The party that determines the purposes and means of processing personal data, and bears primary responsibility under the GDPR.
The data controller decides why and how personal data is processed. It carries the main accountability under the GDPR, including establishing a lawful basis, honoring data subject rights, and ensuring appropriate security.
A controller may engage processors to act on its behalf, but it remains responsible for the lawfulness of the processing and for choosing processors that provide sufficient guarantees.