AI Data Controller/Processor Classifier

Determine your GDPR role when using AI APIs with customer data

Answer questions about how you use an AI provider's API with your customers' data to determine whether you act as a data controller, processor, or joint controller under GDPR — with the contract and liability implications of each role. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the difference between a controller and a processor?

A controller decides the purposes and means of processing personal data. A processor only acts on the controller's documented instructions. Your role determines your legal obligations and who is accountable to data subjects.

AI data controller / processor classifier

When you send your customers’ personal data to an AI provider’s API, GDPR assigns you a role — controller, processor, or joint controller — and that role dictates your legal obligations, the contract you need, and who is liable to the people whose data you used. Many teams assume the provider is “just a processor” without checking, which is exactly how unlawful processing and missing data-processing agreements happen. This tool walks the key questions and classifies your role.

The three possible roles

Controller — your organisation decides the purpose and means of processing. You chose to send the personal data, you chose the AI provider, and you are responsible to data subjects for how their data is used. You need a lawful basis under Article 6, and your provider (if only acting on your instructions) is your processor.

Processor — you only act on another controller’s documented instructions. If your customers are the controllers and you process their users’ data on their behalf using an AI API, you may be a processor for your customers while still being a controller in your own relationship with the AI vendor.

Joint controller — two or more organisations together decide the purposes or means of processing. This is the most legally complex outcome and requires a transparent arrangement (Article 26) defining each party’s responsibilities to data subjects.

How it works

You answer a handful of questions: who decides why the data is processed, who chooses what data is sent, whether you act on your own behalf or someone else’s, and crucially whether the AI provider reuses your inputs for its own purposes such as model training. The classifier applies the GDPR test — determining purposes and means makes you a controller; acting only on documented instructions makes you a processor; sharing the decision-making makes you joint controllers. It then explains the reasoning and the consequences.

The data reuse question — why it is decisive

The single biggest factor is the provider’s data reuse policy. If the provider only processes your inputs to return an output and does not train on, store, or otherwise use your data for its own benefit, it is likely acting as a processor and you need an Article 28 data-processing agreement. If the provider trains its models on your inputs — even with an opt-out you did not exercise — it determines its own purpose and becomes a controller for that processing. At that point you and the provider are likely joint controllers, each with direct GDPR obligations to the people whose data was processed.

Major AI API providers typically offer a “no training on API inputs” commitment in their terms (often requiring explicit opting out or a specific API tier). Check the current terms of your specific provider before drawing conclusions.

What to do once you know your role

Your roleAgreement requiredKey obligations
Controller using a processorGDPR Article 28 DPAAudit the processor, restrict sub-processors
Joint controllerGDPR Article 26 arrangementDefine responsibilities, inform data subjects
Processor for a controllerContract with your controllerProcess only on documented instructions

Treat this tool as a structured starting point. Roles depend on the full factual picture and your actual contract terms — have a data protection specialist confirm before you sign or publish your privacy notice.