If you pay a third party to do your marketing, you are both responsible for complying with GDPR and the Privacy & Electronic Communication Regulations.
If the ICO were to take enforcement action, they would usually take it against the ‘instigator’. If a specialist subcontractor deliberately ignored the rules, the ICO might also consider taking action against that subcontractor.
Whatever the situation, it is a legal requirement to have a written, GDPR-compliant agreement in place with suppliers that have access to your personal data. It needs to set out your contractor’s responsibilities and, if possible, guarantees of compliance.