“Vendor” means a company that participates in the delivery of digital advertising within a Publisher’s website, app, or other digital content, to the extent that the company is not acting as a Publisher or CMP (e.g. Complianz), and that either accesses an end user’s device or processes personal data about end-users visiting the Publisher’s content and adheres to the Policies. A Vendor may be considered under the GDPR to be a Controller, a Processor, or both, depending on specific circumstances. A Vendor will also be considered a Third-Party.
Source: IAB Europe Transparency & Consent Framework Policies
These companies are mostly unknown for the public as they act as an intermediary between publishers and advertisers. For transparency, every vendor should be listed with their privacy policy, legal bases and purposes when they collect data.
