This is called "negligence"
Sorry to use technical terms, but this is generally called "negligence". Under the GDPR (and lots of other legislation) outsourcing does not absolve from compliance with the law. If your outsource provides you with an unlawful service or product and you accept and deploy it, you're liable just as much as if you'd created it yourself. However in my professional experience most businesses (and here even a regulator) seem to believe they don't have to verify the legality of the services they subcontract.
Biting the hand that feeds IT
