> And that's why it is.
What on earth are you talking about? I’m making a fundamental statement about accountability: you can’t allow companies to outsource their data protection responsibilities, because history has shown time and time again that if you let companies outsource responsibilities, they’ll outsource them to someone who just ignores the law and provides a fig leaf to protect execs.
> Because it didn't take into account how companies work in practice.
The whole point of GDPR is to prevent shitty business practices, not enable them. How companies work in practice is mostly irrelevant; GDPR protects people, not companies.
> A SaaS company has both individuals as well as organisations as customers and thus operates as a data controller and data processor.
Yes, so what?
> Reality is that you can't ask each individual company to sign a document for each new subprocessor or data processing agreement modifications.
Yes you can. If your customer has given you explicit instructions on how they want their data processed, in the form of a data processing agreement, then you’re contractually bound to that agreement. If you want to change it, then you need to ask all your customers. You can’t unilaterally just start doing something new with data you’ve been given because you feel like it. Otherwise what prevents you from just deciding that selling all the data your customers gave you is how you now handle their data?
I don’t know why you find this so difficult to understand. You’re not even taking issue with something unique to GDPR. Modern-day slavery laws work in a similar manner, so does financial regulation, so does any contract where your customer gives you instructions and you want to modify those instructions. Companies update their T&Cs and force customers to explicitly accept the new ones all the time; this is not a new concept.