What is the difference between a controller and a processor?

A controller decides the purposes and means of processing personal data. A processor only acts on the controller's documented instructions. Your role determines your legal obligations and who is accountable to data subjects.

Can both my company and the AI provider be controllers?

Yes. If the provider uses your customers' data for its own purposes — such as training its models — it becomes a controller for that purpose, and you may be joint controllers, each with direct GDPR obligations.

Why does the AI provider's data reuse matter so much?

A provider that only processes inputs to return outputs on your instructions is usually a processor. The moment it reuses your data for its own benefit (model training, analytics), it determines its own purpose and stops being a pure processor.

Is this a definitive legal determination?

No. Roles depend on the full factual context and contract terms. This tool gives a well-reasoned indication so you ask the right questions, but a data protection lawyer should confirm before you rely on it.

What should I do once I know my role?

As a controller using a processor, sign a GDPR Article 28 data-processing agreement. If you are joint controllers, put a transparent arrangement in place defining responsibilities. Either way, document the analysis.

AI Data Controller/Processor Classifier

AI data controller / processor classifier

When you send your customers’ personal data to an AI provider’s API, GDPR assigns you a role — controller, processor, or joint controller — and that role dictates your legal obligations, the contract you need, and who is liable to the people whose data you used. Many teams assume the provider is “just a processor” without checking, which is exactly how unlawful processing and missing data-processing agreements happen. This tool walks the key questions and classifies your role.

How it works

You answer a handful of questions: who decides why the data is processed, who chooses what data is sent, whether you act on your own behalf or someone else’s, and crucially whether the AI provider reuses your inputs for its own purposes such as model training. The classifier applies the GDPR test — determining purposes and means makes you a controller; acting only on documented instructions makes you a processor; sharing the decision-making makes you joint controllers. It then explains the reasoning and the consequences.

Notes and next steps

The single biggest factor is the provider’s data reuse. If the provider only returns outputs on your instructions and does not train on your data, it is likely your processor and you need an Article 28 DPA. If it trains on or otherwise repurposes your data, it becomes a controller in its own right and you may be joint controllers, each with direct obligations to data subjects. Roles are fact-specific and contract-dependent, so treat this as a structured starting point and have a data protection specialist confirm before you sign.