What is a data controller?

    Data controllers are the overarching decision-makers of personal data, deciding what to do with data and who to take it from.

    By Bronwyn McCabe

    Wed 05 Aug 2020

    GDPR defines them as 'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.'

    Basically, they're directly responsible for deciding to collect and process personal data, what your personal data will be used for, and how it will be collected. Bear in mind that they can be an individual or a large organisation; what matters is their control over personal data.

    Are data controllers the same as data processors?

    Crucially, data controllers are different to data processors. They have separate and specific requirements to follow, as per GDPR. Data controllers determine exactly what data processors do, with processors working on behalf of controllers. Typically, data processors are third parties external to the main organisation.

    Data controllers are also required to pay the data protection fee in the UK, with some exemptions.

    What are joint controllers?

    Data controllers can act alone or with another organisation. Those that work alongside others are known as joint controllers, sharing the role of data controller to decide why and how data is collected and processed. They have a duty to make clear which of the two is the main party responsible for complying with GDPR. This doesn’t mean that the other is exempt – they are also responsible for compliance with GDPR obligations – but just that one takes on primary responsibility.

    What rules do data controllers have to follow?

    The seven data protection principles

    GDPR outlines seven key data protection principles (Art. 5) that must be adhered to regarding personal data collection and processing. Data controllers, above all, must follow these seven guiding principles:
