Controller

Definition under Article 4(7) GDPR — the person determining the purposes and means

Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

Under Article 4(7) GDPR, the controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller bears the primary responsibility for GDPR compliance.

What is a controller?

The controller is the entity that decides why (purposes) and how (means) personal data are processed, and it therefore bears the core obligations of the Regulation, including accountability (Article 5(2)), the record of processing activities (ROPA, Article 30), handling data subject rights (Articles 12-22), personal data breach notification (Articles 33-34), the data protection impact assessment (DPIA, Article 35) and, where required, appointment of a data protection officer (DPO, Article 37). The controller is NOT the individual employee who handles the data: employees act on behalf of the controller, which remains responsible for their processing.

Practical example

Examples:
- Mustermann GmbH is the controller for its employee data (personnel files).
- Mustermann GmbH is the controller for its customer data (CRM).
- A tax advisor is an independent controller (BayLDA 2024), not a processor acting for the client.
- In a corporate group, each subsidiary GmbH is an independent controller unless joint controllership under Article 26 is expressly established; the GDPR grants no group privilege.

Frequently asked questions

What is the difference from a processor?
The controller determines the purposes and means of processing. The processor processes personal data on the controller's behalf and on its documented instructions, without setting its own purposes. The relationship must be governed by a data processing agreement (DPA) under Article 28(3). A processor that goes beyond its instructions and itself determines purposes and means is treated as a controller for that processing (Article 28(10)).
Can several controllers be jointly responsible?
Yes, under Article 26 GDPR. Where two or more controllers jointly determine the purposes and means, they must set out their respective responsibilities in a transparent arrangement (Article 26(1)) and make its essence available to data subjects. Example: the operator of a Facebook fan page and Facebook (CJEU C-210/16, Wirtschaftsakademie Schleswig-Holstein).
Who is liable in the event of a breach?
Primarily the controller: administrative fines (Article 83) plus compensation to data subjects (Article 82). A processor is additionally liable where it has failed to comply with obligations directed specifically at processors or has acted outside or contrary to the controller's lawful instructions (Article 82(2)).