Please tell me I've read something wrong. Otherwise, this is just panic induced stupidity. I expect they will grow out of it (though maybe not before you go bankrupt, which obviously sucks big time).
Yes.
It's not unreasonable, because GDPR has components that require vendor assurance (more or less). So the megacorp with a point-of-presence in the EU has to be cautious about what strictly-US SaaS services it uses if there's any potential for data crossing into the SaaS.
This is almost certainly exactly what GDPR is intended to do. It aims, in part, to make sure companies can't shirk their responsibilities by handing everything over to vendors who will ignore GDPR.
An actual compliance audit from an accredited auditor, paid for by the SaaS offering of course, is not going to be cheap or easy.
The GDPR regulates both Data Controllers and Data Processors.
Suppose I'm excited to hear about Hats.example, a site that sells hats. I visit, but they don't have any hats for my ostrich. Damn. But, they do have a box where I can leave my email address "to be contacted about future products". Great, maybe they'll introduce Ostrich hats. I fill out the box.
Hats.example uses famous email deliverability company WeSpamPeople.example to ensure their marketing emails have "industry best in class reach". I soon get an email every week featuring different styles of hat, but they're all for people, disappointing.
But then, WeSpamPeople's VC runs thin, and they cut a deal with OutrightFraudAndScams.example, which tricks people into making dubious "investments" and wants a lot of "leads". Now as well as the hats newsletters I asked for but don't really care about, I'm getting stuff inviting me to invest in Venezuelan Bitcoin mining and a project to make "Green cyber-organic goats for the blockchain". Ouch.
Hats.example are a Data Controller. The GDPR says they are responsible for looking after the data that I gave to them, even if "technically" that form I filled out is a JavaScript frame injected by WeSpamPeople.example. It's part of the Hats.example business, so it's their responsibility to ensure my email is not abused by a processor like WeSpamPeople.example, for example through contractual terms requiring WeSpamPeople.example to delete my email, never to send it elsewhere, et cetera.
WeSpamPeople.example are a Data Processor because they were given my email address and other details to send me "marketing" information. They have a duty under the GDPR to get reasonable assurance that this was OK with me, for example maybe Hats.example did some paperwork that promised they're legitimate and they got sign-off for these email addresses. Regardless of whether they were given terms requiring them to do so by the Data Controller, the GDPR says they have to take care not to abuse the data, for example they can't sell it to anybody, since they obviously don't have permission to do that.
OutrightFraudAndScams.example are also a Data Processor, and maybe also a Data Controller. They know they didn't have permission to touch this data, but presumably they also routinely violate all sorts of other anti-fraud or anti-scam laws. Maybe the GDPR will help add to the fines and charges and put them out of business.
[Edited: minor typos / fixes]
Just so it's clear, you're positing that when WeSpamPeople breaks every existing contract they have, those on the other side of said contracts are now liable?
Of course it could happen, but I don't see the EU fining those on the other side of the contract as long as they moved to another DP and alerted their users when the breach of contract was discovered. Both actions should happen regardless of GDPR.