Data Controller: Definition, Role & Duties
Understanding the role of a data controller is fundamental for any organization handling personal data under the GDPR. As the key decision-maker, the data controller determines the purposes and means of processing information—a responsibility that brings both obligations and significant influence over how data is managed and protected.
In practice, being a data controller means more than just setting policies. We are expected to ensure every step of data processing aligns with a lawful basis, maintains transparency, and fully respects the rights of data subjects. These duties aren’t just legal checkboxes—they are essential to building trust and safeguarding privacy.
This article will guide you through the essentials: from the definition and distinctions between controllers and processors, to the complexities of joint controller arrangements and the allocation of responsibilities. We’ll break down your core duties, including handling requests from individuals, drafting compliant processor contracts, and maintaining accurate records of processing.
You’ll also learn about the importance of Data Protection Impact Assessments (DPIA), managing security and breach notifications, and navigating international data transfers under GDPR. By the end, you’ll have a clear, practical understanding of what it means to be a data controller and how to fulfill this vital role in your organization.
Definition of a data controller
A data controller, as defined by the GDPR, is the individual or organization that determines the purposes and means of processing personal data. This core concept places the controller at the heart of data governance, making us responsible not just for why data is collected, but also for how it is handled, stored, shared, and deleted.
In simple terms, if we choose what data is gathered and decide how it will be processed, we are acting as the data controller. This role can be held by companies, public authorities, non-profits, or even individuals, as long as they exercise control over the data processing activities.
Key aspects that define a data controller include:
- Decision-making authority: We establish the purposes (the reasons for processing) and the means (the methods and tools used) for handling personal data.
- Legal responsibility: The controller is accountable for identifying a lawful basis for processing, ensuring transparency with data subjects, and respecting all data subject rights as outlined by the GDPR.
- Documentation and records: We are required to keep comprehensive records of processing activities and, where necessary, conduct a Data Protection Impact Assessment (DPIA) to evaluate potential risks.
- Partnerships: In some situations, we may act as a joint controller, sharing decision-making responsibilities with another entity. In such cases, clear agreements must outline each party’s obligations.
Ultimately, being a data controller is about stewardship and accountability. We must not only design how personal data is handled, but also stand as the primary point of contact for regulatory compliance, ensuring that every processing activity respects individuals’ privacy and legal rights.
Controller vs processor
When it comes to GDPR compliance, understanding the distinction between a data controller and a processor is essential. Each role carries unique responsibilities and risks, so it’s crucial to clarify their boundaries to avoid confusion and ensure lawful data handling.
The data controller is the party who decides the “purposes and means” of processing personal data. This means the controller determines why data is collected, what data is collected, and how it is processed. For example, if we decide to collect customer emails for marketing campaigns, we are the controller because we set the goals and methods for this processing.
On the other hand, a data processor acts on behalf of the controller, following their instructions without making decisions about the data’s use. Processors provide services such as storing, transmitting, or analyzing data, but they don’t determine the reasons or methods for processing. An example is when we use a cloud provider to store customer data; the provider processes the data only as instructed by us, the controller.
- Lawful Basis: Controllers must identify and document a lawful basis for processing personal data, such as consent or contractual necessity. Processors do not need their own lawful basis—they rely on the controller’s instructions.
- Transparency: Controllers are required to inform data subjects about how their data is used and their rights under the GDPR. Processors, meanwhile, are not responsible for direct transparency but support controllers by following agreed procedures.
- Data Subject Rights: Controllers manage and respond to requests from data subjects, such as access, rectification, or erasure. Processors help controllers fulfill these requests but never respond directly unless authorized.
- Records of Processing: Both controllers and processors must keep records, but controllers take the lead in documenting the purposes and means, while processors record their processing activities for each controller they serve.
- DPIA: Conducting a Data Protection Impact Assessment is the controller’s responsibility when high-risk processing is involved. Processors may assist but the obligation sits with the controller.
