What is a data controller under GDPR?
The data controller determines purpose + means of processing — and bears primary GDPR responsibility.
GDPR Art. 4(7): the controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". In short: whoever decides the why and the how is the controller.

Examples: your bank (it decides which transactions are retained), your employer (HR decisions on personnel information), the municipality (which civil services), a webshop (which customer data is used for which purpose), a social media platform.

Joint controllers (Art. 26): where two parties jointly determine purposes and means, e.g. Facebook and fanpage owners (CJEU Wirtschaftsakademie, 2018), or Google and websites using Google Analytics, both are joint controllers. They must establish a transparent arrangement about who does what in respect of data subject rights.

Main obligations of the controller: lawfulness (a legal basis under Art. 6), transparency (privacy statement), facilitating data subject rights (access, erasure, etc.), security measures (Art. 32), a DPIA for high-risk processing (Art. 35), breach notification (Art. 33-34), and liability (Art. 82).

How do you know who the controller is? The privacy statement must explicitly name the controller and a contact. If in doubt, file an access request (Art. 15): the party that responds is the controller.

Fines: the controller bears the largest fine risk. Art. 83(5) provides for fines of up to €20m or 4% of turnover for breaches of the core principles (Art. 5, 6, 7, 9, 12-22, and international transfers).