57 GDPR provisions speak of rights and freedoms of "data subjects" that would be protected by the GDPR. A person is considered to be a "data subject" if information is processed that identifies the person or at least makes the person identifiable (cf. the definition in Art. 4 No. 1 GDPR).
Listed below are the 34 provisions in articles and the 23 provisions in recitals that refer exclusively to the rights and freedoms of "data subjects":
Articles: 4 Nr. 24; 5 I e; 6 I f; 9 II b; 9 II g; 9 II i; 9 II j; 10; 14 V b; 21 I; 22 II b; 22 III; 22 IV; 23 I i; 23 II g; 25 I; 26 I 2; 26 III; 28 I; 30 V; 34 III b; 35 VII c; 35 VII d; 36 III c; 49 I c; 49 I f; 49 I 2; 66 I; 66 III; 80 I; 87; 88 I; 88 II; 89 I GDPR.
Recitals: 2 (1); 3; 9 (1); 10 (1)/(2); 53 (3); 54 (2); 74 (3); 75; 77 (2); 78 (1); 80 (1); 84 (1); 85 (2); 86 (1); 89 (3); 94 (1)/(5); 98 (2); 113 (2); 116 (1); 154 (6); 166 (1); 173 (1) GDPR.
It is thus clear that the GDPR primarily protects "data subjects". Another 33 GDPR provisions refer to the rights and freedoms of "natural persons", which can mean data subjects [Tile DS.02], but also controllers, third parties and other persons [Tile CO.02].
The GDPR does not explicitly state which "rights and freedoms" of data subjects are to be protected. The central norm of Art. 1 II GDPR “just” states that their "fundamental rights and freedoms" and "in particular their right to the protection of personal data" are to be protected. How the term "rights and freedoms" is to be further concretised (and possibly also limited) is highly controversial and unclear.
The Tiles on this page show how the rights and freedoms of data subjects can be concretised