GDPR Data Controller: A Beginner’s Guide to Key Traits and Responsibilities

Kevin Henry

Data Privacy

April 03, 2025

6-minute read

Definition of Data Controller

A GDPR data controller is the entity—company, public body, or individual—that determines the purposes and essential means of processing personal data. If you decide why data is collected and how it will be used, you are acting as the controller.

Controllers may act alone or as joint controllers when two or more parties jointly determine purposes and means. By contrast, a processor acts on your documented instructions to handle data on your behalf.

Key Traits of Data Controllers

  • Decision authority: You set the purposes and key parameters of processing, selecting processors and tools that align with those goals.
  • Accountability Principle: You must not only comply but be able to demonstrate compliance through records, evidence, and governance.
  • Data Protection by Design and by Default: You embed privacy into systems and processes from the outset and limit data to what is necessary.
  • Risk-based mindset: You assess risks to individuals, perform DPIAs for high-risk activities, and adapt controls to context.
  • Vendor and transfer stewardship: You establish Data Processing Agreements with processors and manage cross-border transfers via Standard Contractual Clauses or Binding Corporate Rules where appropriate.
  • Transparency orientation: You provide clear notices, honest choices, and easily exercised rights for individuals.

Responsibilities of Data Controllers

  • Choose and document a lawful basis for each purpose before processing begins and record it in your records of processing.
  • Provide transparent privacy information that is concise, intelligible, and tailored to the audience.
  • Enable data subject rights end to end—intake, verification, assessment, response, and fulfillment—within statutory timeframes.
  • Implement appropriate Technical and Organizational Measures, test their effectiveness, and train staff regularly.
  • Manage processors via robust Data Processing Agreements that define scope, security, sub-processing, audits, and return/erasure of data.
  • Handle international data transfers lawfully using Standard Contractual Clauses, Binding Corporate Rules, and supplementary measures when needed.
  • Define retention schedules, minimize data, and securely delete or anonymize when no longer needed.
  • Apply the Accountability Principle through governance: DPIAs, risk registers, incident playbooks, and periodic compliance reviews.

Lawful Basis for Processing

You must select one lawful basis per purpose and stick with it. The six lawful bases are:

  • Consent: Freely given, specific, informed, and unambiguous, with easy withdrawal.
  • Contract: Necessary to perform or enter into a contract with the data subject.
  • Legal obligation: Required by law to which you are subject.
  • Vital interests: Necessary to protect someone’s life.
  • Public task: Necessary for tasks in the public interest or official authority.
  • Legitimate interests: Your interests balanced against individuals’ rights, supported by a Legitimate Interests Assessment.

For each purpose, assess necessity, identify the appropriate basis, document your rationale, and reflect it in privacy notices. If relying on consent, maintain granular records; if relying on legitimate interests, record your balancing test and safeguards.

Data Subject Rights

As a controller, you must enable and respond to requests typically within one month (with limited extensions for complexity), free of charge unless requests are manifestly unfounded or excessive.

  • Right of access: Provide a copy of personal data and key processing details.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Delete data when criteria apply (e.g., withdrawal of consent, no longer necessary).
  • Restriction: Limit processing while accuracy or objections are assessed.
  • Portability: Provide commonly used, machine-readable data when processing is based on consent or contract and by automated means.
  • Objection: Stop processing based on legitimate interests or public task unless you demonstrate compelling grounds; always honor objections to direct marketing.
  • Automated decision-making/profiling: Provide safeguards, human review where required, and clear explanations.

Security Measures

You must implement and maintain appropriate Technical and Organizational Measures proportionate to risk, and review them regularly for effectiveness.

  • Technical controls: Encryption at rest and in transit, pseudonymization, network segmentation, secure configurations, patching, and continuous monitoring.
  • Identity and access management: Least privilege, role-based access, MFA, periodic access reviews, and logging.
  • Operational safeguards: Secure SDLC, vulnerability management, change control, tested backups, and incident response playbooks.
  • Organizational measures: Policies, role-based training, vendor risk management, and Data Protection by Design integrated into project gates.
  • Lifecycle controls: Data minimization, retention and deletion of personal data, and validation of processor TOMs via audits or attestations.

Data Breach Notification

A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Your first step is containment and impact assessment.

  • Assess risk to individuals: Determine likelihood and severity of harm (e.g., identity theft, financial loss, discrimination).
  • Notify the supervisory authority: Notify the competent authority without undue delay and, where feasible, within 72 hours of becoming aware, including the required details and the reasons for any delay.
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms; explain what happened, likely consequences, and steps they can take.
  • Document every breach in a register, even those not notified, and implement corrective actions to prevent recurrence.
  • For cross-border cases, coordinate with the lead supervisory authority and ensure consistent messaging across jurisdictions.

In practice, strong prevention, clear roles, rehearsed playbooks, and timely transparency are your best tools. By applying the Accountability Principle, robust TOMs, and Data Protection by Design, you reduce breach likelihood and impact while proving compliance.

FAQs

What are the main responsibilities of a GDPR data controller?

You decide the purposes and means of processing, select and supervise processors, choose and document a lawful basis, provide transparent notices, enable data subject rights, implement appropriate Technical and Organizational Measures, manage transfers using tools like Standard Contractual Clauses or Binding Corporate Rules, and maintain evidence of compliance under the Accountability Principle.

How does a data controller establish lawful bases for processing?

Map each purpose, test necessity, select the appropriate basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests), record the rationale, and reflect it in privacy notices. For consent, capture and manage opt-ins; for legitimate interests, conduct a balancing test and apply safeguards; keep your records up to date.

What security measures must a data controller implement?

Adopt risk-appropriate Technical and Organizational Measures, including encryption, pseudonymization, access controls, MFA, monitoring, secure development, backups, incident response, staff training, vendor oversight, and Data Protection by Design and by Default. Review effectiveness regularly and adjust controls as risks evolve.

When must a data breach be reported by a data controller?

You must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. If the breach is likely to result in a high risk to individuals, you must also inform affected data subjects without undue delay and document the incident and your response.
