Alice contracts with ACME insurance which sends her to their identity verification solution provider’s app/website (BCME KYC SOLUTIONS Inc). BCME’s portal asks Alice for photos of herself and other materials which they then collect and store on their systems.
If the data were collected by ACME and then stored with a third party infrastructure provider such as AWS or Azure then I expect that they would merely be processors. But as the data is collected from the subject directly by the third party itself, is BCME a controller or processor even though its contractual/business relationship is only with ACME and not Alice herself?