1) One can place validation in the Entity so that validation is handled automatically, and is closely associated with the data it's validating (though, personally, because I find that in my typical usage, any given field frequently has several different conditions that sometimes do and sometimes don't apply, this started looking complicated... and I've resorted to having a separate 'validation class' that handles user input, which the Controller invokes separate to the Entity class (an approach that also has it's own inherent drawbacks)).
2) "Business rules" are typically supposed to be placed in the Model.