Data Controller
Entity that determines the purposes and means of processing personal data
A Data Controller is the entity that determines the "purposes and means" of processing personal data. In simpler terms, the controller is the decision-maker that answers two fundamental questions: "Why are we collecting this data?" and "How will it be used?" While the term originates from European law, the concept is a cornerstone of global privacy regulations—though terminology varies across jurisdictions.
The legal status of a controller is determined by factual influence over processing, not contractual designation. "Purposes" refers to the intended result or objective of processing (e.g., "to process a payment" or "to target an advertisement"). "Means" encompasses the "how" of processing, including which data types are collected, storage duration, and which third parties have access. Under GDPR Article 4(7), a controller is explicitly defined as the entity which "alone or jointly with others, determines the purposes and means of the processing of personal data."
While a controller can delegate "non-essential means" (such as which software to use) to a processor, they must retain control over "essential means"—the fundamental decisions about the data's fate. If a processor begins determining the "why" or "how" itself, it becomes a controller by default and assumes full liability.
Terminology varies across jurisdictions. Under GDPR, the term is "Data Controller." California's CCPA/CPRA uses "Business" (§ 1798.140(d)), defined as an entity that "determines the purposes and means of the processing of consumers' personal information." Newer U.S. state laws like Virginia's VCDPA and Colorado's CPA have adopted the European term "Controller."
The controller-processor relationship places primary liability on the controller. Under GDPR Article 24, the controller is responsible for ensuring and demonstrating that processing complies with the regulation. A processor may only process data on the documented instructions of the controller. The controller bears 100% of the primary liability in a regulatory investigation, though they may later seek indemnity from a processor.
Identifying the Data Controller is the first step in any privacy risk assessment. Controllers bear the primary legal and financial liability for compliance, data subject rights fulfillment, and breach notifications. In M&A due diligence, determining which entity qualifies as the controller is essential for mapping liability exposure.