Basically, this is the structure that the GDPR mandates: the data controller (entity that processes data on behalf of the customer) is liable for data security breaches, regardless of whether the breach occurred at themselves or a third-party data processor.
Eventual fines will also be shared by them, and the ratio will depend on how diligent the controller was in selecting and auditing their data processor(s). Exactly because it's too easy to outsource your exposure risk along with your customers' data.