Data Controller: Definition, Obligations, and Compliance
Data Controller
A data controller is the entity that determines the purposes and means of processing personal data. Under GDPR, the controller bears primary responsibility for ensuring that personal data is processed lawfully, fairly, and transparently. Most organizations that collect customer data, employee data, or user data function as data controllers.
Controller Responsibilities
GDPR places extensive obligations on data controllers:
- Lawful basis — Establish and document a lawful basis for each processing activity (consent, legitimate interest, contractual necessity, legal obligation, vital interests, or public task)
- Transparency — Provide clear privacy notices explaining what data is collected, why, and how it is used
- Data subject rights — Facilitate rights including access, rectification, erasure, portability, and objection
- Data protection by design — Integrate data protection into systems and processes from the outset
- Breach notification — Notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and notify affected individuals when required
- Data protection impact assessments — Conduct assessments for high-risk processing activities
- Processor oversight — Ensure data processors comply with GDPR through appropriate contracts and monitoring
Joint Controllers
When two or more organizations jointly determine the purposes and means of processing, they are joint controllers under GDPR Article 26. Joint controllers must establish a transparent arrangement defining their respective responsibilities for compliance. This is common in partnerships, platform ecosystems, and data-sharing arrangements.
Why It Matters
Understanding your role as a data controller is critical because it determines your compliance obligations. Controllers cannot delegate their responsibilities to processors — they remain accountable even when processing is outsourced.
For ISO 27001, the concept aligns with information asset ownership. The organization must identify who is responsible for each category of information and ensure appropriate protections are in place.
SOC 2 evaluates how service organizations protect the data entrusted to them. Whether you are a controller or processor, demonstrating strong data governance through a SOC 2 report builds trust with customers and partners.
Organizations that misidentify their role — treating themselves as processors when they are actually controllers — face significant compliance risk, as they may fail to meet obligations they did not realize applied to them.