Category: General Legal

Data Controller

Under the GDPR and similar privacy laws, the person or entity that determines the purposes and means of processing personal data and bears primary compliance responsibility.

What Is a Data Controller?

A data controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. The data controller decides why and how personal data will be processed and is the primary party responsible for compliance with the GDPR and other major privacy frameworks. Customer-facing organizations that collect data for their own use are typically controllers.

Controller Responsibilities Under the GDPR

  • Establishing a lawful basis for each processing activity
  • Providing transparent privacy notices to data subjects
  • Implementing appropriate technical and organizational security measures
  • Maintaining records of processing activities (Article 30)
  • Conducting data protection impact assessments for high-risk processing
  • Notifying supervisory authorities of personal data breaches within 72 hours
  • Engaging processors through written contracts that meet Article 28 requirements
  • Appointing a data protection officer (DPO) when required

Joint Controllers and Cross-Border Implications

When two or more entities jointly determine the purposes and means of processing, they are joint controllers and must agree in writing on their respective responsibilities. The CJEU has interpreted joint controllership broadly, extending it to operators of Facebook fan pages and to websites that embed third-party plugins. Controllers transferring personal data outside the EEA must rely on an approved transfer mechanism. U.S. state privacy laws (California, Colorado, Connecticut, Virginia, Utah, and others) use the terms "business" or "controller" for the party with comparable responsibilities, though the specific obligations differ from state to state.