
Data Controller

What does data controller mean?

A data controller is the entity, such as an individual, company, government agency, or organization, that determines why and how personal data is processed. While the term "data controller" is defined in detail under the EU General Data Protection Regulation (GDPR), similar roles exist in other data protection laws worldwide.

For example, under Brazil’s LGPD, the equivalent term is "controller"; South Africa’s POPIA and India’s DPDP Act also describe similar responsibilities for entities deciding the purpose and means of processing personal data. Regardless of the jurisdiction, the controller role usually holds the primary accountability for data privacy compliance and for safeguarding individuals' rights.

How does a data controller work?

Data controllers operate by setting the rules around data collection, usage, storage, and sharing. They define the legal basis for processing (such as consent, contract, or legitimate interest), choose what personal data is collected, how it's processed, and who has access to it.

In many frameworks, controllers may appoint data processors to carry out operations on their behalf, but they remain accountable. For example, a retailer deciding to collect customer emails for marketing is the data controller, even if a third-party email service sends out the campaigns; the email service's role is that of a data processor.

The data controller plays a critical role in data privacy governance.

  • Accountability: Controllers are typically the primary point of accountability for compliance under most privacy laws.
  • Transparency: They are responsible for informing individuals about how their data is used and for responding to data subject rights.
  • Risk Management: Controllers must implement safeguards and ensure that any third-party processors also respect applicable data protection standards.

Whether operating under GDPR, CCPA, LGPD, POPIA, or other frameworks, the controller's obligations are central to protecting individuals' data and maintaining lawful data practices.

FAQs about data controller

Can an organization be both a data controller and a data processor?

Yes, an organization can act as both a data controller and a data processor, but not for the same processing activity. For instance, a company may be a controller for its employee data and a processor when handling client data on behalf of another organization.

How do I know if my organization is a data controller?

An organization is a data controller if it decides the purposes and means of processing personal data. If it dictates why and how data is processed, it holds the role of a controller.

What is the difference between a data controller and joint controllers?

A data controller independently determines the purposes and means of processing, while joint controllers collaborate and jointly decide on these aspects. In such cases, they must transparently define their respective responsibilities.

Is a data controller responsible for its data processors?

Yes, data controllers are responsible for ensuring that data processors they engage comply with data protection laws. They must have appropriate contracts in place and monitor the processor's activities to ensure compliance.

Can a data controller outside a jurisdiction still be subject to its privacy law?

Yes, and many privacy laws apply extraterritorially. For instance, GDPR and LGPD can apply to companies outside the EU or Brazil if they handle personal data of residents from those regions.