> Not to sound too clever, but I would assume if I embed a third party on my website, all bets are off considering privacy/data flow.
That you have to take care of these things is kind of the point of GDPR. If you don't know what some embedded server will do with users data, don't use it. No more fast and loose.
My point was more about companies embedding Javascript on their sites and "did not know they were sharing data".
Sadly European data protection agencies are vastly understaffed. I've filed some complaints, and have been waiting for an answer for them for years in some cases. I regularily get letters sent from agencies which say "we're still on it, but it takes more time".
One complaint was about an UK company ("Boden") filed with the Berlin data protection agency. Then they transfered it to the UK, then back to Berlin, it currently is in the Netherlands.
That you have to take care of these things is kind of the point of GDPR. If you don't know what some embedded server will do with users data, don't use it. No more fast and loose.