Data Controller
Data Protection
Definition
An entity that, alone or jointly with others, determines the purposes and means of processing personal data.
Technical Details
A Data Controller is an entity, which can be an individual or an organization, that determines, alone or jointly with others, the purposes for which and the means by which personal data is processed. The role is defined in data protection laws such as the General Data Protection Regulation (GDPR), where it is distinguished from the Data Processor, which processes personal data only on the controller's documented instructions. The Data Controller is accountable for ensuring that processing complies with legal requirements, for protecting the rights of data subjects, and for implementing appropriate technical and organizational measures to safeguard personal data. Under the GDPR those measures are assessed against the risk of the processing and include, for example, pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of the measures' effectiveness. The controller decides how data is collected, used, stored, and shared, must be able to demonstrate that its processing is transparent and accountable, and retains this accountability even when it outsources the processing itself to a processor.
Practical Usage
In practice, Data Controllers must implement data protection policies and procedures to handle personal data responsibly. They are required to maintain records of their processing activities, to conduct Data Protection Impact Assessments (DPIAs) before starting processing that is likely to result in a high risk to individuals, and to inform data subjects about the processing and their rights. Controllers are also the party that must notify the supervisory authority of a personal data breach, under the GDPR without undue delay and where feasible within 72 hours of becoming aware of it, and must notify affected data subjects where the breach is likely to result in a high risk to them. Data Controllers often engage Data Processors, entities that process data on the controller's behalf, and must put a written contract in place that governs this relationship: it must confine the processor to the controller's documented instructions, bind its staff to confidentiality, require appropriate security measures, control the use of sub-processors, and oblige the processor to assist the controller with data subject rights and breach notification. A Data Protection Officer (DPO) must be appointed in certain cases, for example by public authorities or where the core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, and may be appointed voluntarily otherwise, to oversee compliance and act as a point of contact for data subjects and supervisory authorities.
Examples
- A hospital (Data Controller) managing patient records, determining how patient data is collected, processed, and shared with other healthcare providers. A cloud hosting provider that merely stores those records on the hospital's instructions is a Data Processor, not a controller.
- An e-commerce company (Data Controller) deciding how customer data is used for order processing, marketing, and analytics, even where the actual analytics are run by a third-party service acting as its processor.
- A social media platform (Data Controller) setting policies on user data collection, its use for targeted advertising, and its sharing with third parties.