Not an expert at all, but my basic understanding of GDPR is if you outsource a service to a 3rd party and they collect data or do any processing that they shouldn't, you are essentially responsible.
It makes sense. I'm the one selecting the tooling afterall so I should also be responsible for making sure to comply with whatever laws/directives there are.
This being said, it feels unfair when you try to comply but somebody fucks you over.
