It has just come to my attention that some are concocting ways of bypassing responsibility to their clients by agreeing with a “co-processor/controller” that they will be responsible for subject requests, etc.
First, the ICO is not going to fall for such an usurpation of the law and the data controller’s responsibility. If you are a data controller and you violate that data subject’s rights under the GDPR then you can bet your bottom dollar the ICO, if not a lawyer, will be coming for you.
Second, the GDPR, in Article 26, section 3 says this:
“3) Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.”