A Controller of an entity is the role that an actor performs as it is executing actions on that entity for the purpose of ensuring that the entity will act/behave, or be used, in a particular way. Thus, a controller controls the behavior and/or use of the entity it controls.
Being a controller of an entity does not imply:
- ownership of that entity,
- having a (legitimate) right, duty or authorization for executing actions that control the entity.
The ability to distinguish between (non)controllers of an entity enables us to identify the actors that can make sure that the entity acts/behaves, or will be used, in a particular way. It also helps owners of that entity to manage the rights (or duties) of actors to execute controller-actions.
An actor is said to be a controller of some entity if and only if it is executing an action on that entity for the purpose of ensuring that the entity will act/behave, or be used, in a particular way.
- The GDPR (Article 4(7)) defines 'controller' as the party that determines the purposes and means of the processing of personal data, which is different from how we defined it. The GDPR 'processor' (Article 4(8)), i.e., the party that processes personal data on behalf of a (GDPR-)controller, would (in our terms) control that personal data and hence qualify as a controller.
- In the DID spec (of December 2021), the word 'controller' is used for the entity that controls (i.e., has the capability to change) the contents of a DID Document. However, as it is also used in the context of Verification Relationships, it is better understood as the party or actor that is capable of wielding the private key material associated with a specific verification method.