Empowered by mobile devices and next-generation web services, such as personal cloud-storage services and social-networking services, individuals store increasing amounts of personal data online. As web services become more social, such personal data relates to individuals and to their relationships. As a matter of fact, individuals also disclose online personal data that relates to other individuals (e.g., individuals store their address books, which contain the birthdate and contact information or their contacts, on cloud platforms). The research questions addressed in this article are the following: “How do data protection regulations apply in such cases and to which extent do they protect data subjects from privacy infringements committed by natural persons in such a digital and online context?” and “how such protection can be improved, if needed, by integrating new legal solutions, potentially coupled with technical solutions for achieving compliance and enforcement?” In most regulations that aim to protect the personal data of individuals, including the EU General Data Protection Regulation (GDPR) enacted on April 27th, 2016, the definition of data controllers encompasses natural and legal persons. This means that, even if some exceptions can apply in specific cases, a natural person who manipulates personal data of other natural persons, as illustrated above, must in principle respect the regulation. In their definition of personal data, many regulations rely on the core notion of data subject and make two assumptions: (i) for a given piece of personal data, there is a single data subject, i.e., personal data relates to a single individual, the data subject, (ii) the individual who discloses the personal data to an online service is the data subject (they are one and the same person). But in fact, in many situations, personal data relates to several natural persons and the determination of the data subject(s) is not straightforward. In this article, this problem is introduced and illustrated through carefully chosen real-life examples rooted in the use of information and communication technologies. A classification is proposed for the aforementioned situations: it contains three broad categories based on the relation between the user of the data and the data subject. The considered examples are analysed through the lens of the recently adopted EU GDPR. The ability of the EU GDPR to protect individuals against such infringements is questioned and discussed.