Nowadays, data has become marketable, and users often underestimate the impact of not protecting their data. Even more than that, some users agree to sale their private data. In this context, data protection and user sensitization have to be at the heart of our concerns. This work is part of Personal Information Controller Service (PICS) project. In this paper, we propose a user-centric data protection service to (1) allow users to identify their protection requirements thanks to risks evaluation support tools, (2) provide a “privacy evaluation” of SaaS suppliers based on their ToS and (3) allow users to control the access authorizations they grant to SaaS providers. To this end, we define a semi-structured Personal Information System organization used to organize access rights based on a General Data Protection Regulation-compliant ontology.