For the purposes of this Regulation:
[...]
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
When the GDPR refers to "the controller", it means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. As a rule, this person or body is also the one liable for violations of the GDPR; in practice this means, for example, the management of a company or the board of an organisation.
Please note: it is often assumed that an organisation's data protection officer is the "responsible" party (the controller) within the meaning of the GDPR (we will discuss this position in more detail later). However, this is not the case. The data protection officer only has an advisory role in the implementation of data protection; the organisation's decision-makers remain responsible.