Controller

The entity that determines the purposes and means of processing personal data — the party legally accountable for the processing.

Also: Data controller

The controller is the entity that decides why and how personal data is processed. GDPR Article 4(7) defines it as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

The controller is the legally accountable party. Data subjects exercise their rights against the controller. Regulators investigate the controller. Fines under Articles 83(4) and 83(5) generally land on the controller.

How to identify the controller

The label in a contract isn't decisive — what matters is who actually decides. The questions a regulator asks:

  • Why is this processing happening? Whoever set the purpose is the controller.
  • What data is collected? Whoever decided the data set is the controller.
  • How long is it kept? Whoever sets retention is the controller.
  • Who receives the data? Whoever decides the recipients is the controller.

A SaaS vendor processing your customers' data on your instructions is a processor. The same SaaS vendor processing usage telemetry to improve their product is a controller of that telemetry. One vendor often plays both roles for different data flows in the same product.

Why this matters for vendor monitoring

A controller's accountability is ongoing, not one-time. Article 24 requires the controller to "implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."

"Be able to demonstrate" is the operative phrase. A controller who signed a DPA two years ago and hasn't checked the vendor's current subprocessor list, retention period, or transfer mechanisms cannot demonstrate ongoing compliance. They can demonstrate compliance as of the date of signing, which is not the same thing.

This is the legal foundation for treating vendor monitoring as a continuous activity rather than a procurement-time checkbox.

Related terms