That's not how the GDPR works. Cariad may be a subcontractor (data processor in GDPR speak) for VW, but the driver does not have a contract with Cariad -- their contract is with VW (the data controller in GDPR speak). The data controller is always jointly liable with the processor for 3rd-party data breaches.