Question

A data controller and a data subject occupy opposite positions in the flow of personal information: the controller is an organization or person that decides why and how personal data will be processed, while the data subject is the natural person the data are about. This creates two fundamental differences. First, in terms of agency and power, the controller has decision-making authority and operational control—choosing processing purposes, lawful bases, retention periods and security measures—whereas the data subject has little or no control over those decisions and instead holds the status of the source and beneficiary of protections. Second, in terms of legal roles and obligations, the controller bears duties and potential liabilities under data protection law (for example, to implement safeguards, carry out data protection impact assessments, and respond to breaches), whereas the data subject is primarily the holder of rights (such as access, rectification, erasure, portability and objection) that can be exercised to influence processing. In short, controllers are responsible actors with obligations and authority; data subjects are individuals entitled to rights and protections in relation to their personal information.