Skip to main content
v2026.1714 entries · CC-BY 4.0
CiteLicenceEN-GB
CASRAI
Dictionary termTrack DStablev2026.2

Data controller

The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined in Article 4(7) of the GDPR.

ByCASRAI Editorial Board
· Last updated 21 May 2026

Examples

Worked examples

  • Is an instance

    A university is the controller for processing personal data of cohort participants it has recruited and consented under its own ethics approval.

  • Is an instance

    Two universities running a joint clinical study sign a joint-controller agreement under Article 26 specifying their respective responsibilities for transparency and data-subject requests.

Counter-examples

Looks similar, but isn't

  • Not an instance

    A cloud-storage provider hosting research data on infrastructure-as-a-service terms and acting only on documented instructions is a processor, not a controller.

  • Not an instance

    A statistical analyst engaged purely to run queries on a controller's behalf under instructions is not a controller.

Editorial commentary

The controller is the entity accountable for compliance with the GDPR's principles in Article 5(2) and bears primary obligations including providing transparency information, securing a lawful basis, ensuring data-subject rights, maintaining records of processing, conducting DPIAs where required, notifying breaches, and appointing a Data Protection Officer where applicable. The controller relationship is determined by the factual circumstances of who decides the why and how of the processing, not by what the parties choose to label themselves in a contract. In multi-institutional research, parties may be separate controllers (each determining their own purposes) or joint controllers under Article 26 (where they jointly determine purposes and means).

References

  • GDPR Regulation (EU) 2016/679 Article 4(7) and Article 26 joint controllers
  • European Data Protection Board Guidelines 07/2020 on the concepts of controller and processor
  • UK Information Commissioner's Office Guidance on Controllers and Processors

Also known as

controller · GDPR controller · data-protection controller

Machine-readable encodings

Use in your systems

JATS XML <role> element
xml
<role vocab="credit"
      vocab-identifier="https://casrai.org/dictionary/"
      vocab-term="Data controller"
      vocab-term-identifier="https://casrai.org/dictionary/term/data-controller" />
Schema.org DefinedTerm (JSON-LD)
json
{
  "@context": "https://schema.org",
  "@type": "DefinedTerm",
  "name": "Data controller",
  "identifier": "https://casrai.org/dictionary/term/data-controller",
  "description": "The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined in Article 4(7) of the GDPR.",
  "inDefinedTermSet": "https://casrai.org/dictionary/domain/compliance-and-regulatory/",
  "url": "https://casrai.org/dictionary/term/data-controller",
  "sameAs": [
    "controller",
    "GDPR controller",
    "data-protection controller"
  ],
  "license": "https://creativecommons.org/licenses/by/4.0/"
}

Adopted by research universities worldwide

University of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoMassachusetts Institute of Technology logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoUniversity of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoMassachusetts Institute of Technology logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logo
  • University of Cambridge logo
  • Columbia University logo
  • University of Edinburgh logo
  • Harvard University logo
  • Massachusetts Institute of Technology logo
  • University of Oxford logo
  • Princeton University logo
  • Stanford School of Medicine logo
  • University College London logo

View CASRAI adoption →