It’s also worth noting the concept of a joint controller. This arises when two or more organizations jointly determine the purposes and means of processing. In such cases, both parties share controller responsibilities and must transparently define their respective duties for GDPR compliance.
In summary, the data controller holds the reins, making key decisions and shouldering primary accountability for GDPR obligations. The processor, while vital, acts as a support function—processing data under explicit instructions and maintaining robust security. Recognizing these differences helps us assign responsibilities clearly, mitigate risk, and protect the rights of every data subject.
Joint controllers and role allocation
Joint controllership and the allocation of roles between joint controllers are a crucial area under the GDPR that every data controller should understand, especially when personal data processing involves more than one organization. Under Article 26 of the GDPR, two or more entities may jointly determine the purposes and means of processing personal data. In these cases, both are considered joint controllers, sharing responsibility for data protection compliance.
When acting as joint controllers, it’s essential to clearly define each party’s roles and responsibilities. This isn’t just best practice—it’s a legal requirement. The GDPR expects joint controllers to transparently outline, in a documented agreement, who handles which aspects of their shared obligations, such as responding to data subject rights requests, maintaining records of processing, and conducting a Data Protection Impact Assessment (DPIA) if necessary.
Here’s what effective role allocation between joint controllers should include:
- Purpose and Means: Clearly specify which party determines the purpose of processing and who selects the means (such as technical or organizational measures).
- Lawful Basis: Agree and document the legal basis for processing data, ensuring all parties are aligned on compliance.
- Transparency: Decide who informs data subjects about the processing, and how. This includes privacy notices and ensuring data subjects know who to contact with questions or complaints.
- Data Subject Rights: Allocate responsibility for responding to requests like access, rectification, or erasure. Ensure both parties have procedures in place to cooperate and respond within GDPR deadlines.
- Records of Processing: Determine how records will be maintained and by whom, covering what data is processed, for what purpose, and any data sharing arrangements.
- DPIA: Identify who conducts and maintains the DPIA, especially if high-risk processing is involved.
For the joint controller arrangement to be robust, the essence of the agreement should be made available to data subjects, demonstrating a commitment to transparency. Both parties remain fully accountable to supervisory authorities and can be held liable if obligations are not met, even if one controller was primarily responsible for a particular task.
In practice, successful joint controller relationships rely on open communication, detailed agreements, and a shared understanding of GDPR obligations. By proactively defining responsibilities, we reduce the risk of non-compliance and build greater trust with data subjects and partners alike.
Core duties
The core duties of a data controller under the GDPR are intricate, reflecting both the strategic and operational responsibilities organizations must fulfill to protect individuals’ data rights. These duties go far beyond initial policy-setting—they require active, ongoing measures to ensure compliance, accountability, and respect for data subjects at every stage of processing.
Here’s what we must do as data controllers to meet GDPR requirements:
- Define the purposes and means of processing: We are responsible for clearly determining why personal data is being collected and how it will be used. This means specifying, documenting, and regularly reviewing our data processing practices to ensure they’re always justified and appropriate.
- Establish a lawful basis for processing: Every processing activity requires a lawful basis under the GDPR—such as consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. We must assess and document which basis applies, explaining it transparently to those whose data we handle.
- Ensure transparency and provide information: Transparency is a cornerstone of trust. As data controllers, we must inform data subjects—clearly and in accessible language—about the processing activities, the reasons for collecting their data, their rights, and how they can exercise them.
- Safeguard data subject rights: Individuals enjoy robust data subject rights under the GDPR, including access, rectification, erasure, restriction, portability, and objection. Our duty is to set up efficient, user-friendly processes for handling these requests and to respond within required timeframes.
- Maintain comprehensive records of processing activities: We must keep detailed records of processing—documenting what data we collect, from whom, for what purpose, where it’s stored, and with whom it’s shared. This not only supports internal governance but also demonstrates compliance to regulators.
