Data Controller

From Open Risk Manual


Under Regulation (EU) 2018/1725, as well as under the GDPR, the Data Controller is the party that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

The actual processing may be delegated to another party, called the Data Processor. The controller is responsible for

  • the lawfulness of the processing
  • for the protection of the data, and
  • respecting the rights of the Data Subject.

The controller is also the entity that receives requests from data subjects to exercise their rights.


  • In ISO/IEC the term 'PII Controller' is used.