Data Controller
Definition
The entity that determines the purposes and means of processing personal data—essentially, the decision-maker regarding data processing. This is a legal classification under GDPR and similar laws that determines responsibility and obligations. Controllers decide what data to collect, why to collect it, how to use it, who to share it with, and how long to keep it. Being a data controller isn't about physical possession but about authority and decision-making. A small company with limited technical infrastructure can still be a controller if it makes these decisions. Controllers must comply with all data protection principles, establish lawful bases for processing, implement appropriate security, respect data subject rights, maintain processing records, appoint DPOs when required, and demonstrate accountability. When using service providers, controllers must ensure they act only as processors under written contracts. Understanding your role as controller versus processor is fundamental to compliance.
Applicable Laws & Regulations
- GDPR Article 4(7) - Controller definition
- GDPR Article 24 - Responsibility of the controller
- GDPR Article 26 - Joint controllers provisions