core and participating plugins. They do not remove data from backups or archive files. They do not automatically delete registered user accounts. They do not address third-party services including analytics, email marketing, and CRM platforms. Site administrators must understand their complete data collection scope beyond what WordPress core handles.
The Privacy Policy page generator aggregates plugin-contributed privacy declarations into a starting template. This requires customization for site-specific processing activities and does not automatically satisfy transparency obligations.
Plugin Integration Extends Privacy Tool Coverage
WordPress provides hooks for plugin developers to integrate with the privacy system. Personal data exporters allow plugins to register exporter callbacks that include their data in export requests. The exporter callback receives the email address being processed and returns data in a structured format.
Personal data erasers allow plugins to hook into the erasure feature to erase or anonymize personal data they collect, whether in postmeta or custom post types. When the admin initiates removal, an AJAX loop iterates over all registered erasers one at a time. Plugins can register their own eraser callbacks.
The key for all exporters and erasers is the user’s email address. This was chosen because it supports both registered users and unregistered users such as logged-out commenters.
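The exporter and eraser hooks described above, as an added example that is not code from the article or from WordPress core. It assumes a hypothetical plugin that stores contact-form submissions as a custom post type `cf_submission` with the post meta keys `_cf_email`, `_cf_ip` and `_cf_message`; the filter names and the shape of the returned arrays are WordPress core's, everything else is assumed.

```php
<?php
// Added example (not from the article or WordPress core): exporter and eraser for a
// hypothetical plugin storing contact-form submissions as the custom post type
// 'cf_submission' with post meta '_cf_email', '_cf_ip', '_cf_message'. Keyed by email.

const CF_PRIVACY_PAGE_SIZE = 100; // WordPress keeps calling each callback until 'done' is true

function cf_find_submission_ids( $email_address, $page ) {
    return get_posts( array(
        'post_type'      => 'cf_submission',
        'post_status'    => 'any',
        'posts_per_page' => CF_PRIVACY_PAGE_SIZE,
        'paged'          => $page,
        'meta_key'       => '_cf_email',
        'meta_value'     => $email_address,
        'fields'         => 'ids',
    ) );
}

function cf_privacy_exporter( $email_address, $page = 1 ) {
    $items = array();
    $ids   = cf_find_submission_ids( $email_address, $page );
    foreach ( $ids as $post_id ) {
        $items[] = array(
            'group_id'    => 'cf_submissions',
            'group_label' => 'Contact form submissions',
            'item_id'     => 'cf_submission-' . $post_id,
            'data'        => array(
                array( 'name' => 'Email',      'value' => get_post_meta( $post_id, '_cf_email', true ) ),
                array( 'name' => 'IP address', 'value' => get_post_meta( $post_id, '_cf_ip', true ) ),
                array( 'name' => 'Message',    'value' => get_post_meta( $post_id, '_cf_message', true ) ),
                array( 'name' => 'Submitted',  'value' => get_the_date( 'c', $post_id ) ),
            ),
        );
    }
    return array( 'data' => $items, 'done' => count( $ids ) < CF_PRIVACY_PAGE_SIZE );
}

function cf_privacy_eraser( $email_address, $page = 1 ) {
    // Always fetch page 1: deleted posts drop out of the result set, so paging
    // with $page would skip every second batch.
    $ids     = cf_find_submission_ids( $email_address, 1 );
    $removed = false;
    foreach ( $ids as $post_id ) {
        // Delete outright. A record that must be kept for a legal claim should instead
        // be anonymized (wp_privacy_anonymize_data( 'ip', $ip ) for the address) and
        // reported via 'items_retained' => true so the admin sees what was kept.
        $removed = wp_delete_post( $post_id, true ) ? true : $removed;
    }
    return array( 'items_removed' => $removed, 'items_retained' => false, 'messages' => array(), 'done' => count( $ids ) < CF_PRIVACY_PAGE_SIZE );
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['cf-example'] = array( 'exporter_friendly_name' => 'Contact form submissions', 'callback' => 'cf_privacy_exporter' );
    return $exporters;
} );
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['cf-example'] = array( 'eraser_friendly_name' => 'Contact form submissions', 'callback' => 'cf_privacy_eraser' );
    return $erasers;
} );
```

Running a test export and erasure against a constructed submission shows whether the plugin's data appears in the zip and disappears afterwards, which is the participation check the article recommends.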
Not all plugins participate in this system. WooCommerce, Gravity Forms, and other major plugins have added integration, but many plugins store data without registering with WordPress privacy tools. Testing export and erasure requests reveals which plugins participate and which leave gaps.
Front-End Request Mechanisms
Site owners need mechanisms for visitors to submit data requests. The GDPR Data Request Form plugin provides one workflow: the user submits a request for export or erasure, the request is created in WordPress Tools, a confirmation email is sent to the user, the user confirms, the status updates, an email notifies the administrator, and personal data is either sent by email as a three-day download link or erased.
Implementation options include widgets for sidebar or footer integration, Gutenberg blocks for page integration, shortcodes for posts and pages, and PHP functions for theme integration. The mechanism should be linked prominently from the privacy policy page.
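The front-end workflow described above, implemented as an added example against WordPress core's own request functions (this is not code from the article or from the GDPR Data Request Form plugin). `wp_create_user_request()` files the request that appears under Tools and `wp_send_user_request()` emails the confirmation link; the shortcode name, nonce action, field names and CSS classes are assumed.

```php
<?php
// Added example (not from the article or any plugin): a [dsr_request_form] shortcode
// that files an export or erasure request through WordPress core. The request stays
// "Pending" until the visitor clicks the confirmation link core emails them.

function dsr_handle_submission() {
    if ( empty( $_POST['dsr_submit'] ) ) {
        return null; // nothing submitted, just render the form
    }
    $nonce = isset( $_POST['dsr_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['dsr_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'dsr_request' ) ) {
        return new WP_Error( 'dsr_nonce', 'Security check failed, please try again.' );
    }
    $email  = isset( $_POST['dsr_email'] ) ? sanitize_email( wp_unslash( $_POST['dsr_email'] ) ) : '';
    $action = isset( $_POST['dsr_action'] ) ? sanitize_key( $_POST['dsr_action'] ) : '';
    // Only the two request types core understands are accepted.
    if ( ! is_email( $email ) || ! in_array( $action, array( 'export_personal_data', 'remove_personal_data' ), true ) ) {
        return new WP_Error( 'dsr_input', 'Please enter a valid email address and choose a request type.' );
    }
    $request_id = wp_create_user_request( $email, $action );
    if ( is_wp_error( $request_id ) ) {
        // 'duplicate_request': a pending request already exists for this address. Show the
        // same message as on success so an unauthenticated visitor cannot probe for requests.
        return 'duplicate_request' === $request_id->get_error_code() ? true : $request_id;
    }
    $sent = wp_send_user_request( $request_id ); // sends the confirmation email
    return is_wp_error( $sent ) ? $sent : true;
}

function dsr_request_form_shortcode() {
    $result = dsr_handle_submission();
    $out    = '';
    if ( is_wp_error( $result ) ) {
        $out .= '<p class="dsr-error">' . esc_html( $result->get_error_message() ) . '</p>';
    } elseif ( true === $result ) {
        $out .= '<p class="dsr-ok">' . esc_html( 'Check your inbox: your request is processed only after you click the confirmation link.' ) . '</p>';
    }
    $out .= '<form method="post">';
    $out .= wp_nonce_field( 'dsr_request', 'dsr_nonce', true, false );
    $out .= '<label>Email address <input type="email" name="dsr_email" required></label>';
    $out .= '<label><input type="radio" name="dsr_action" value="export_personal_data" checked> Export my data</label>';
    $out .= '<label><input type="radio" name="dsr_action" value="remove_personal_data"> Erase my data</label>';
    $out .= '<button type="submit" name="dsr_submit" value="1">Send request</button>';
    $out .= '</form>';
    return $out;
}
add_shortcode( 'dsr_request_form', 'dsr_request_form_shortcode' );
```

Because the confirmation link goes to the submitted address, this reuses the email-based verification the WordPress tools already perform, which is the proportionate method the article recommends for standard requests.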
Third-Party Data Requires Separate Handling
WordPress privacy tools only handle data from WordPress core and participating plugins. Plugin data from form submissions requires separate handling unless the plugin developers have added integration. Data in external services demands independent attention.
Depending on how you handle user data, you may need to delete it from CRM systems, email marketing services like Mailchimp and ConvertKit, analytics platforms, payment processors like Stripe and PayPal, hosting provider logs, CDN logs from Cloudflare and similar services, third-party form processors, newsletter services, and external databases.
Each of these services has its own data deletion mechanisms. A data subject request to your WordPress site does not automatically propagate to third parties. You must establish procedures for forwarding requests and documenting completion across all services receiving visitor data.
Practical Compliance Requirements
Implementing data request mechanisms requires installing a front-end request form through widget, shortcode, or dedicated page, linking it prominently from the privacy policy, and testing the full workflow from submission through completion.
Establishing response procedures requires documenting internal workflow for handling requests, assigning responsibility for monitoring the Tools export and erase sections, setting calendar reminders for one-month deadlines, and creating templates for extension notifications.
Verifying plugin compliance requires checking which plugins integrate with WordPress privacy tools, testing export and erasure requests to see what data is included, contacting plugin developers for plugins that do not participate, and considering replacement of non-compliant plugins.
Documenting third-party processing requires listing all external services receiving visitor data, establishing procedures for forwarding requests to third parties, and including third-party data in privacy policy disclosures.
Identity verification protocol requires using email verification through the WordPress default for standard requests, considering additional verification matching original collection methods for sensitive data, documenting verification procedures, and avoiding over-collection of verification data.
Children’s data considerations require determining if your site offers information society services to children, implementing age verification if required, establishing parental consent mechanisms if processing children’s data, and using child-friendly language in privacy notices.
Enforcement Consequences Are Real
Non-compliance creates multiple risks. Failure to respond within one month triggers regulatory action. Denial of rights without lawful grounds generates complaints and fines. Inadequate identity verification leading to data breaches invokes Article 83 penalties. Systematic failures can result in fines up to €20 million or 4% of global annual turnover.
Data subjects can lodge complaints with supervisory authorities, seek judicial remedies, and claim compensation for material and non-material damage. The CJEU has confirmed that mere loss of control over personal data constitutes compensable harm.
WordPress-specific risks include comment IP addresses stored indefinitely without erasure capability, plugin data not included in export and erasure tools, third-party services not addressed in request workflows, and backup restoration reintroducing erased data.
Every Visitor With a Trace Is a Data Subject
Everyone who leaves identifiable data on your WordPress site is a potential data subject, not just registered users but every visitor whose IP address, cookies, or behavior is tracked. Their rights are enforceable through complaints to supervisory authorities and legal remedies.
One calendar month is the response deadline, with strict extension requirements that must be communicated within that original period. WordPress tools are necessary but insufficient, covering only core and participating plugins while third-party services remain your responsibility.
Children require extra protection through age verification and parental consent for online services depending on Member State thresholds. Identity verification must be proportionate, using methods matching original data collection rather than excessive documentation.
Document everything: requests received, verification performed, actions taken, and communications sent. Test your workflows by running practice export and erasure requests to identify gaps before real requests arrive. The data subject rights framework is not theoretical. It drives daily operational requirements for every WordPress site processing EU personal data.