[deepsun]

I'm not sure about that, I'm pretty sure any company that has your PII is obliged to follow the law, regardless of their contracts with their customers/vendors. Law doesn't make you investigate who's the end customer for your data, only who has it.

As for "subprocessor" -- it might as well be the case that both sides are subprocessors for each other, nothing wrong with that.

[Aaargh20318]

I don’t know this specific law, I just know how it works in the EU with the GDPR. Of course any company that has your PII has to follow the law, but it matters which entity is the one that has is the end customer for your data. They are the one that has to have a legal basis for even collecting that data and they are the one you as a use deal with. If they use a sub-contractor then that’s an internal matter for them and not something you as the subject has to deal with. Of course they have to have a DPA in place with the sub-contractor and they have the responsibility to make sure the sub-contractor follows the law. Likewise the sub-contractor has to make sure that their client has a sound legal basis for processing the PII.

For example: if a bank outsources part of their KYC process to a third party, that’s not something you have to concern yourself with, you only deal with the bank.

[deepsun]

All true, but if the third party receives a delete request from you, they have to oblige (and may notify the bank). Otherwise it would be very easy to circumvent the law by saying "oh we're just keeping it for another customer, we're going to send it to them next year maybe". And that customer will say they need it for another customer etc.

Privacy law (in your case GDPR) does not concern with who's customer. If a company processes PII -- they are subject to the privacy laws.