v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

Data controller

A data controller is the entity that determines the purposes and means of processing personal data — the party that decides why and how data is used.

CASRAI research-methods explainer — Data controller

Deciding the why and the how

The defining test for a controller is decision-making power. A controller determines the purposes of processing — the reasons data is used — and the essential means, such as which data is collected and for how long it is kept. This is a functional question rather than a matter of job title: whoever genuinely exercises that control is the controller, regardless of contractual labels. A university running a study, for example, is typically the controller for the personal data it gathers from participants.

Accountability and obligations

Because controllers set the purposes of processing, GDPR places primary accountability on them. They are responsible for ensuring there is a lawful basis, for honouring data subject rights, for security, and for demonstrating compliance through records and, where relevant, impact assessments. Where a controller uses a processor, it must put a data processing agreement in place. The controller remains answerable for the overall processing even when day-to-day handling is delegated.

Joint and sole controllers

Sometimes two or more organisations jointly determine the purposes and means of processing; GDPR calls them joint controllers and expects them to agree how responsibilities are shared. In research collaborations this arrangement is common, and clarifying who is controller for which data avoids gaps in accountability. Distinguishing controller from processor early in a project shapes contracts, security expectations and how participants are informed about who is responsible for their data.

Key facts

At a glance

  • Definition: entity determining the purposes and means of processing
  • Source: GDPR Article 4(7)
  • Test: decides the “why” and the “how” of processing
  • Accountability: carries primary responsibility for compliance
  • Joint controllers: two or more parties deciding purposes together
  • Contrast: processor acts only on the controller’s instructions

Common misconceptions

What people often get wrong

Often heard: Whoever physically stores or handles the data is the controller.

Actually: Control is about deciding the purposes and means of processing, not who holds the data. A party that merely stores or handles data on instructions is usually a processor, not the controller.

Often heard: A contract can simply label any party as the controller.

Actually: Controller status is a functional question decided by who actually determines the why and how of processing. Contract labels do not override the real allocation of decision-making.

Often heard: There can only ever be one controller for a given dataset.

Actually: Two or more organisations can be joint controllers when they together determine the purposes and means of processing, sharing responsibility under an agreed arrangement.
