- 15-Oct-2025
- public international law
A data controller is an individual or organization that determines the purposes and means of processing personal data. The role of the data controller is critical in ensuring that the collection, storage, and use of personal data comply with privacy laws and regulations. In jurisdictions like the European Union, the General Data Protection Regulation (GDPR) imposes specific legal duties on data controllers to protect personal data and uphold the rights of data subjects (the individuals whose data is being processed), so that individuals' privacy and data protection rights are respected in practice.
A data controller has several key legal duties, many of which are designed to protect personal data and ensure transparency in its processing. These duties include:
The data controller must have a lawful basis for processing personal data. Under the GDPR, there are six possible lawful bases for processing, including:
The controller must identify and document which basis applies to each type of data processing they conduct.
Data controllers must implement data protection by design and data protection by default. This means that they must integrate data protection measures into their business processes, products, and services from the outset and ensure that only the minimum amount of personal data is processed, stored, or shared.
Data controllers must be able to demonstrate compliance with data protection laws. They are required to keep records of their data processing activities, detailing the types of data processed, the purposes for processing, the recipients of the data, and the security measures in place. This documentation is essential in case of audits or investigations by regulatory authorities.
The data controller must provide clear and transparent information to data subjects about how their personal data is collected, used, and stored. This includes informing individuals about:
This information is typically communicated through privacy notices or privacy policies.
Data controllers must respect and facilitate the rights of data subjects under data protection laws. These rights include:
The data controller is responsible for ensuring the security and confidentiality of personal data. This includes implementing appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, loss, or disclosure. If a breach occurs, the data controller must notify the relevant supervisory authority and, in some cases, the affected data subjects.
If a data controller uses a third party (a data processor) to handle personal data, they must enter into a written contract with the processor. This contract must specify the processor's responsibilities, including data security, confidentiality, and compliance with applicable data protection laws. The controller remains ultimately responsible for ensuring that the data processor meets these obligations.
Data controllers are required to notify both the relevant supervisory authority and the data subjects in the case of a data breach that puts the rights and freedoms of individuals at risk. Under the GDPR, data controllers must report the breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in any harm.
Data controllers must ensure that personal data is not kept longer than necessary. They must establish data retention policies that determine how long personal data will be stored and ensure secure disposal once the data is no longer needed.
Failure to meet the legal duties of a data controller can have serious consequences, including:
Non-compliance with data protection laws, such as the GDPR, can result in significant fines. The GDPR allows fines of up to €20 million or 4% of a company's annual global turnover, whichever is higher.
Data subjects have the right to seek compensation for damages resulting from violations of their data protection rights. This could lead to individual lawsuits or class-action lawsuits, depending on the scale of the breach or violation.
A data breach or failure to comply with data protection laws can damage a company’s reputation, leading to a loss of trust among customers and business partners.
Regulatory authorities can impose corrective measures, such as audits or restrictions on data processing activities, if a data controller fails to comply with legal obligations. In extreme cases, authorities may ban certain data processing activities altogether.
Regularly review the types of personal data your organization processes, the lawful basis for processing it, and whether your data handling practices comply with relevant laws.
Invest in appropriate data security measures, such as encryption, access control, and regular security testing, to protect personal data from breaches.
Regularly train employees on data protection best practices, including how to identify phishing attempts, how to handle personal data securely, and how to respond to data subject requests.
Stay informed about changes to data protection laws, including any updates to GDPR, CCPA, or other relevant regulations, and update your policies and practices accordingly.
Ensure that all third-party vendors or data processors are compliant with data protection laws and that they sign proper Data Processing Agreements (DPAs) outlining their obligations.
A healthcare provider operates as a data controller, collecting personal health information from patients. The provider fails to implement proper data encryption and suffers a data breach where patients' sensitive health data is exposed.