Third-Party Service Provider

Definition

External vendors that perform functions or provide services on behalf of an organization, potentially involving access to or processing of personal data. Common examples include cloud hosting providers, payment processors, email service providers, CRM platforms, analytics tools, marketing automation services, and IT support vendors.

Third-party service providers can function as either processors (processing data solely on behalf of the organization) or third parties (using data for their own purposes), with significant compliance implications. The line between processor and third party can blur: some vendors both process data as a service and use aggregated insights for their own purposes, requiring careful contractual drafting.

Organizations should: carefully classify each vendor relationship, execute appropriate agreements (data processing agreements for processors, contracts with use restrictions for third parties), conduct due diligence on vendors' security and compliance capabilities, implement least-privilege access controls, maintain vendor inventories, monitor vendor compliance, establish breach notification requirements, and plan for vendor transitions.

Applicable Laws & Regulations

  1. GDPR Article 28
  2. CCPA Section 1798.140(ag)
  3. Various Privacy Laws
