In data protection law (the GDPR and regimes modelled on it), a controller is the organization that decides why personal data is collected and how it is processed. It sets the purpose, chooses the main tools or vendors, and remains accountable for the overall legality of the processing even when individual tasks are outsourced to a processor, which may only act on the controller's documented instructions.
This matters in cyber security because the controller defines the security requirements around the data: who may access it, how long it is retained, what is logged, and how vendors are overseen. In real systems, a company using a CRM, telemetry platform, or monitoring tool is usually the controller, while the service provider operating that tool acts as a processor. Controllers are attractive targets because they typically centralize the most sensitive records and hold the credentials and integrations that reach into each processor. Defenders use the controller role to pin down who is responsible for each data set, to enforce least-privilege access across both their own staff and their processors, and to keep monitoring proportionate, transparent, and limited to the specific purpose for which the data was collected.