- Conduct Data Protection Impact Assessments (DPIAs): When our processing is likely to result in high risks to individuals’ privacy, we’re required to undertake a DPIA. This involves systematically evaluating risks and implementing measures to mitigate them before proceeding.
- Collaborate as a joint controller, when relevant: If we jointly determine the purposes and means of processing with another organization, we must clearly define roles and responsibilities in a transparent agreement, ensuring data subjects know how to exercise their rights.
In summary, data controllers are accountable for every aspect of personal data processing—from the moment data is collected to its eventual deletion. By embedding transparency, lawful processing, and respect for data subject rights into our practices, we not only achieve compliance but also build trust with those whose data we hold.
Handling data subject rights
Handling data subject rights is at the heart of a data controller’s responsibilities under the GDPR. As data controllers, we’re not only trusted with defining the purposes and means of processing personal data, but also with upholding the fundamental freedoms of individuals—known as data subjects—whose information we collect and process.
The GDPR grants several explicit rights to data subjects, and as controllers, we must ensure these rights can be exercised easily, promptly, and transparently. Here’s what handling data subject rights involves:
- Right of Access: Data subjects can request confirmation as to whether their personal data is being processed, along with access to that data and information about how it’s being used. We must respond without undue delay—typically within one month.
- Right to Rectification: If data is inaccurate or incomplete, subjects can request corrections. As controllers, we must ensure these updates happen swiftly and that all relevant parties are notified of changes.
- Right to Erasure (“Right to be Forgotten”): Under certain conditions, individuals can ask us to delete their personal data. We must evaluate such requests carefully, balancing legal obligations and the lawful basis for processing.
- Right to Restrict Processing: Subjects can limit how their data is processed, for example, while accuracy is contested or if they object to processing. We’re required to flag such data and process it only for specific purposes during the restriction period.
- Right to Data Portability: Upon request, we must provide personal data in a commonly used, machine-readable format. This enables individuals to transfer their information to another service provider seamlessly.
- Right to Object: Data subjects can object to processing, especially if it’s based on legitimate interests or direct marketing. We need to review these objections promptly and, unless there are compelling grounds, cease processing for those purposes.
- Rights related to Automated Decision-Making: If decisions are made solely by automated means, data subjects have the right not to be subject to such decisions with legal or similarly significant effects, and to request human intervention.
Transparency is key. We must clearly inform individuals about their rights, how to exercise them, and what to expect from the process. This information should be readily available—often in privacy notices or through customer support channels.
As controllers, it’s also vital to keep detailed records of processing activities, including how we handle and respond to rights requests. For more complex requests or in cases involving sensitive data, conducting a DPIA (Data Protection Impact Assessment) helps ensure that risks to data subjects are minimized and that our processes remain compliant.
If we act as a joint controller alongside another organization, we need clear agreements outlining responsibilities for responding to data subject rights requests. Everyone involved must know their role to avoid confusion or delays that could undermine trust or result in regulatory penalties.
By taking a proactive, structured approach to handling data subject rights, we not only comply with the GDPR but also build trust with our customers and users—demonstrating our commitment to ethical data stewardship.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Contracts with processors: Article 28 essentials
When a data controller enlists a third party to process personal data on its behalf, the GDPR is clear: a written contract is not optional—it’s a legal requirement. Article 28 of the GDPR lays out exactly what these contracts must include to ensure that both the controller and processor uphold the rights and freedoms of data subjects, and that processing remains compliant.
Here’s what every controller needs to know and do:
- Clear Assignment of Instructions: The contract must state that the processor only acts on documented instructions from the data controller. This covers what data is processed, for what purposes and means, and how the data is handled at every stage.
- Confidentiality Obligations: All people authorized to process the data must be committed to confidentiality—this helps safeguard the data subject’s rights.
- Security Measures: The processor is obliged to implement appropriate technical and organizational measures to protect personal data. The controller should ensure these measures are robust and regularly reviewed, supporting the requirement for security under the GDPR.
