Controller (Data Controller)

Definition

An entity that determines the purposes and means of processing personal data—in other words, the entity that decides why and how personal data is processed. The controller is the primary responsible party under privacy laws like GDPR, bearing obligations to comply with data protection principles, ensure lawful basis exists, provide transparency, honor data subject rights, implement security measures, and demonstrate accountability. Being a controller isn't about physical possession of data but about decision-making authority. If you decide what data to collect, how to use it, who to share it with, and how long to keep it, you're a controller. Multiple entities can be joint controllers if they jointly determine processing purposes and means. Controllers must use processors carefully, ensuring data processing agreements are in place. Understanding controller status is fundamental to privacy compliance—it determines your obligations and liability.

Applicable Laws & Regulations

  1. GDPR Article 4(7) - Definition of controller
  2. GDPR Article 24 - Responsibility of the controller
  3. GDPR Article 26 - Joint controllers
