A Data Controller is a natural or legal person, public authority, agency or other body (a company, organization, institution or individual) that, alone or jointly with others, determines the purposes and the means of processing personal data. The controller, not the Data Processor, decides why the data is processed and how.
A Data Controller is obligated to implement appropriate technical and organizational measures and to be able to demonstrate that processing is performed in accordance with the GDPR or any other applicable data protection law (the accountability principle).
A Data Controller is also responsible for fulfilling data subject requests regarding their personal information (access, rectification, erasure and the other data subject rights). The controller is further responsible for the safekeeping of the data, for defining data retention and data destruction policies, for maintaining the records of processing activities, and carries the primary legal responsibility for a personal data breach, including the obligation to notify the supervisory authority and, where required, the affected data subjects.
A Data Controller is held accountable for data processing carried out on its behalf by a Data Processor and must ensure that a written contract or other legal act (the data processing agreement required by Article 28 GDPR), together with other appropriate measures, binds the processor to GDPR-compliant handling of the personal data.
Data Subjects can file a complaint with a supervisory authority and claim compensation from both the Data Controller and the Data Processor; a processor is liable where it has not complied with the obligations the GDPR places specifically on processors or has acted outside or contrary to the controller's lawful instructions.
Difference between Data Controller and Data Processor
✅ The Data Controller determines the purposes and the means of data processing, not the Data Processor
✅ The Data Processor acts on the Data Controller's documented instructions; although it may make certain decisions about non-essential aspects of how the processing is carried out (for example the tooling or hosting used), it has limited control over the data
✅ The Data Processor has no purpose of its own for processing that particular set of data; if it starts processing the data for its own purposes, it becomes a Data Controller for that processing
✅ The Data Processor and the Data Controller have different sets of responsibilities under the GDPR