- Sub-processor Controls: If the processor wishes to engage another processor (a “sub-processor”), it must have the controller’s prior written consent. The same contractual obligations must be imposed on the sub-processor, creating a chain of accountability.
- Assistance with Data Subject Rights: The processor must help the controller respond to requests from individuals exercising their data subject rights—such as access, rectification, or erasure—without delay.
- Support with DPIA and Compliance: Processors must assist controllers in meeting obligations for data security, reporting data breaches, and conducting Data Protection Impact Assessments (DPIA).
- Return or Erasure of Data: At the end of the contract, processors have to either return all personal data to the controller or securely delete it, unless legal requirements dictate otherwise.
- Audit and Inspection Rights: Controllers must be able to audit processors for compliance. The processor is required to make all relevant information available and allow for inspections.
Why does this matter? These contract terms build a transparent, documented relationship based on accountability and trust. Without them, both the controller and processor risk non-compliance and potentially serious regulatory penalties.
As data controllers, we must take the lead: review processor contracts regularly, make sure they address all Article 28 essentials, and keep detailed records of processing. This proactive approach not only fulfills the GDPR’s requirements—it protects the interests of our organization and, most importantly, the individuals whose data we handle.
Records and assessments
Records and assessments are at the heart of a data controller’s accountability under the GDPR. We can’t just say we comply—we need to prove it. This means maintaining thorough documentation and performing regular evaluations to ensure our data processing activities remain lawful, fair, and transparent.
Keeping accurate records of processing is not optional. As data controllers, we must document what personal data we collect, the purposes and means for which it’s processed, the lawful basis for each activity, and details about data sharing and transfers. These records help us track our compliance and demonstrate it to regulators if questioned.
- Details of processing: For each processing activity, we need to log the categories of personal data, data subjects, recipients, and retention periods. This goes beyond a basic inventory—it’s about knowing exactly where data flows and who can access it.
- Lawful basis mapping: Every record should specify the GDPR lawful basis used—such as consent, contract, or legitimate interests—showing we’ve thought through our reasons for handling data.
- Transparency commitment: These records aren’t just for internal use. They form the foundation for privacy notices and responses to data subject rights requests, supporting our transparency obligations.
Data Protection Impact Assessments (DPIAs) are another critical tool. Whenever our processing is likely to result in a high risk to individuals’ rights and freedoms—such as large-scale monitoring or use of sensitive data—we’re required to carry out a DPIA. This assessment helps us:
- Identify and minimize risks before launching new projects or technologies.
- Demonstrate that we’ve considered privacy from the outset and designed controls into our processes.
- Engage stakeholders, including data subjects and, where needed, supervisory authorities, especially when risks can’t be fully mitigated.
For joint controllers, clear records and joint assessments are even more important. When two or more organizations jointly determine the purposes and means of processing, all parties must agree on their responsibilities and document how they’ll uphold data subject rights. This ensures coordinated compliance and avoids ambiguity if issues arise.
By making records and assessments a routine part of our data governance, we not only comply with the GDPR—we foster trust, streamline responses to audits or breaches, and keep the rights of data subjects at the center of everything we do. It’s about building a culture of privacy and responsibility, every step of the way.
Security and breach notification responsibilities
Security and breach notification responsibilities are core obligations for any data controller under the GDPR. As those who determine the purposes and means of processing, data controllers must take active steps to safeguard personal data and respond swiftly to incidents.
We’re not just talking about locking down files. Effective security under the GDPR means implementing technical and organizational measures tailored to the nature of the personal data and the risks involved. This might include:
- Encryption of data at rest and in transit to prevent unauthorized access.
- Access controls ensuring only authorized personnel can handle sensitive information.
- Regular security assessments—such as penetration testing—to identify and address vulnerabilities.
- Employee training to build a security-conscious culture and reduce human error.
- Written policies outlining how data is protected, who is responsible, and what actions to take in case of an incident.
