Hacker News
by karatinversion 1362 days ago
IANAL

Under GDPR you are the data controller if you decide what data is collected and for what purposes.

I would expect this to cover you as the operator of the website (or other service). Your agreements with your tool providers probably specify that they are data processors for you.

If data was being collected and accessed without lawful basis (by e.g. GA embedded somewhere in your stack), this would count as a data breach. You would have to inform your data regulator (e.g. ICO in the UK) within 72 hours of becoming aware of it, and tell them among other things what remedial action you are taking. You could also be fined for failing to do due diligence.