> embed a third party on my website, all bets are off considering privacy/data flow.

That's definitely not the case. It'd be true only if there is no contract w/ the 3rd party at all. Many contracts cover data leaks and the like and the contractual obligations are "non-trivial" to put it mildly.

Then our experiences differ somehow. Most Disqus users don't look like they have a contract, rather they accept terms and services than can be unilaterally changed by Disqus.

I've signed some DPAs and those that I've signed were very vague and liberal on what data they take - at least none of them felt that they would not try to get all the data that they can.

> Most Disqus users don't look like they have a contract, rather they accept terms and services than can be unilaterally changed by Disqus.

In that case the terms are invalid.

You cannot use terms of service to take away consumer protection in Europe.

Yes.

> Not to sound too clever, but I would assume if I embed a third party on my website, all bets are off considering privacy/data flow.

That you have to take care of these things is kind of the point of GDPR. If you don't know what some embedded server will do with users data, don't use it. No more fast and loose.

Yes I agree.

My point was more about companies embedding Javascript on their sites and "did not know they were sharing data".

Sadly European data protection agencies are vastly understaffed. I've filed some complaints, and have been waiting for an answer for them for years in some cases. I regularily get letters sent from agencies which say "we're still on it, but it takes more time".

One complaint was about an UK company ("Boden") filed with the Berlin data protection agency. Then they transfered it to the UK, then back to Berlin, it currently is in the Netherlands.