This hits another big point I've been wondering about GDPR. If site X has third-party JS from Google, Facebook, or so on, who does GDPR apply to? Is site X the one collecting the data, or is it the third party?
GDPR distinguishes between the "Controller" and "Processor" for data. A Controller has the most responsibility under GDPR. A Processor has separate responsibilities, and generally fewer of them.
In your example, Site X would be the Controller. Google or Facebook may be a Processor, or they may not be involved at all. If the JavaScript in question sends data to Facebook/Google then they are a Processor, whereas if it's purely a client-side library or something that helps Site X send data to itself then the situation is more ambiguous.
Vendors could arrange the relationship in such a way as to be joint controllers instead of processors if they wanted to. Most companies seem to want to avoid this set-up if possible.
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Generally speaking, site X is the data controller and the third party JS providers are the data processors. GDPR applies to both, with the controller being the party primarily responsible for ensuring compliance.
+1 for actually mentioning (let alone citing!) the article. There is so much information floating around, much of which is slightly exaggerated, misinterpreted or misremembered, and if you want to check it you basically have to go and search through the whole thing. Even the Dutch data protection authority has lots of info and FAQs without any reference to the law at all. So whenever I refer to it, I often have to go "at least, that's what our national authority says, I have no idea which article in the international law this is based on. Here, go and read some Dutch!"
My understanding (IANAL) is the site requested (i.e., X) is the data controller: X caused the third-party requests to occur, and is therefore responsible for any data transmitted over them.