The right can only be enforced against a "controller," which is the entity that "determines the purposes and means of the processing of personal data."
It's worth noting that GDPR does not give the data subject the right to request everything in the letter. Only a more limited set of things.
The practical effect for SaaS companies is that they should keep track of data and the systems and services where data is processed. With good preparation and a system of record for security/privacy management data, you can prepare for this kind of request very well. My company does just that - helps others prepare.