Deleted user
posted 3 years ago
If my organization is processing data on behalf of a controller, does the data subject have access rights through the processor, or must Subject Access Requests (SARs) go through the controller?
If the processor then becomes a controller (or joint controller) through activities that create new data about the individual, should a SAR disclose all data about said individual, or only data not passed in by the original controller?
