We've recently exchanged emails with one of our Data Processors, because they don't grant the ability to permanently delete hosted documents (pdf, png, etc.) on their platform. Such documents might contain personal information.
In the event where an end-user would want to permanently delete such documents, we don't have the ability to do it for them (because the Provider doesn't give us any tool for doing so). Thus, we can't comply with any privacy-related request from our end-users. It also seems even the Processor cannot perform such a request in the event where we would forward the request to them. (they don't seem to have the necessary tools, either)
Therefore, we believe they don't comply with GDPR because of the Right to erasure/rectification.
The Processor doesn't recognize their responsibility on this matter, and are stating they respect GDPR regulations. Although, they haven't provided us with any meaningful reply regarding that particular matter. They're basically saying they're doing things "by the book" and sending us links to their online documentation, which do not answer the issue at hand.
At this point, we're concerned about what to do next. It feels like they won't acknowledge the issue and won't take responsibility about fixing it. We're thinking about opening an official enquiry, but we're unsure how to proceed.
Edit: The data processor is based in the US, while we are based in France (EU). We have signed a DPA with them.
documents
feature) and it's not a good move for us to change our data processor at this point. Our goal would be to make them compliant by providing us with the necessary tooling, rather than simply leaving. We were wondering if pressuring them would be effective, adn how to do so.