So since we are a data processor (SaaS), almost everything we do with (personal) data is at the request of the data controller. If our customer requests to show certain personal data which could be in conflict with the GDPR, should we inform them about this and provide the functionality, or are we responsible to tell them we won't agree on data which might conflict with GDPR?
An example is a public page where members can be found.
- Yes, we can provide an extra check where the member must agree on showing their data
1. What if the customer doesn't want to use it, who is responsible?
2. On which personal data is the extra confirmation applicable? (name, birth date, city, etc., all?)
Art. 28(3)(h) of the EU GDPR states that the processor must inform the controller if, in its opinion, the controller’s instructions would breach Union or Member State law, including the EU GDPR (https://advisera.com/eugdpracademy/gdpr/processor/), so if you have serious concerns, it is your duty just to inform the controller.
It is the duty of the controllers to make sure that their instructions are lawful. Since you don’t have the full picture of the processing activity, your perception about the processing being unlawful might be wrong. For example, the controller could have already obtained the consent from the data subject, thus you as a processor don’t need to obtain that again.
You don't need any extra confirmation from the controller or the data subjects, since it is the job of the controller to ensure that any request that it might have is always in compliance with the EU GDPR and other data protection legislation.