Data Controller
A Data Controller is defined as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
It is not to be confused with the concept of Data Processor.
The definition comes from Article 2(d) of Directive 95/46/EC, which forms the legal basis for the common Personal Data Protection regime across the 27 member states of the European Union.
In February 2010, the Article 29 Working Group published an Opinion which sought to clarify the definition of both Data Controller and Data Processor in EU law. It is clear from the deliberations of the Working Group that a key factor in deciding whether an organisation is a Data Controller will be the factual basis of the relationship between the parties who are processing personal data.
From a practical point of view, care must be taken when embarking on any collaborative exercise involving the processing of personal data to ensure that roles, responsibilities, and duties are clearly defined. This mitigates the risk of personal data being processed inappropriately or without due care to the requirements of Data Protection law.
