
Data Controller

GDPR

The entity that determines the purposes and means of personal data processing (GDPR Art. 4(7)).

A data controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

Why it matters
Controllers carry the primary accountability for GDPR compliance and are the named respondent in regulator complaints. Misclassifying yourself as ‘processor only’ when you in fact determine purposes is a recurring enforcement theme.

Related terms

Data Processor
An entity processing personal data on behalf of a controller, governed by a written DPA (GDPR Art. 28).
Data Subject
The identified or identifiable natural person to whom personal data relates (GDPR Art. 4(1)).
Data Processing Agreement (DPA)
Contract between a controller and processor codifying GDPR Art. 28 obligations.
