Re: Professional spammers again
I hate that particular bunch of monkeys as much as anyone else, but it is permissible for a Data Controller to use an outside organisation as a Data Processor to provide certain, well, data processing services for the Data Controller, as long as the Data Controller has a suitable contract in place and has verified that the Data Processor also complies with the GDPR, and that the Data Subject has consented to being subscribed to the email list (and/or that very sketchy 'existing relationship' clause, «sigh»).
Admittedly, whatever Safe H Privacy Shield calls itself this week (and US data protection law in general) isn't worth the self-certifying paper it is written on, but you can always send a few euro in the direction of noyb and ask them to prod further (although my understanding, and, obviously, IANAL, is that use of this particular Data Processor is legal as long as Privacy Shield is (hmmm…)).