This is a hypothetical question really, but with basis in real world application. Lets say there's website (lets call it Houses.com) which stores details about houses for sale and the person who's selling them. This website has property solicitors as its' clients, who log in and add their list of properties to the site. The property solicitors then use the API from Houses.com on their own websites to display the details of the properties and the person who's selling them, but the actual Houses.com website doesn't display any of this information - it purely acts as a data service for the solicitor websites. Where does liability sit here? Technically the solicitor sites are only displaying raw data from a third party, though they are responsible for maintaining the data (albeit on someone elses website). Houses.com however are a just a hub, not displaying or directly using the data - however they do host the data and while they provide a mechanism to update the data (to the solicitors) - the end house sellers will never go to their website or update anything. How will this work in terms of who has to do what, with GDPR?