Under GDPR, the data controller is the organization that decides what personal data to collect and how to use it. The controller bears primary responsibility for GDPR compliance.
Controllers must ensure they have lawful basis for processing, implement required safeguards, and fulfill data subject rights requests.