Data Controller
Stands for: Data Controller (GDPR role)
The natural or legal person that, alone or jointly with others, determines the purposes and means of personal data processing under GDPR.
Definition
The **Data Controller** is the central accountability anchor of the GDPR, defined in Article 4(7). Whoever decides why personal data is processed and how it is processed (the purposes and means) is the controller, and the controller carries the obligations: lawful basis, transparency, data subject rights, security, breach notification, records of processing, and DPIA where required.

The role is determined by factual control, not by contract. Calling a counterparty a processor in a contract does not make them one if they actually decide purposes and means. Two or more parties determining purposes and means together are joint controllers under Article 26 and must publish the essence of their arrangement and the contact point for data subjects.

The controller selects processors and signs Article 28 data processing agreements with them, and remains responsible for the processor's acts. Controllers established outside the EU/EEA but in scope under Article 3(2) generally must designate a Representative in the EU under Article 27 to act as a local point of contact for supervisory authorities and data subjects.
When you'll encounter it
You will act as a controller any time your business decides to collect personal data: customer accounts, employee records, marketing lists, CCTV, analytics. Vendors that merely execute your instructions, such as cloud hosting, payroll providers, or email-sending services, are typically processors, with you remaining the controller and bearing primary accountability.
Used in our guides
- Turkey Business Laws and Compliance: What Every Foreign Investor Must Know
- UK Data Protection and GDPR: Compliance Guide for Businesses
- UAE Data Protection Law (PDPL): Compliance Guide for Businesses
- Estonia GDPR Compliance: AKI and Data Protection Requirements
- Portugal Data Protection (RGPD/GDPR): CNPD Compliance Guide
FAQ
What is the difference between controller and processor?
The controller decides why and how personal data is processed. The processor processes data on behalf of the controller, only on documented instructions. The same entity can be a controller for some processing activities and a processor for others; the analysis is per-processing-activity, not entity-wide.
Are joint controllers jointly and severally liable?
Towards data subjects, yes, under Article 82. Joint controllers must agree their respective responsibilities under Article 26, but a data subject can claim full compensation from any of them, with internal recourse between controllers afterwards based on the agreed allocation.
Does the controller have to be in the EU?
No. Controllers anywhere in the world can be in scope under Article 3(2) if they offer goods or services to EU data subjects or monitor their behaviour in the EU. Article 27 then usually requires the appointment of an EU Representative, with limited exemptions for occasional processing.
References
- GDPR Article 4(7), Article 24, Article 26, Regulation (EU) 2016/679 https://eur-lex.europa.eu/eli/reg/2016/679/oj
- EDPB Guidelines 07/2020 on the concepts of controller and processor https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en
- ICO controllers and processors guide https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/