
Data Controller

Data controller meaning: a company or an individual that decides how to collect, process and use data in compliance with internet privacy laws and regulations.

What is a data controller?

By definition, a data controller determines the purpose for which and the means by which data is processed.

Who is a data controller is an equally good question in this case. In other words, the data controller is the person or legal entity that determines the purpose of the processing of personal data and how the data is processed.

In short, the data controller will be the one to dictate how and what data is going to be used.

If you are classed as a data controller, you are responsible for ensuring that you comply with the GDPR and demonstrate compliance with the regulation’s data protection principles.

The data controller is the person (or company) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller's own employees).


What are the duties of the data controller?

According to Article 24 of the GDPR, controllers have the highest level of responsibility. They must comply with and be able to demonstrate compliance with all GDPR data protection principles. Furthermore, data controllers are also responsible for the compliance of the vendors that process personal data on the controllers’ behalf.

Data controllers must:

  • take into account the purpose, nature, context, and scope of any data processing activities,
  • consider the likelihood of any severe risk to the freedoms and rights of any natural persons,
  • implement appropriate organisational and technical measures and security measures that demonstrate that the data processing activities have been performed in accordance with the GDPR,
  • review and update these measures where necessary.

Is your company a data controller?

These questions can help you determine whether your company is a data controller under GDPR.

  • We decided to collect or process the personal data.
  • We decided what the purpose or outcome of the processing was to be.
  • We decided what personal data should be collected.
  • We decided which individuals to collect personal data about.
  • We are processing the personal data as a result of a contract between us and the data subject.
  • The data subjects are our employees.
  • We have a direct relationship with the data subjects.
  • We have complete autonomy as to how the personal data is processed.
  • We have appointed the processors to process the personal data on our behalf.
