August 9, 2025
The General Data Protection Regulation (GDPR), in Article 4(7), defines a controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (European Parliament and Council, 2016). The role therefore carries responsibility for deciding why personal data is processed (the purposes) and how it is processed (the means). A controller not only identifies the purpose of the processing but also determines what data is necessary to achieve that purpose, consistent with the data minimisation principle in Article 5(1)(c).
For instance, a small business that handles customer information to fulfil shipping orders is a controller: it decides the purpose (shipping products) and determines what data (e.g., name and delivery address) is necessary. When that business outsources shipping to a third party, the third party acts as a processor under Article 4(8), carrying out the processing on behalf of the controller without deciding its purposes or means. Two caveats matter in practice. First, a processor must act only on the controller's documented instructions (Article 28(3)(a)). Second, a processor that begins to determine the purposes and means of processing for itself is treated as a controller for that processing (Article 28(10)), so the label depends on what the party actually decides, not on what the contract calls it.
The GDPR requires that a controller have a lawful basis for each processing activity. Article 6(1) lists six: the data subject's consent; performance of a contract with the data subject; compliance with a legal obligation; protection of vital interests; performance of a task carried out in the public interest or in the exercise of official authority; and the legitimate interests of the controller or a third party, except where overridden by the interests or fundamental rights of the data subject.
Controllers must ensure that processing is lawful, fair, and transparent (Article 5(1)(a)). They must also implement appropriate technical and organisational measures to protect personal data against unauthorised access, misuse, or disclosure (Article 32), and to build data protection into processing by design and by default (Article 25). Under the accountability principle in Article 5(2), the controller is responsible for compliance with these principles and must be able to demonstrate it (Voigt & von dem Bussche, 2017).
Key responsibilities of a data controller therefore include establishing and documenting a lawful basis for each processing activity; informing data subjects transparently about the processing; limiting the data collected to what the stated purpose requires; securing the data with appropriate technical and organisational measures; and being able to demonstrate compliance to a supervisory authority.
Failure to fulfil these duties can result in significant penalties: under Article 83(5), infringements of the basic processing principles, the lawful-basis requirements, or data subjects' rights can attract administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
This framework clearly delineates the role of the data controller as central to GDPR compliance, ensuring control over personal data processing while protecting individual privacy rights.
References:
European Parliament and Council. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
Voigt, P., & von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR): A Practical Guide. Springer. https://link.springer.com/book/10.1007/978-3-319-57959-7