ai-vendor-privacy-due
AI Vendor Privacy Due Diligence
Overview
AI services create complex controller-processor relationships that differ significantly from traditional data processing arrangements. Whether an AI vendor is a processor, joint controller, or independent controller depends on the degree of autonomy the vendor has over personal data processing — particularly regarding model training on customer data, data retention for model improvement, and the vendor's independent purposes for the data. This skill provides the framework for determining controller-processor roles in AI service relationships, conducting privacy due diligence on AI vendors, and establishing appropriate contractual protections.
Controller-Processor Determination for AI
Decision Framework
| AI Service Model | Typical Role | Key Factors | GDPR Article |
|---|---|---|---|
| SaaS AI — Customer data processed per instructions | Vendor = Processor | Vendor processes data solely on controller's instructions; no independent use | Art. 28 DPA required |
| SaaS AI — Customer data used for model training | Vendor = Joint Controller or Independent Controller | Vendor uses customer data for own model improvement beyond contracted service | Art. 26 JCA or separate controller notice |
| Embedded AI — Pre-trained model in customer infrastructure | Customer = Controller; Vendor = Processor only where it accesses data for support or updates | Model runs in the customer environment; the vendor touches personal data only through support access, telemetry, or model updates | Art. 28 DPA if the vendor accesses data; no DPA needed if it never does |
| API-based AI — Customer sends data for inference | Vendor = Processor if inputs are not retained or reused; Joint or Independent Controller for any training on inputs for the vendor's own purposes | Depends on whether the vendor retains, logs, or trains on input and output data, and for whose purposes | Assessment required, then Art. 28 DPA or Art. 26 JCA accordingly |
| AI Platform — Customer builds models on vendor platform | Vendor = Processor for hosted data and training runs; Independent Controller only for account and usage data it collects for its own purposes | Vendor provides compute and tooling; customer controls training data, model, and outputs | Art. 28 DPA + audit rights |
| AI Marketplace — Pre-built third-party models applied to customer data | Depends on the data flow | If customer data reaches the model provider (for inference, logging, or training), assess whether that provider is a processor or joint controller | Case-by-case |
Related skills