Privacy

Data Controller

The entity that determines the purposes and means of processing personal data.

A data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Key Responsibilities

  • Determining why personal data is processed (the purpose)
  • Deciding how it will be processed (the means)
  • Ensuring a valid legal basis for each processing activity
  • Implementing appropriate technical and organisational measures
  • Responding to data subject rights requests
  • Maintaining records of processing

Controller vs Processor

The distinction is crucial for accountability:

  • The controller makes decisions and bears primary legal responsibility
  • The data processor acts on the controller's instructions

A company can be both a controller (for its own customer data) and a processor (when handling data on behalf of another company).

Examples

  • A company that collects customer emails for marketing → controller
  • A hospital maintaining patient records → controller
  • An employer processing employee payroll → controller

Defined in GDPR Article 4(7). See also Joint Controller.

Related Terms

Data ProcessorPrivacy

An entity that processes personal data on behalf of a data controller.

Data SubjectPrivacy

The identified or identifiable person whose personal data is being processed.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Joint ControllerLegal

Two or more controllers who jointly determine the purposes and means of processing personal data.

Legal BasisLegal

The lawful ground under which personal data may be processed — the GDPR defines six possible bases.

Data BreachData Minimization