Since CA servers do have personal data on and if any of that data didn't come from Facebook and Facebook is claiming it didn't, then Facebook doesn't have the data subjects permission for that data and they can't have access to the servers.
Is it me not understanding GDPR or facebook?