Despite our best efforts, breaches can still occur. The GDPR sets clear expectations for what data controllers must do if personal data is compromised. If a personal data breach occurs, the data controller is required to:
- Assess the risk to individuals’ rights and freedoms, considering the type and sensitivity of data involved.
- Notify the relevant supervisory authority without undue delay—and no later than 72 hours after becoming aware of the breach, unless it’s unlikely to result in a risk to data subjects.
- Inform affected data subjects if the breach is likely to result in a high risk to their rights and freedoms. This communication should be clear and outline the nature of the breach, potential consequences, and any measures taken to address it.
- Document the breach, including details on what happened, its effects, and the response. This forms part of the controller’s records of processing activities and is crucial for demonstrating accountability.
These responsibilities are not just box-ticking exercises—they’re vital for building trust and transparency with data subjects and for maintaining your organization’s reputation. If you work as a joint controller with another organization, make sure responsibilities for breach notification are clearly defined in your agreement to avoid confusion or delays.
In summary, as a data controller, it’s essential to treat security as a continuous process—regularly review your safeguards, stay informed about emerging threats, and always be prepared to act quickly if a breach occurs. This proactive approach not only supports GDPR compliance, but also respects the data subject rights at the heart of modern data protection.
International transfers: SCCs and adequacy
International data transfers are a critical concern for every data controller operating under the GDPR. When personal data is moved outside the European Economic Area (EEA), the data controller must ensure that the information remains protected to the same standards as within the EU. This responsibility extends to choosing appropriate safeguards and maintaining transparency throughout the transfer process.
Standard Contractual Clauses (SCCs) and adequacy decisions are two main mechanisms that help data controllers lawfully transfer personal data internationally. Let’s break down what each means and how they affect your organization’s duties:
- SCCs (Standard Contractual Clauses): SCCs are pre-approved contract terms published by the European Commission. As a data controller, you can incorporate these clauses into your agreements with non-EEA recipients. They oblige both parties to uphold GDPR-level data protection, covering aspects like purposes and means of processing, security standards, data subject rights, and transparency requirements. SCCs are often the practical choice when transferring data to countries without an adequacy decision.
- Adequacy Decisions: An adequacy decision is a formal recognition by the European Commission that a non-EEA country offers data protection standards comparable to the GDPR. If you’re transferring data to a country with such a decision, no further authorization or contractual safeguards are required. This simplifies compliance for the data controller, making it easier to demonstrate a lawful basis for the transfer in your records of processing.
Both mechanisms require you, as the data controller, to maintain transparency with individuals about where their data is sent and under what safeguards. This is essential not only for compliance but also for upholding data subject rights—people have the right to know if their data leaves the EU and how it will be protected abroad.
It’s important to remember that even when using SCCs or relying on an adequacy decision, the responsibility does not end at the point of transfer. You must carry out a Data Protection Impact Assessment (DPIA) when international transfers present high risks, and regularly review the legal landscape for changes that could affect your transfer mechanisms.
For organizations acting as a joint controller, it’s crucial that all parties involved agree on the roles and responsibilities related to these transfers and document them clearly. This ensures ongoing compliance and reinforces accountability throughout the data lifecycle.
In summary: International data transfers under the GDPR are never a “set and forget” process. As data controllers, we need to proactively select the right mechanisms—SCCs or adequacy decisions—while keeping comprehensive documentation and open communication with data subjects. This approach not only satisfies legal requirements but also builds trust and demonstrates your commitment to global data protection standards.
Ultimately, being a data controller under the GDPR comes with substantial responsibility and a vital role in safeguarding personal data. We’re not just making decisions about the purposes and means of processing—we’re also tasked with ensuring our actions are always backed by a lawful basis and complete transparency toward those whose information we manage.
To achieve true compliance, we must respect data subject rights, maintain up-to-date records of processing activities, and proactively assess risks using tools like a DPIA whenever necessary. Whether acting alone or as a joint controller, our commitment to these duties defines our credibility and trustworthiness in the eyes of both regulators and individuals.
