Handling Complex B2B DSARs: Controller vs. Processor Responsibilities
Author: Jerisaliant
The B2B DSAR Challenge
In B2B environments, data processing relationships are rarely straightforward. Your company may act as a controller for some data, a processor for other data, and even a joint controller in certain scenarios. When a DSAR arrives, understanding which role you play determines your obligations and response process.
Controller vs. Processor: Who Responds?
When You Are the Controller
If you determine the purposes and means of processing, you are the controller and bear full responsibility for responding to the DSAR. This is straightforward: collect the data, apply exemptions, redact third-party information, and deliver the response within the deadline.
When You Are the Processor
If you process personal data on behalf of another organization (your client), you are a processor. Under GDPR Article 28(3)(e), the processor must assist the controller in fulfilling its obligation to respond to DSARs. In practice:
- If a data subject sends a DSAR directly to you (the processor), you should redirect it to the controller without undue delay.
- When the controller requests your assistance, provide the necessary data extracts from your systems within the timeframe specified in your Data Processing Agreement (DPA).
- Do not independently respond to the data subject unless explicitly authorized by the controller.
Joint Controllers
Under Article 26, joint controllers must determine their respective responsibilities for DSAR compliance through a joint controller agreement. Regardless of these internal arrangements, the data subject can exercise their rights against either controller.
Contractual Obligations (DPAs)
Your Data Processing Agreement should define:
- Notification obligations: Processor must notify the controller of any DSARs received.
- Response timelines: How quickly the processor must provide data to the controller (should be shorter than the GDPR deadline to allow the controller time to review and respond).
- Scope of assistance: What data the processor must search and extract.
- Cost allocation: Whether the processor charges for DSAR assistance (and any fee structure).
Multi-Party Coordination
Complex B2B scenarios may involve multiple processors and sub-processors. A DSAR from an end user may require coordinating data collection from your organization (controller), your SaaS provider (processor), their cloud infrastructure (sub-processor), and a marketing platform (another processor). Key strategies:
- Maintain a processor inventory with DSAR contact points for each processor.
- Pre-agree DSAR assistance SLAs in every DPA.
- Designate an internal DSAR coordinator who manages multi-party requests.
- Test the process annually with mock DSARs that trigger the full chain.
Jerisaliant supports multi-role DSAR workflows with configurable controller/processor routing, DPA-aligned SLA tracking, and sub-processor coordination tools.