A data controller is a person or organisation that decides on the processing of personal data. They are responsible for ensuring that data processing is carried out securely and appropriately, and that the data is either destroyed or archived properly once the research is completed.
If the researcher is employed by the organisation conducting the research, that organisation acts as the data controller. However, an independent researcher or research group can act as the data controller themselves.
If multiple organisations jointly decide on the processing of personal data, they act as joint data controllers. In such cases, it is important to clearly agree on the responsibilities of each party.