By staying informed, documenting our processes, and putting people’s privacy at the heart of our operations, we transform compliance from a checkbox exercise into a competitive advantage. The journey to GDPR compliance isn’t always simple, but as data controllers, we have the opportunity—and the obligation—to get it right, every step of the way.
FAQs
Are we a controller or a processor?
Determining whether you are a data controller or a processor under the GDPR depends on your role in deciding the “purposes and means” of personal data processing. If your organization decides why (the purposes) and how (the means) personal data is collected, used, or shared, you are acting as a data controller. This means you’re responsible for identifying a lawful basis for processing, ensuring transparency, and respecting data subject rights.
If, however, you process personal data strictly on someone else’s instructions—without making decisions about the core purposes and means—you are a data processor. Processors must follow the controller’s guidance, keep records of processing, and may need to conduct a DPIA if instructed, but they don’t set the rules.
Ask yourself: Who decides what data is collected and for what reason? If that’s you, you’re likely a data controller. If you process data on behalf of someone else, you’re a processor. Sometimes, organizations can be joint controllers if they share responsibility for key decisions.
Understanding this distinction is essential for GDPR compliance—it shapes your obligations around lawful basis, transparency, records of processing, and how you respond to data subject rights. If you’re unsure, reviewing your contracts and data flows is a great place to start.
Can two organizations be joint controllers?
Yes, two organizations can absolutely be joint controllers under the GDPR. This happens when both parties together determine the purposes and means of processing personal data. In other words, they make key decisions about why and how data is processed, rather than one following instructions from the other.
When acting as joint controllers, both organizations share responsibility for ensuring a lawful basis for processing, maintaining transparency with data subjects, and upholding data subject rights. They must clearly define their respective roles in a transparent agreement and inform individuals about how their personal data is managed.
Joint controllers are also jointly accountable for records of processing activities and, where relevant, conducting a Data Protection Impact Assessment (DPIA). This collaborative approach means both organizations need to work closely to meet all GDPR obligations and safeguard data privacy effectively.
If you're considering a partnership where decisions about personal data are made together, it's important to clarify roles from the start. This helps ensure compliance, avoids confusion, and ultimately builds trust with your users and customers.
What liabilities does a controller carry?
Data controllers shoulder significant legal and operational liabilities under the GDPR, as they determine the purposes and means of processing personal data. If a controller fails to establish a lawful basis for processing, maintain transparency, or respect data subject rights, they can face substantial fines, regulatory investigations, and reputational harm.
The controller is also directly accountable for ensuring that all processing activities are well-documented, including maintaining accurate records of processing and conducting Data Protection Impact Assessments (DPIAs) when required. Any lapses, omissions, or mistakes in these duties can result in sanctions or orders to halt processing.
Joint controllers carry shared responsibility and may be held jointly liable for damages caused by non-compliance. This means that if individuals’ rights are infringed or data is mishandled, affected data subjects can claim compensation from any joint controller involved.
In summary, a data controller’s liabilities are broad and can impact both the organization’s finances and public trust. Prioritizing compliance, transparency, and robust documentation is essential for minimizing these risks.
Do controllers need a DPO?
Not every data controller is required to appoint a Data Protection Officer (DPO) under the GDPR. The obligation depends on the nature of your data processing activities. If your organization’s core activities involve large-scale, regular, and systematic monitoring of individuals, or if you process special categories of data (like health or biometric data) on a large scale, then a DPO is mandatory.
For most businesses, especially smaller ones or those not engaging in high-risk processing, the GDPR does not require a DPO. However, even if it's not legally required, having a DPO or designated privacy lead can help ensure compliance with key responsibilities, such as maintaining records of processing, conducting DPIAs when necessary, and supporting data subject rights.
Regardless of whether a DPO is appointed, data controllers must remain transparent about their purposes and means of processing, establish a clear lawful basis for each activity, and uphold all other GDPR obligations. If you operate as a joint controller, coordination regarding the appointment and responsibilities of a DPO is also essential for compliance.