
Data Controller

A data controller is the entity that determines the purpose and means of processing personal data and is responsible for compliance, governance, and accountability obligations.


What is a Data Controller?

A data controller is the organization or individual that decides why and how personal data is processed. Under the General Data Protection Regulation (GDPR), controllers are responsible for ensuring processing is lawful, transparent, secure, and aligned with individual rights. Controllers may engage data processors to act on their behalf, but remain accountable for defining processing purposes, establishing requirements, approving vendors, and determining retention periods. Common examples of data controllers include employers, healthcare providers, online service providers, retailers, and government agencies.


Why Data Controllers matter

Data controllers play a foundational role in protecting individuals’ privacy and ensuring responsible data use. They must implement governance processes, document processing activities, conduct risk assessments, and maintain appropriate safeguards across the personal data lifecycle.

Controllers are also responsible for responding to rights requests, managing incidents, and demonstrating compliance to regulators as required by global privacy laws.

Clear controller responsibilities help build trust, improve transparency, and strengthen accountability for how personal information is handled.


How Data Controllers are involved in practice

  • Determining the lawful basis for personal data processing
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Managing vendor due diligence when engaging data processors
  • Publishing privacy notices and informing individuals of their rights
  • Handling Data Subject Access Requests (DSARs) and other rights workflows
  • Documenting processing activities to meet GDPR Article 30 requirements



How OneTrust helps Data Controllers

OneTrust helps data controllers operationalize privacy compliance by automating assessments, managing rights requests, documenting processing activities, and centralizing evidence for regulatory reporting. The platform supports governance, transparency, and accountability across global privacy frameworks.


FAQs about Data Controllers


What is the difference between a data controller and a data processor?

A data controller determines the purpose and means of processing, while a data processor acts on behalf of the controller and follows its documented instructions.

Can an organization be both a data controller and a data processor?

Yes. Many organizations act as a controller for their internal data processing and as a processor when delivering services to clients.

What does the GDPR require of data controllers?

The GDPR requires controllers to maintain accountability, conduct assessments, secure data, manage vendors, and uphold individual rights throughout the processing lifecycle.
