Vendor vs Subprocessor vs Third-Party Supplier
These three terms are often used interchangeably, but, are so very different. Highlighting the differences is necessary, especially for customers tailoring their processing agreements or preparing for GDPR.
Overall, in the context of business, vendors, third-party suppliers and sub processors are all entities that provide goods and services to another company. Now, let’s dive into some key differences among them.
In general, vendors are typically a third-party company or organization and are often associated with technology or software. But they can provide a wide range of products or services, including office supplies, furniture, raw materials and consulting services.
Vendors are often used to procure goods or services that are necessary for the operation of the company, but are not directly involved in the production or delivery of the company’s products or services.
For example, a vendor may provide cloud hosting services, software tools, or consulting services to an organization (or data controller for GDPR context). While the vendor may have access to personal data in order to provide these services, it does not process the data on behalf of the company that uses them.
A third-party supplier is a company or individual and is typically involved in the production or delivery of the purchasing company’s products or services.
Suppliers are often associated with manufacturing or production, but they can provide a wide range of products or services, including raw materials, equipment, components, or sub-assemblies that are used in the production of the final product, or they may provide services such as logistics, warehousing, or transportation.
A subprocessor is a third-party company or organization that processes personal data on behalf of an organization (or data controller for GDPR context), and is typically engaged by a vendor. For example, if a company (data controller) uses a cloud hosting vendor to store personal data, the vendor may engage a subprocessor to provide backup or database management services. The subprocessor would then process the personal data on behalf of the vendor, and by extension, on behalf of the organization/data controller.
- Vendors are organizations that provides services or products. Vendors are involved in the operation of an organization as opposed to the production and delivery aspects. Vendors may store, transmit data, but, do not process data on behalf of the organization
- Third-party suppliers are companies or individuals that are directly involved with the production or delivery of product/services.
- Subprocessors specifically, processes personal data on behalf of the organization.
Join the conversation