Data Controller

Under GDPR, a data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller is responsible for compliance with all GDPR principles, must be able to demonstrate compliance (accountability), and bears the primary obligation to protect data subjects' rights. Controllers must: implement appropriate technical and organizational measures, maintain records of processing activities, conduct DPIAs where required, appoint a DPO where required, and report data breaches. When two or more controllers jointly determine purposes and means, they are 'joint controllers' and must arrange their respective responsibilities.