by luckylion
2556 days ago
> "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands"

In this case, the other company is also in Europe (Spain), so by law must abide by GDPR. It seems they didn't have a contract ready, and Kolibri didn't want to spend money on translating/creating a contract to Spanish.

From what I read from Kolibri themselves (https://kolibri-image.com/causa-datenschutz/), the "processing" was a company that bundles DHL package orders to get batch pricing. You send them the information, they send the order (together with other orders) to DHL, DHL picks up the package and you save on postage.

Apparently, Kolibri wasn't sure whether that's actually data processing (but did mention them using the company for this particular reason in their privacy information; according to the Bavarian officials, it isn't). They asked the German branch of the company who said they wouldn't need a contract and subsequently referred them to HQ in Spain. They asked the Hessian official to make the company's German branch comply with GDPR and sign a data processing contract. Instead, the Hessians forwarded it to Hamburg.

Kolibri claims to have stopped using that company after hearing back from the Hessians, but forgotten to remove them from the privacy information on one website. If they are to be believed, they were told "you can't use them without a contract" and stopped using them.

The fine has since been withdrawn and the case was closed.