AuditFront

Data Controller

Under GDPR, the entity that determines the purposes and means of processing personal data. The data controller decides why personal data is collected and how it will be used, and bears primary responsibility for compliance with data protection obligations.

A data controller is the organization or individual that makes decisions about how and why personal data is processed. In a typical SaaS context, the SaaS company's own customer is often the data controller — they decide to use the SaaS product to process their end users' personal data, and they determine the purposes of that processing.

The controller has extensive obligations under GDPR, including ensuring lawful processing, maintaining transparency with data subjects, implementing appropriate security measures, conducting Data Protection Impact Assessments for high-risk processing, maintaining records of processing activities, and notifying supervisory authorities of data breaches within 72 hours.

The distinction between data controller and data processor is fundamental to GDPR compliance, but it can be nuanced. A single organization can be a controller for some processing activities and a processor for others. For example, a SaaS company is typically a data processor for its customers' data, but a data controller for its own employee data and marketing contact lists. Understanding which role you occupy for each processing activity determines your legal obligations.
