From time to time we receive what is represented by the sender as a GDPR subject access request but which has been sent to us by a third party. The ICO has provided guidance on third party requests:

The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.

Based on this guidance we do not respond to such requests.