
> In a B2B setting, there is no GDPR obligation

I think this is not correct.

AFAIK it's not transitive, but you can request any company directly. I think there are even people trying this randomly.

As long as it's data about you, you are allowed to request it. When you sign an agreement that your data may be transferred to another controller (and there is no other way this data may be transferred), you are totally entitled to ask this controller for your data.




That's when you have two separate controllers.

For subprocessors it's different - they should send you back to the top-level controller for the data request. The subcontroller might not even know which data they have is actually connected to you, e.g. AWS is not going to figure out the schema of an RDS instance. But the controller is required to have an agreement with the subcontroller to be able to get them to cooperate in processing your requests.

(that's partly what all those data processing agreements that subprocessors and controllers have to sign are about)


There are some aspects of B2B AFAIK that are excluded. For example, B2B doesn't need the employees' permission for the data processing. But for clients of the B2B they do.


Of course they need the employees' permission if it is personal data (see also https://www.dickinson-wright.com/news-alerts/the-gdpr-covers...). At least under German law, if the times when I work are logged and processed, I have to agree to this as an employee. This is usually part of the employment contract. Also, companies have to rightfully store legally relevant data, usually for 10 years, so there are of course exceptions. For the storage clause there is even the right to data access blocking (when deletion is not possible because of a retention period).


In most countries there is a time limit measured in years on suing for breach of contract (for instance, in England it's 6 years), so this can always be a legitimate reason to keep personal data for years after their use has ended: GDPR says that data must not be kept longer than necessary, but keeping records in case of legal action seems like a very 'necessary' reason.


> Without consent, there are only a number of other ways an employer can process data, and those are identified in the GDPR as “legitimate basis”, which include, in relevant part: (1) to perform an employment contract; (2) to comply with legal obligations; and (3) to further a legitimate interest of the employer.

You'll find nearly every time they use that.


> legitimate interest of the employer

I would claim this paragraph will side with the employee in dubious cases (see the article): "To use the legitimate interest allowance, employers must perform a privacy impact assessment balancing their legitimate interest against the employees’ privacy interests. The hard part, this must be documented to demonstrate that the employer’s legitimate interest does outweigh the employees’ rights. The next step that employers cannot overlook is that, even if the employer has a basis to process employee data, the employer must then provide notice to the employee that spells out exactly what data the employer is going to collect and what the employer is going to do with it."


There are some limits. For instance, your Internet Protocol address(es) are considered to be personal data, yet AFAIK the various routers that have to store them in the normal process of doing Internet connections don't have to comply with the GDPR?



