Data analytics services are on the rise, fostered by an increasing number of wearables and industrial sensors which are connected over the Internet. As a result, users who want to take advantage of these services are confronted with the challenge of keeping their private data and business secrets secure, while still providing the information required for the analytics service to operate. Traditional access and usage control do not solve this problem, as they only take binary access decisions, but do not enforce specific views on data sets. We propose a mechanism to control the ways in which data may be processed, thereby limiting the information which can be gained from data sets to the specific needs of a service. The core of our approach is to model data analytics as a data flow problem and to apply dynamic taint analysis for monitoring the processing of individual records. We propose a policy language to state requirements on the way how data is processed and enforce measures to ensure that critical data is not revealed. Our approach is based on the query evaluation of a complex event processing engine, which is thereby turned into a policy-controlled privacy-preserving data analytics service.