By interpreting the legislative model of the EU General Data Protection Regulation (GDPR), this article aims to explain the concept and obligations of the data controller, and to highlight the experience of personal data protection in the EU. The data controller concept can be understood from four aspects: object, behavior, subject type and meaning; the term is designed for easily identifying the object to be protected, i.e. personal data, and the legal relationship between controlling and being controlled of personal data. Moreover, the definitions in the general provisions and the explanation given in each chapter are useful for judging if a data controller is required. The duties of the data controller include adopting suitable techniques and organizational measures, documenting breaches of personal data policy, reporting and notifying such breaches, making data protection impact assessments and seeking cooperation with the supervisory authority. These specific duties are useful for internal monitoring of the data controller and for setting up data security policies to achieve the necessary legal protection of personal data.