Glossary
Data controller
Under the GDPR, the data controller is whoever decides why and how personal data is used. If your business feeds customer data into an AI tool, the controller is you, not the AI company, which means the privacy responsibilities are yours too.
The GDPR splits responsibility into two roles. The controller decides why and how personal data is processed. The processor handles data on the controller’s behalf, following instructions. The controller carries most of the legal duties: informing people, keeping data safe, answering deletion requests.
Here’s where it gets personal. When a bar owner pastes her customer mailing list into a chatbot to write a newsletter, she is the controller of that data. The AI provider’s role depends on the plan: on business plans with a proper agreement it typically acts as her processor; on a consumer account, the provider may use the data for its own purposes too, a setup that’s much harder for her to justify.
That’s why “which plan am I on?” is secretly a privacy question, not just a billing one. The paste checker shows how each vendor treats data on each tier, and a DPA is the document that formalizes the processor relationship. For your specific obligations, your national data protection authority’s guidance is the authoritative source.
Where you’ll meet this
- Privacy policies, in the section naming who the controller is
- Business and enterprise terms of AI vendors, which define controller/processor roles
- Guidance pages of the EDPB and national data protection authorities
Put it to work
- Skuto Paste Checker (free): Check before you paste. Pick what you're about to share and which AI you use, and see in seconds if it's safe, with the vendor's actual terms and a safer alternative.
- Skuto Plan Picker (free): Find out in one minute whether a paid AI plan is worth it for you, with real euro prices, VAT included, re-verified every week.