Imagine you set up a seperate GDPR compliant site to keep the regulators happy, then behind the scenes transferred the customer info to the standard site and just continued to do all the stuff the GDPR tells you not to.

Thats what they are alleging here, and why the supposedly seperate company is just a trick.