Data controller

A data controller is a person or organisation that decides why and how personal data is processed. In the context of political advertising, controllers determine the purposes of targeting, what data is used, and how ads are delivered to specific audiences. Under EU law, the controller is responsible for ensuring data processing is lawful, transparent, and respects individuals' rights.

Legal Basis

"'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;"

— Article 4(7), Regulation (EU) 2016/679 (GDPR)

Why It Matters

The data controller role is central to compliance with both the GDPR and the Regulation on the transparency and targeting of political advertising (Regulation 2024/900). When political actors, providers of political advertising services, or platforms use personal data to target or deliver ads, one or more entities act as controllers and must ensure the processing is lawful, fair, and transparent.

In political advertising, determining who is the controller is essential for accountability. If a political party commissions an agency to run targeted ads using voter data, both may be controllers—either jointly or separately, depending on who decides the purposes and means of processing. Controllers must have a valid legal basis (such as consent or legitimate interest), respect data subject rights, and implement technical and organisational measures to protect personal data.

Regulation 2024/900 places strict conditions on the use of targeting techniques in political advertising. Controllers must ensure they only process personal data collected for the purpose of political advertising targeting, obtain proper consent where required, and never use certain sensitive categories of data (such as biometric data) for targeting. Failure to comply can result in enforcement action by data protection authorities and significant fines under the GDPR.

Key Points

  • The data controller is the entity that decides why (purpose) and how (means) personal data is processed.
  • In political advertising, controllers can be political parties, campaign organisations, advertising agencies, platforms, or a combination acting jointly.
  • Controllers must comply with GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.
  • Under Regulation 2024/900, controllers using targeting or ad-delivery techniques in online political advertising face strict conditions, including limits on what data can be used and requirements for consent.
  • Controllers are responsible for responding to data subject rights (access, rectification, erasure, restriction, portability, objection) and for data security.
  • Data protection authorities supervise and enforce controller obligations; non-compliance can lead to fines up to 4% of annual global turnover or €20 million under the GDPR.

Data controller vs. Data processor

A data controller decides the purposes and means of processing personal data, while a data processor processes data on behalf of and under the instructions of a controller. For example, if a political party (controller) hires a marketing platform (processor) to send targeted emails, the party determines what data to use and why, while the platform executes the task. Processors must follow the controller's documented instructions, implement security measures, and assist the controller in meeting GDPR obligations, but they do not decide the "why" or "how" of processing. Under Regulation 2024/900, both controllers and processors must ensure compliance with targeting restrictions in political advertising; controllers bear primary responsibility, but processors can be held liable if they exceed instructions or fail to meet their own obligations.

Data controller: Core Facts

Status: Active Definition
Verified: 2026-03-07

Related

Very transparent. Every political ad will be labelled, linked to a transparency notice with detailed information, and online ads will be searchable in a central European repository.
The Network coordinates election-related cooperation between member states. National contact points for TTPA enforcement should be members of this network where possible.
Election campaigns will need to ensure all paid advertising includes proper labels and transparency notices. Sponsors must be prepared to provide required information to all service providers.
Several major platforms currently do not allow paid political advertising, including some large social networks. This limits where political actors can place paid online advertisements.
The TTPA applies from 10 October 2025. Member States had until 10 April 2025 to designate competent authorities, and the Commission must provide label templates by 10 July 2025.
Publishers must ensure completeness and accuracy of certain information but are not required to verify all sponsor claims. They must correct manifestly erroneous information when they become aware of it.
Yes. When a hosting provider and a website both display an ad, both are considered publishers with responsibility for their specific services. Contracts should clarify how they share compliance duties.
If a publisher removes or disables access to a political ad due to illegality or terms violations, they must still provide access to the transparency information for the full seven-year retention period.