[tremon]

you can't shield yourself from GDPR simply by saying, "Oh it's this other company's responsibility. And, by the way, they don't agree to do GDPR, so it's out of my hands".

To be specific, this is mandated explicitly by the GDPR:

> the controller shall [ensure] to be able to demonstrate that processing is performed in accordance with this Regulation. [art.24]

> Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees [art.28]

> Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller [art.28]

[art.24] https://gdpr-info.eu/art-24-gdpr/

[art.28] https://gdpr-info.eu/art-28-gdpr/