What is a data controller according to GDPR?

A data controller is a person, public authority, or agency that determines the purposes and means of the processing of personal data. The data controller decides the purpose for which personal data is processed and what personal data is necessary to fulfil that purpose.

For example, if you are a small business that collects personal data in order to ship products (the purpose) to customers in the EU, you are the data controller. If you use a third-party company to ship your products, that company is a data processor.

The controller should have a lawful basis for processing personal data, such as the consent of the data subject or legitimate interest. Controllers are also responsible for ensuring that the processing is lawful, fair, and transparent and should implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, or disclosure.