This document focuses on what processors can (and cannot) do in helping controllers respond to consumer rights requests. It explains that processors play an assisting role and should not be obligated to respond directly to consumer requests to access, correct, and delete their personal data. Instead, the processor should help the controller when those requests seek data held by the processor.

The document also focuses on the key point of what that assistance should look like – and explains that a processor can fulfill its obligation to assist the controller by creating a tool the controller can use to execute consumer requests itself, rather than requiring the processor to respond 1:1 to requests from the controller.

Related: The Global Standard: Distinguishing Between Controllers and Processors in Privacy Legislation
Controller and Processors: A Longstanding Distinction in Privacy
The Global Standard: Distinguishing Between Controllers and Processors in State Privacy Legislation