The 'Controller' is the entity that determines the purposes and means of the processing of personal data. In other words, they make the high-level decisions about data processing activities. On the other hand, a 'Processor' is the entity that processes personal data on behalf of the controller. Therefore, it is the controller that has the authority over the purposes and means of processing, not the processor, compliance officer, or security administrator.