A data controller is a person, company, or other body that determines the purpose and means of personal data processing. In other words, the data controller decides how and why personal data is processed. The data controller can be a legal or natural person, an agency, a public authority, or any other body. Employees processing personal data within an organization do so to fulfill the tasks of the data controller. A data processor, on the other hand, processes personal data only on behalf of the controller. The processor is usually a third party external to the company, but in some cases, one undertaking may act as a processor for another undertaking. The duties of the processor towards the controller must be specified in a contract or another legal act.