We see there are some security and privacy consumer products in the market like Dark Web Monitoring, Credit Monitoring products, Social Media Monitoring products, Identity Theft Preventing Systems etc.

Oftentimes, for all these products and services- security product offering companies outsourcing with few other third party threat intelligence companies like 4IQ, TRAPX etc. 

I have noticed Company X shares PII /PCT-DSS data of their customers with their TP partners and outsourced companies, of course with customer consent to provide the service.

Does it fall under any other GDPR (let's say this is a global product offering)? What precautions should be taken from the product offering company point of view? 

For instance if company X shares all the profile pictures of it's customers with a TP Threat intelligence company to identify impersonators or fake accounts, does it pose any threat to Company X from privacy and data protection compliance or legal obligation point of view?

your suggestions and thoughts much appreciated.

Thanks