Not to forget that they have to keep a protocol around of their considerations and have to explain why they used exactly this product or service. If they don't, that's already a GDPR violation.
For some data processing they even need to provide a formal document that simulates possible risks and when it comes to the conclusion that there is a high risk, your DPO is required to report this to the local DPA.
This is really an amazing mechanism to prevent danger from people's data.
This is my personal microblog. It's filled with my fun, joy and silliness.