Data Controller

A data controller is an individual or organization that manages how data is processed and is responsible for complying with data protection regulations. The controller, whether one person or an entire business, is responsible for writing an organization’s privacy policy, which details what data that organization collects, how it uses the data, and where it sends the data. Data controllers manage data processors, dictating how the organization analyzes and uses personal data such as contact information, addresses, and identification numbers.

The term data controller typically references the General Data Protection Regulation (GDPR) and its requirements for data protection; this role originated from European data protection laws. The GDPR necessitated data controllers when it laid down stringent requirements for personal data use in 2018.

Requirements for data controllers under the GDPR

The GDPR, which applies to not only the entire European Union but also to all countries that have businesses or customers in Europe, is specifically designed to protect individuals and their personal information. Therefore, it is extremely stringent on organizations. Businesses had to scramble to comply with the requirements, including many United States businesses. Data controllers have many responsibilities; these are just a few.

The GDPR requires that businesses have at least one good reason for collecting someone’s personal data. The business’s data controller must be able to demonstrate that good reason. The six reasons or “lawful bases” for collecting personal data are:

  • Consent, given to the company by the individual
  • Contract that is made between an organization and individual and requires personal data
  • Compliance with a legal obligation (having to provide someone’s data to the government by law)
  • Protection of an individual’s vital interests
  • Public tasks that require personal data to be processed (an organization needs an email address to follow up with a customer regarding a specific service)
  • Protection of the organization’s legitimate interest, typically for legal purposes

Data controllers must also keep detailed records of the data they collect, where they are sending it, and how they are using it. They’re required to have those records available in writing. If they are selling data to any third parties, they must document exactly who and for what purpose. Individuals (or, as the GDPR calls them, data subjects) must be able to access that information, too.

Data controllers must also make their contact information readily available to data subjects, who can then contact the data controller with questions regarding their personal data and how it is used.

The GDPR sets requirements for organizations to appoint a Data Protection Officer (DPO): this may be the responsibility of a data controller. An organization must appoint a DPO if it handles large amounts of sensitive data (such as a large medical facility or financial institution) or collects copious amounts of data regularly, including frequent monitoring or surveillance.

GDPR requirements for US companies

An important note for businesses in the United States: if US companies have EU customers, EU branches of business, EU employees, or even a presence in EU nations, GDPR regulations are indeed applicable to them as well. California’s CCPA has similar requirements. This means that the above requirements for data controllers and possibly data protection officers apply to U.S. businesses, as well as any business that has EU customers. Even a company in the United States that has a large online presence or email marketing campaign, such as a department store, is probably subject to the GDPR because it’s likely to have EU customers online.

Jenna Phipps
Jenna Phipps
Jenna Phipps is a writer for, Enterprise Storage Forum, and CIO Insight. She covers data storage systems and data management, information technology security, and enterprise software solutions.

Related Articles

Special Character

A special character is one that is not considered a number or letter. Symbols, accent marks, and punctuation marks are considered special characters. Similarly,...


Table of contents What is Software? History of Software Software vs. Hardware Software vs. Hardware Comparison Chart What Types of Software Exist? Saas vs....

Email Address

What is an Email Address? An email address is a designation for an electronic mailbox that sends and receives messages, known as email, on a...

Information Technology (IT) Architect

The information technology architect applies IT resources to meet specific business requirements. The role requires a high degree of technical expertise as well as...


Geotargeting is a method of delivering data or content to users based on...

Agile Project Management

Agile project management enables business teams to approach their projects and tasks with...

Private 5G Network

A private 5G network is a private local area network (LAN) that utilizes...