This document focuses on what processors can (and cannot) do in helping controllers respond to consumer rights requests. It explains that processors play an assisting role and should not be obligated to respond directly to consumer requests to access, correct, and delete their personal data. Instead, the processor should help the controller when those requests seek data held by the processor.

The document also focuses on the key point of what that assistance should look like – and explains that a processor can fulfill its obligation to assist the controller by creating a tool the controller can use to execute consumer requests itself, rather than requiring the processor to respond 1:1 to requests from the controller.

Related: The Global Standard in Privacy Legislation: Distinguishing Between Controllers and Processors
Controller and Processors: A Longstanding Distinction in Privacy
State Privacy Legislation: Distinguishing Between Controllers and Processors