Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Paragraph 1.3.5 The processor must assist the controller for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights (Article 28 (3) (e) GDPR).
127. While ensuring that data subjects requests are dealt with is up to the controller, the contract must stipulate that the processor has an obligation to provide assistance “by appropriate technical and organisational measures, insofar as this is possible”. The nature of this assistance may vary greatly “taking into account the nature of th eprocessing” and depending on the type of activity entrusted to the processor. The details concerning the assistance to be provided by the processor should be included in the contract or in an annex thereto.
128. While the assistance may simply consist in promptly forwarding any request received, in some circumstances the processor will be given more specific, technical duties, especially when it is in the position of extracting and managing the personal data.
129. It is crucial to bear in mind that, although the practical management of individual requests can be outsourced to the processor, the controller bears the responsibility for complying with such requests. Therefore, the assessment as to whether requests by data subjects are admissible and/or the requirements set by the GDPR are met should be performed by the controller, either on a case-by-case basis or through clear instructions provided to the processor in the contract before the start of the processing. Also, the deadlines set out by Chapter III cannot be extended by the controller based on the fact that the necessary information must be provided by the processor.