Data Controller

Understanding whether your organization is a data controller or a data processor is one of the most fundamental questions in GDPR compliance. Getting it wrong means misallocating responsibilities, signing the wrong contracts, and potentially facing fines for obligations you didn't know you had.

The controller bears the primary accountability for compliance — they must ensure lawful processing, respond to data subject requests, report breaches, and demonstrate compliance to regulators.

	Data Controller	Data Processor
Decides	Why and how data is processed	Nothing — follows controller's instructions
Accountability	Primary — responsible for compliance	Secondary — responsible for security and following instructions
Contract	Must provide documented instructions	Must have a Data Processing Agreement (DPA)
Breach notification	Must notify the authority within 72 hours	Must notify the controller without undue delay
Examples	Employer processing employee data, hospital managing patient records	Cloud provider hosting data, payroll service processing salaries

Controllers must:

• Determine and document the legal basis for each processing activity
• Provide transparency — inform data subjects about processing through privacy notices
• Implement appropriate security measures (technical and organizational)
• Respond to data subject requests (access, erasure, portability) within one month
• Report breaches to the supervisory authority within 72 hours
• Conduct DPIAs for high-risk processing activities
• Maintain records of processing activities (Article 30)

When two or more organizations jointly determine the purposes and means of processing, they are joint controllers (Article 26). They must transparently determine their respective responsibilities through an arrangement and make the essence of this arrangement available to data subjects.

• GDPR Article 4(7) — definition of controller
• GDPR Articles 24–31 — controller obligations
• GDPR Article 26 — joint controllers