Data controller

GDPR lawyers from Morling Consulting clarify controller responsibilities and the obligations that apply

What is a data controller?

A data controller is a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and the means of the processing of personal data. The controller holds a central position in data protection law because it decides which processing of personal data will take place. Put simply, the controller is the actor that decides why and how personal data are processed.

In practice, it is often a legal person (for example a company or an authority) that acts as the data controller. A company is usually the data controller for the personal data of its customers and employees, whilst an authority is the data controller for the data it processes in its operations. The question “who is the data controller” is therefore about which company or organisation is responsible.

The controller bears overarching responsibility for ensuring that all processing of personal data complies with the GDPR's principles and rules. This means clearly defining why personal data are collected and processed and how this will be done. The controller must also ensure that every processing activity rests on one of the six lawful bases listed in Article 6 of the GDPR.


GDPR for controllers


We identify the relevant processing activities and which parties actually influence decisions on purposes and means, so the assessment is practically useful.


We translate how the business handles personal data into a clear responsibility matrix, linking obligations to the correct role and documenting boundaries.


You receive a concrete basis showing where risks and uncertainties sit, and which measures should be taken first to reduce exposure and day-to-day friction.


We draft or update relevant governance documents and contractual materials so instructions, responsibilities, and follow-up are traceable and consistent across the organisation.


We establish a way of working for ongoing checks of roles, routines, and record-keeping, so you can handle changes, incidents, and audits more predictably.


Data controller vs data processor: understanding GDPR roles

Understanding the distinction between GDPR roles is essential to allocate responsibility correctly and ensure compliance. The three roles are:

  • Data controller: Determines the purposes and the means of the processing of personal data. This actor bears ultimate responsibility for GDPR compliance and for respecting the rights of data subjects.
  • Data processor: Processes personal data on behalf of the controller and only on its documented instructions. A processor that starts determining the purposes and means of the processing is treated as a controller for that processing. A written agreement (including in electronic form) governing the processor's obligations is mandatory.
  • Joint controllers: Two or more actors that jointly determine the purposes and the means of processing. They must clearly allocate their respective responsibilities in an arrangement between them and make the essence of that arrangement available to data subjects.

Determining your organisation's role in a given processing activity is fundamental GDPR work and decides which obligations apply to you. An incorrect assessment creates legal risk and practical problems, particularly if responsibility is unclear during an incident such as a personal data breach. In short, data controller vs data processor is a governance question about who decides purposes and means.


How we can help with GDPR

Morling Consulting can help your organisation apply GDPR requirements correctly by assessing your role in relation to each personal data processing activity. This includes identifying and defining responsibilities and roles, such as whether you are a data controller or a data processor, or whether joint controllership applies under the GDPR. Our experience means we can:

  • Assess controllership, that is, determine whether your organisation is a data controller under the GDPR.
  • Advise on the documentation and agreements required to ensure these roles comply with the GDPR.
  • Develop guidelines to clarify each role and responsibility.
  • Recommend improvements to internal processes to meet GDPR requirements.

With Morling Consulting as your partner, you can be confident your data protection measures are well-founded and effective. Please get in touch to discuss GDPR.

Common questions on the data controller

Being a controller means you are responsible for how personal data are processed. It involves:

  • Defining the purposes of and means for the processing.
  • Ensuring processing has a lawful basis.
  • Implementing security measures.
  • Handling data subject rights.
  • Managing personal data breaches and, where required, notifying the Data Protection Authority (and in some cases the affected data subjects).
  • Being able to demonstrate GDPR compliance through documentation.

The company or organisation as a whole — the legal person — is the controller, not an individual. Internally, specific roles may be appointed to handle data protection in practice, for example a Data Protection Officer or similar roles.

The difference between the two roles in brief:

  • Data controller: decides the purposes and the means of processing personal data.
  • Data processor: processes personal data on the controller's behalf, following its instructions, without deciding purposes or means.

If a controller fails to meet its obligations, possible consequences include administrative fines from the Data Protection Authority, compensation claims from data subjects, and loss of trust from customers, partners and other stakeholders.

Whether your organisation is a controller depends on whether you decide why and how personal data are processed. Morling Consulting can assess your role, particularly in complex situations with multiple actors.
Example: A company that engages a third party to provide an IT system for its customer data remains the controller, because it still determines the purposes and means of the processing, even though the technology is supplied by someone else. The IT provider, acting on the company's instructions, is typically a processor.

Yes. Two or more organisations can be joint controllers if they jointly determine the purposes and the means of the processing. In such cases, an arrangement between the parties is required that sets out each party's responsibilities, and the essence of that arrangement must be made available to data subjects.

Accountability means the controller must not only comply with the GDPR but also be able to demonstrate compliance. This involves documenting processing activities, maintaining internal policies and procedures, carrying out risk assessments and, where needed, data protection impact assessments, putting agreements in place with processors, and assigning clear data protection roles inside the organisation.

If, as controller, you engage an external party to process personal data on your behalf, for example a cloud service provider, a data processing agreement is mandatory. It must cover, among other things, the subject matter and duration of the processing, security measures, the allocation of responsibilities, and the use of sub-processors.

In practice, we provide legal advice for organisations in a range of situations, including:

  • Determining whether an actor is a controller, processor or joint controller.
  • Reviewing data processing agreements and other necessary documentation.
  • Advising ahead of new processing activities, including the selection of lawful bases.
  • Supporting the management of personal data breaches and contact with the Data Protection Authority.
  • Drafting internal policies to meet accountability requirements.

Speak to a GDPR lawyer

Do you need to clarify controller responsibilities and obligations? Contact us to discuss.
