The customise settings popup has an always-on item literally labelled “Strictly Necessary”.
If they apply that as on and everything else in that popup as off, they are in compliance with GDPR without having to show the popup.
Unless that setting is misleading, but then they are not in compliance even despite showing the popup, even if they fix the problem I raised previously.
That tells me that they don’t know. Making every part of the org prove that they aren’t is very expensive but doesn’t improve the service.