The Controller is the entity that determines the purposes and means of processing personal data: which data to collect, why to collect it, how long to keep it, and who to share it with. Under the GDPR the Controller bears the primary legal accountability; similar US state laws (which often use the term "Business") apply the same concept under a different label.
A few common cases sharpen the definition. An e-commerce company that decides to collect customer addresses for shipping is the Controller. A SaaS vendor that hosts that company's CRM is not the Controller of those customer records — it is the Processor. But that same vendor, when collecting analytics about its own logged-in users, becomes a Controller for that separate dataset.
The Controller/Processor distinction drives the operational compliance model. Controllers issue instructions and answer to data subjects and regulators; Processors act only on those documented instructions, under a written contract that the GDPR requires (Article 28), and carry a narrower set of direct obligations of their own, such as securing the data and reporting breaches to the Controller. A Processor that starts deciding purposes and means on its own, outside the Controller's instructions, becomes a Controller for that processing. Every system in an organization's data map should therefore have its controller/processor responsibility documented per dataset, because the same vendor relationship can include both roles for different data, and the legal obligations differ accordingly.
