Under data protection legislation, there must be a data controller who is responsible for decisions made about why and how organisations use personal data.

The data controller is defined in the UK GDPR as:  ‘…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.