Data Controller

The data controller is one of the most fundamental concepts in the General Data Protection Regulation (GDPR). Defined in Article 4(7), the controller is the entity that determines the "why" and "how" of personal data processing: it decides the purposes for which personal data are processed and the essential means used for that processing.

Controllership is determined by factual circumstances, not merely by contractual designation. An entity that in practice makes the key decisions about data processing is a controller regardless of how it labels itself. This factual approach means that organisations cannot avoid controller responsibilities simply by claiming to be processors in their contracts. The European Data Protection Board (EDPB) has issued detailed guidance on the distinction between controllers and processors.

Controllers bear the primary compliance burden under the GDPR. They must implement appropriate technical and organisational measures to ensure and demonstrate compliance (the accountability principle), maintain records of processing activities, conduct Data Protection Impact Assessments for high-risk processing, appoint a Data Protection Officer where required, implement data protection by design and by default, and ensure a lawful basis exists for each processing activity.

In cases of joint controllership, where two or more controllers jointly determine the purposes and means of processing, Article 26 GDPR requires them to determine their respective responsibilities through a transparent arrangement. Data subjects can exercise their rights against each of the joint controllers regardless of the internal arrangement.