GDPR Compliance

What Is a Data Controller Under GDPR?

Art. 4(7) GDPR defines the data controller as the entity that determines processing purposes and means. Understand your obligations, liability, and real examples.

The data controller is the central figure in GDPR compliance. Art. 4(7) GDPR defines the controller as the entity that “determines the purposes and means of the processing of personal data.” Every obligation in the regulation – from transparency notices to breach notification, from data subject rights to security measures – falls primarily on the controller. Misidentifying who the controller is leads to gaps in compliance, unenforceable contracts, and regulatory liability. The CJEU has issued multiple rulings clarifying controller status, including the landmark Fashion ID decision (C-40/17, 29 July 2019), which established that even embedding a third-party plugin can make an organization a controller for the data collected through it. This article defines the data controller concept, distinguishes it from processors and joint controllers, and maps the controller’s obligations under GDPR.

Key Takeaways

  • The data controller is the entity that determines the purposes and means of processing – factual control matters more than contractual labels.
  • Controller status carries the heaviest GDPR obligations: lawful basis, transparency, data subject rights, security, breach notification, and accountability.
  • The distinction between controller, processor, and joint controller has direct consequences for liability, fines, and contractual requirements.
  • Organizations can be controllers for some processing activities and processors for others – the role is determined per processing activity, not per organization.

Art. 4(7) GDPR defines the controller as:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Two elements are decisive: purposes (why the data is processed) and means (how the data is processed). The EDPB Guidelines 07/2020 on the concepts of controller and processor clarify that determining the “essential means” – the type of data, the duration of processing, the categories of recipients, and the categories of data subjects – is the hallmark of controller status. “Non-essential means” – technical implementation details like specific software or security measures – may be delegated to a processor without transferring controller status.

Factual control over contractual labels

The CJEU has consistently held that controller status is a factual determination, not a contractual one. In Wirtschaftsakademie Schleswig-Holstein (C-210/16, 5 June 2018), the Court found that a company administering a Facebook fan page was a joint controller with Facebook because it influenced the purposes of processing visitor statistics, even though it had no access to the underlying data and Facebook’s terms gave it no contractual control.

This means that labeling yourself as a “processor” in a contract does not make you one. If you determine the purposes and essential means of processing, you are a controller regardless of how the contract is structured. Supervisory authorities regularly reclassify organizations that have mislabeled their roles.

Controller vs Processor vs Joint Controller

Understanding the controller’s role requires distinguishing it from two related concepts.

Controller vs processor

The data processor processes personal data “on behalf of the controller” under Art. 4(8) GDPR. The processor acts on the controller’s instructions and does not determine purposes or essential means independently.

Factor                              | Controller                                | Processor
------------------------------------|-------------------------------------------|---------------------------------------------------
Determines purposes                 | Yes                                       | No
Determines essential means          | Yes                                       | No
Determines technical means          | May delegate                              | May choose
Direct obligations to data subjects | Yes (Art. 12-22)                          | No (except limited Art. 28 duties)
Breach notification to DPA          | Yes (Art. 33)                             | Must notify controller (Art. 33(2))
Fine exposure                       | Up to EUR 20M / 4% turnover (Art. 83(5))  | Up to EUR 20M / 4% turnover for direct obligations
Must maintain ROPA                  | Yes (Art. 30(1))                          | Yes, but narrower scope (Art. 30(2))

Practical example: A company (controller) engages a cloud hosting provider (processor) to store customer data. The company decides what data to collect, why, and for how long. The hosting provider follows instructions on storage location, access controls, and retention – but does not decide what data to process or for what purpose.

Joint controllers under Art. 26

When two or more controllers jointly determine the purposes and means of processing, they are joint controllers under Art. 26 GDPR. Joint controllers must enter into an arrangement that defines their respective responsibilities, particularly regarding data subject rights and information obligations under Art. 13 and Art. 14.

The CJEU’s Fashion ID decision (C-40/17, 29 July 2019) established that joint controllership can arise even where one party has no access to the personal data. Fashion ID embedded a Facebook “Like” button on its website, which transmitted visitor data to Facebook. The Court held that Fashion ID and Facebook were joint controllers for the collection and transmission of data, even though Fashion ID never accessed the data Facebook received.

Key implication: If you embed third-party tracking pixels, social media widgets, or analytics scripts on your website, you may be a joint controller with the third-party provider for the data collected through those tools.

Controller Obligations Under GDPR

The controller bears primary responsibility for GDPR compliance. Art. 24(1) states that the controller must “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

Lawful basis (Art. 6)

The controller must identify and document a lawful basis for each processing activity. The six bases under Art. 6(1) are: consent (a), contractual necessity (b), legal obligation (c), vital interests (d), public interest (e), and legitimate interest (f). The choice of legal basis determines the controller’s further obligations – consent triggers Art. 7 requirements; legitimate interest requires a balancing test.

