FAQs
What is a Data Controller and a Data Processor?
A data controller is the individual or the legal person (for example a company or public authority) which determines the purposes and means of the processing of personal data; in other words, the controller makes material decisions relating to the processing of personal data, such as determining the purposes for which personal data is collected, stored, used, altered and disclosed. As a result, most of the responsibilities for General Data Protection Regulation (GDPR) compliance rest with the data controller, such as providing information to data subjects, ensuring there is a legitimate basis for processing activities, giving effect to data subjects’ rights under the GDPR, and ensuring that there is appropriate security for data processed.
Where two or more entities jointly determine the purposes and means of processing, they will be joint controllers. Joint controllers must determine their respective responsibilities regarding compliance and, in particular, the exercise of the rights of data subjects. Data subjects are nonetheless entitled to exercise their rights in respect of and against each of the joint controllers.
A data processor, on the other hand, is the individual (other than an employee of the controller) or the legal person that carries out processing activities on behalf of, and in accordance with the instructions of, the controller. In other words, the data controller can provide personal data to the data processor to carry out such processing activities on its behalf. A data controller does not need the consent of data subjects to engage a processor. Arrangements between the data controller and data processor are governed by a legal agreement. Any queries an individual may have regarding the role of the processor ought to be directed back to the data controller who engaged the processor in the first place.
Some data controllers are required to have a Data Protection Officer (DPO) and others choose to have a DPO (or an assigned individual) to deal with data protection matters on their behalf. The DPO can also be contacted by individuals if they have data protection queries or concerns. If there is no DPO in a company, other persons in the company will then address any data protection queries or concerns on behalf of the data controller. It is important to note that those individuals within the organisation are not data controllers themselves; they are simply acting on behalf of the data controller.