Now some maybe even most of those are necessary (eg relevant customer service providers, couriers, relevant IT service companies, plus the fraud, credit, banking aspects), but let's pick some others that nobody has expressly consented to: Business consultancy service companies, data brokers,advertising partners including social media partners. Have a look under the section How we collect your information, and particularly consider the section From your use of our services. You did agree to them sharing all your browsing data, your call data, your device data and your programme history, with in essence anybody that wants it?
Put your hand up if you provided the clear, unambiguous consent that is required? Ermmm...anybody? C'mon may one of VM's 5 million odd customers was actually asked and then said "yes, I'd really like you to play fast and loose with everything you can possibly collect about me and my data and sell it all off to scumbag data brokers, scumbag social media companies, ad firms, and anybody who can claim to be a consultancy service company"? Oh, so that's no one.
On so many levels this appears to be a wanton breach of GDPR. To become complaint VM need to contact every single customer, seeking express permission, with an opt out for any category of third party who is not strictly and legally necessary to provide the service, or for compliance with law or regulation. When can I expect to be contacted?