Transparency (Art. 13 and Art. 14)

The controller must provide data subjects with comprehensive information about processing: the controller’s identity, purposes, legal basis, recipients, retention periods, data subject rights, and whether data is transferred outside the EEA. This information must be provided at the time of data collection (Art. 13) or within a reasonable period if data is obtained indirectly (Art. 14).

Data subject rights (Art. 12-22)

The controller must respond to data subject requests within one month under Art. 12(3). This includes access requests under Art. 15, rectification (Art. 16), erasure under Art. 17, restriction (Art. 18), portability (Art. 20), and objection (Art. 21). The controller cannot delegate these obligations to the processor – the controller must have processes in place to receive, verify, and respond to requests.

Security (Art. 32)

The controller must implement technical and organizational security measures appropriate to the risk. Art. 32(1) references pseudonymization, encryption, confidentiality, integrity, availability, resilience, and regular testing. The controller is liable for security failures even if the breach occurs at the processor level – Art. 82(2) establishes joint liability.

Breach notification (Art. 33 and Art. 34)

The controller must notify the supervisory authority within 72 hours of becoming aware of a breach likely to result in a risk to individuals. Where the breach poses a high risk, the controller must also notify affected data subjects. For a detailed guide, see our article on GDPR breach notification within 72 hours.

Accountability (Art. 5(2) and Art. 24)

The controller must be able to demonstrate compliance. This requires documented policies, a record of processing activities, data protection impact assessments where required (Art. 35), and documented decisions on legal basis, retention, and security measures.

When Are You a Controller? Real Examples

Example 1: SaaS company. A SaaS company collecting user account data, usage analytics, and payment information to provide its service is the controller for that processing. It determines the purposes (service delivery, billing, product improvement) and the essential means (what data to collect, how long to retain it).

Example 2: Employer. An employer processing employee data for payroll, performance management, and benefits administration is the controller. The payroll provider is a processor acting on the employer’s instructions.

Example 3: Online marketplace. A marketplace platform that allows third-party sellers to list products is typically a controller for buyer account data and a joint controller (with sellers) for transaction data, because both the platform and the seller determine purposes for the transaction processing.

Example 4: Website operator with analytics. A website operator using Google Analytics is the controller for the analytics data. The CNIL and Austrian DSB have both confirmed that the website operator determines the purpose (analyzing visitor behaviour) and the means (implementing the tracking code). Google may also be a controller for its own purposes.

Enforcement Against Controllers

Fines under GDPR are directed primarily at controllers because they bear primary compliance responsibility.

DPC Ireland, Decision IN-18-12-2, 22 May 2023, EUR 1.2 billion against Meta Platforms. The DPC held Meta as controller for EU-US data transfers of Facebook user data without adequate safeguards.

CNIL, Deliberation SAN-2023-009, 29 June 2023, EUR 40 million against Criteo. The CNIL found that Criteo, as controller for its advertising data processing, failed to demonstrate valid consent for tracking cookies and lacked adequate consent records.

AEPD, Decision PS/00488/2021, 3 October 2022, EUR 8.15 million against CaixaBank. The AEPD held CaixaBank as controller responsible for processing customer data without adequate legal basis and insufficient transparency notices.

FAQ

Can an organization be both a controller and a processor?

Yes. An organization’s role is determined per processing activity, not globally. A cloud provider is a processor when hosting customer data on the customer’s instructions but is a controller for its own employee data and for any processing it conducts for its own purposes (e.g., service improvement analytics using aggregated customer data). The EDPB Guidelines 07/2020 confirm this activity-level determination.

What is the difference between a controller and a DPO?

The controller is the organization (legal entity) responsible for compliance. The DPO is an individual appointed under Art. 37 to advise the controller, monitor compliance, and serve as a contact point for the supervisory authority. The DPO does not absorb the controller’s liability – the controller remains responsible for implementing the DPO’s recommendations and for all compliance obligations.

Who is liable when a processor causes a data breach?

Both the controller and the processor may be liable. Art. 82(2) GDPR states that a processor is liable for damage caused by processing only if it has not complied with processor-specific obligations or has acted outside the controller’s instructions. The controller is liable for failing to select an adequate processor (Art. 28(1) requires choosing processors that provide “sufficient guarantees”) and for failing to supervise the processor’s compliance. In practice, supervisory authorities fine the controller for security and breach notification failures, regardless of whether the processor was at fault.

How do I determine if I am a controller or a processor for a specific processing activity?

Apply the EDPB’s two-part test from Guidelines 07/2020: (1) Do you determine the purpose of the processing – why the data is processed? (2) Do you determine the essential means – what data is processed, which data subjects are affected, how long data is retained, and who receives it? If yes to both, you are the controller. If you act solely on another entity’s instructions regarding purpose and essential means, you are the processor. If you and another entity jointly determine purpose and means, you are joint controllers under Art. 26.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.