What is a data controller?

A data controller is a person or legal entity that determines how and why personal data is processed. In other words, anyone or anything that decides on the purposes behind and means of data processing is called a data controller in line with Chapter 1. Article 4.7 of the General Data Protection Regulation (GDPR).

What are the duties of a data controller?

A data controller ensures that personal data is stored, processed, and used in accordance with the GDPR. The data controller monitors and supervises the work of the data processor, overseeing how personal data is used. Here are some examples of data-controller duties and responsibilities:

  • Entering into formal agreements with data processors, requiring them to act exclusively on the data controller’s instructions and comply with any security requirements imposed on the data collector.
  • Deciding whether to collect personal information from individuals and confirming they have a legal right to do so.
  • Notifying their national authority before engaging in any data processing.
  • Deciding what personal information to collect.
  • Deciding whether to modify collected data.
  • Deciding where to use collected data, how, and in the service of what purpose.
  • Deciding whether to store personal data and where to store it (in-house or with third parties).
  • Deciding with whom to share personal data, if anyone.
  • Determining how long to keep data.
  • Complying with EU (European Union) data protection principles.
  • Communicating to data-collection targets the controller’s identity, what personal data is collected, and to what ends.

Is a data controller always a data collector?

In effect, yes, a compliant data collector will always be a data controller. This is because it’s the data controller that determines the purposes and means of data collection. Data processors, who may well be the ones to retrieve a target’s personal information when asked, act under the supervision of a data controller.


What is an example of a data controller?

A bookstore is hosting a special event for its loyalty program members and hires a printing company to design and print some invitations. The bookstore sends the printing company the names and addresses (personal data) of loyalty program members from its database. This data is used to make and send the invitations.

The bookstore is the controller of the personal information (names and addresses) in this case. It’s the bookstore that has determined the purpose behind and method of data collection, the printing company is responsible only for processing personal data in accordance with the bookstore’s instructions, making the printing company a data processor.

What is a GDPR data controller?

A GDPR (General Data Protection Regulation) data controller is an individual or legal entity that’s responsible for determining the purposes and means of processing data collected from individuals (also known as targets).

What is the difference between a data controller and a processor?

In general, the difference between a data controller and a data processor is that a data controller decides how and to what ends personal data is collected, processed, and stored, whereas a data processor is engaged and supervised by the controller exclusively to handle the processing of that data.

What is the difference between a data owner and a data controller?

There is no difference between a data owner and data controller in situations in which there is no true data owner. The data owner typically holds the legal rights to and has complete control over data elements. If no entity or individual is explicitly tasked with data ownership, then this role defaults to the data controller.

What can a data controller do?

A data controller can determine the purposes for and means of data collection. In the absence of a dedicated data owner, the data controller also takes ownership of the collected data. A data controller decides what data is collected and from whom, where and how that data is stored, and with whom it’s shared.

Does a data controller collect data?

A data controller decides on what data is collected, how it’s collected, and to what ends it’s collected. They monitor how the data processor processes the data, ensuring compliance with relevant data protection laws. In effect, the data controller is responsible for data collection.

Is Google a data controller or processor?

Whether Google is a data controller or processor depends on the personal data in question. There are contexts in which it is a data controller, collecting its targets’ personal data and ensuring compliance, but there are also contexts in which it acts as the data processor, processing data on behalf of data owners or data controllers.

Is Microsoft a data controller or processor?

Microsoft can be both a data controller and processor, depending on the source of the data and the reason for its collection. In some cases Microsoft is indeed a data controller, collecting data and ensuring the compliance of the processing of that data. In others, it’s the data processor, processing another data owner’s or controller’s data.

Does every company need a data controller?

Every company that collects, processes, and/or uses individuals’ personal data in the EU (European Union) or any other jurisdiction with data privacy legislation similar to the EU’s GDPR (General Data Protection Regulation) needs a data controller to remain compliant.

Updated on: August 17, 2023

Is this article helpful?
Scroll to Top