Controller

The entity that determines the purposes and means of processing personal data.

Definitions (3)

A Controller (Rekisterinpitäjä) is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller bears primary responsibility for ensuring compliance with data protection legislation, including implementing appropriate technical and organizational measures and responding to data subject requests. This role is defined in Article 4(7) of the GDPR and is a key concept in the Tietosuojalaki.

A controller is the entity that determines the purposes and means of the processing of personal data. In most employment scenarios, the employer acts as the data controller, as they decide why and how employee personal data, including pay information, is collected, stored, and used. The controller bears primary responsibility for compliance with the Law on the Processing of Personal Data and the GDPR, including implementing appropriate technical and organisational measures to ensure data security and upholding data subjects' rights. This role entails significant legal obligations and accountability.

A data controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. In an employment context, the employer is typically the data controller for employee data, as they decide why and how employee information, including pay data, performance reviews, and health records, is processed, and bears primary responsibility for compliance.

Controller - AI Regulation Glossary | RewardsET