In order to operationalise the fundamental right to privacy, as reaffirmed by the Supreme Court in the landmark K.S. Puttaswamy judgment, the Indian government has recently introduced a draft data protection legislation. The present draft is inspired — to a considerable extent — by the EU’s GDPR and defines numerous key notions in largely identical terms. In view of these similarities, this paper seeks to examine the recent developments in the EU regarding the concept of ‘data controller’ and its application to what may be termed as a ‘Web 2.0 setting’. The paper commences with a review of the obligations imposed on controllers under the GDPR. Next, it introduces the ‘Web 2.0 setting’ and traces the evolution of the ‘data controller’ concept with the emergence of the internet. The paper then turns to a substantive analysis of the understanding of data controllers in a Web 2.0 context by examining the case of Wirtschaftsakademie Schleswig-Holstein, which concerns the potential joint controllership of Facebook and the administrator of a Facebook fan page. The final section challenges the interpretations of the concept previously adopted by the ECJ and provides suggestions to better realise the objectives of data protection law.