
Controller

The controller is the natural or legal person, public authority or body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Under Art. 4(7) GDPR, the controller is the entity that decides on the "whether", "why" and "how" of processing personal data, that is, on its purposes and means. What matters is actual decision-making power, not a contractual label: whoever in fact determines which data are processed for which purpose and by which essential means is the controller, regardless of whether it carries out the processing itself or has it performed by third parties.

The controller bears the central set of obligations under the GDPR. These include ensuring a legal basis under Art. 6 GDPR, observing the processing principles of Art. 5 GDPR including accountability, fulfilling information and data subject rights (Art. 12 et seq. GDPR), maintaining a record of processing activities (Art. 30(1) GDPR), implementing technical and organisational measures (Art. 24, 32 GDPR), and notifying personal data breaches (Art. 33, 34 GDPR). The controller must not only guarantee compliance with these obligations but also be able to demonstrate it.

The controller must be distinguished from the processor (Art. 4(8) GDPR), who processes personal data solely on the controller's instructions and does not decide on the purposes. Their relationship must be governed by a data processing agreement under Art. 28 GDPR. Where several entities jointly determine purposes and means, joint controllership under Art. 26 GDPR applies, requiring a transparent arrangement on the allocation of duties. Correct role determination is the precondition for properly assigning liability, contracts and data subject rights.

Legal Basis

Art. 4(7) GDPR; Art. 5, 24, 26, 28 GDPR

Practical Example

A mid-sized company operates an online shop and engages an external service provider to send out newsletters. The company decides which customer data are used for which marketing purpose and is therefore the controller; the newsletter provider processes the data only on instructions and is the processor. The company's data protection officer checks whether an Art. 28 agreement exists, whether there is a legal basis for the marketing, and whether the record of processing activities correctly lists the activity as the company's own controllership.

FAQ

The controller decides on the purposes and means of processing and bears primary responsibility for GDPR compliance. The processor acts solely on the controller's instructions and does not decide on the purposes. Their relationship must be governed by a contract under Art. 28 GDPR.
Yes. Where several entities jointly determine the purposes and means of processing, joint controllership under Art. 26 GDPR applies. They must set out in a transparent arrangement who fulfils which obligations, in particular towards the data subjects.
The controller must ensure a legal basis, observe the processing principles of Art. 5 GDPR, fulfil data subject rights and information obligations, maintain a record of processing activities, implement appropriate technical and organisational measures, and notify data breaches. It must also be able to demonstrate compliance with these obligations.
