Data Controller

A data controller is the company or organisation that determines why and how personal data is processed. The role follows automatically from that decision. It is not something you opt into or out of.

    What is a data controller?

    Under GDPR Article 4(7), the data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In plain terms: if your organisation decides why personal data is collected and how it is processed, you are the data controller.

    The controller role is determined by the facts of the situation, not by a contract or a title. Even if an agreement labels you as something else, the supervisory authority will look at who actually makes the decisions about the processing.

    Data controller vs data processor

    The distinction between controller and processor is one of the most fundamental concepts in GDPR. The controller determines the purposes and means of processing, whilst the processor carries out the processing on the controller’s instructions.

    • Data controller: Decides why and how personal data is processed. Bears primary responsibility for GDPR compliance.
    • Data processor: Processes personal data on behalf of the controller. Acts only on the controller’s documented instructions.

    A clear understanding of this distinction is essential because it determines who is accountable for compliance, who must respond to data subject requests and who must report data breaches to the supervisory authority.

    Joint controllers

    GDPR Article 26 recognises that two or more controllers may jointly determine the purposes and means of processing. In such cases, the joint controllers must enter into an arrangement that specifies their respective responsibilities for compliance, including how data subjects can exercise their rights.

    Joint controllership arises, for example, when two organisations run a shared loyalty programme or jointly operate a platform that collects user data.

    The data controller’s obligations

    As the data controller, your organisation must fulfil a wide range of GDPR obligations:

    • Lawful basis: You must have a valid legal basis for every processing activity (e.g. consent, contract, legitimate interest).
    • Transparency: You must inform data subjects about how their data is processed, typically through a privacy notice.
    • Records of processing: You must maintain a record of processing activities (ROPA) under Article 30.
    • Data protection impact assessment: For high-risk processing, you must carry out a DPIA under Article 35.
    • Data processing agreements: You must have a DPA with every data processor.
    • Supervision of processors: You must verify that your processors comply with GDPR and the DPA.
    • Breach notification: You must notify the supervisory authority within 72 hours of becoming aware of a personal data breach.
    • Data protection officer: Where required, you must designate a DPO under Articles 37–39.

    Accountability principle:
    GDPR Article 5(2) introduces the accountability principle: the controller must not only comply with GDPR but must also be able to demonstrate compliance. This means documentation is not optional — it is a legal requirement.

    Frequently asked questions about data controllers

    What is a data controller?

    A data controller is the organisation that determines the purposes and means of processing personal data. Under GDPR Article 4(7), the controller decides why personal data is collected and how it is processed.

    What is the difference between a data controller and a data processor?

    The data controller decides why and how personal data is processed and bears primary responsibility for GDPR compliance. The data processor processes personal data on the controller’s behalf and acts only on the controller’s documented instructions.

    Can two organisations be joint controllers?

    Yes. GDPR Article 26 provides for joint controllership where two or more organisations jointly determine the purposes and means of processing. They must agree on their respective responsibilities in a transparent arrangement.

    What are the main obligations of a data controller?

    Key obligations include having a lawful basis for processing, maintaining records of processing activities, entering into data processing agreements with processors, conducting data protection impact assessments where required and notifying the supervisory authority of data breaches within 72 hours.

    How do I know if my organisation is a data controller?

    If your organisation determines why personal data is collected and how it is processed, you are the data controller. The role is determined by the factual circumstances, not by contracts or titles. If you make the decisions about the processing, you are the controller.
