GDPR Glossary Also known as: controller
The organisation or person that decides why and how personal data is processed — and carries primary responsibility under the GDPR.
A data controller is the entity that determines the purposes and means of processing personal data — in plain terms, the 'why' and the 'how'. Most businesses are controllers for the customer and employee data they decide to collect and use.
The controller carries the primary legal responsibility for GDPR compliance: choosing a lawful basis, honouring data-subject rights, keeping data secure, and being able to demonstrate accountability.
In the Regulation
Related terms
Data processorA third party that processes personal data on behalf of, and under the instructions of, a data controller.Joint controllersTwo or more controllers that jointly decide the purposes and means of processing.ProcessingAlmost anything you do with personal data — collecting, storing, using, sharing, or even deleting it.AccountabilityThe principle that you must not only comply with the GDPR but be able to demonstrate it with records and policies.
Need this applied to your business?
Our data-protection lawyers turn GDPR terms into a working plan.