Let's say you have a SaaS where your customers can create mini-websites which have sign up pages, members area, etc.<p>MY question, what is the SaaS for the data of those users who sign up on the customers' "mini-portals"?<p>Is it a processor or a controller? The SaaS customer can customize pages, send emails etc...so it looks like the controller is the customer and the SaaS is just the processor, but after talking with some lawyers I'm not so sure about that.<p>What do you think?
Both I think you're responsible for your scope and also customers if they have access to APIs or export feeds.<p>Any data about final users should be available and controlled via consentement mgt ui
This ICO guide can help know the difference between the data controller and the data processor:<p><a href="https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf" rel="nofollow">https://ico.org.uk/media/for-organisations/documents/1546/da...</a>