Adding guidance related to vendor and GitLab controlled data

Why is this change being made?

We need guidance for controller-to-controller transfers where GitLab is the recipient of personal data from a vendor. An example of this would be GitLab's use of Meetup.com. When someone creates an account on Meetup.com, it becomes Meetup.com's data and they are the data controller. GitLab may view/use the data using Meetup.com, but it is still Meetup.com's data, not GitLab's. Therefore, a privacy and security review is not required.

Note: If GitLab hires a a vendor to collect data on our behalf, they would be considered a processor and a privacy and security review should be performed.

Author Checklist

• Provided a concise title for this Merge Request (MR)
• Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
  • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
• Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
  • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
  • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • The when to get approval handbook section explains the workflow in more detail
• If the changes affect team members, or warrant an announcement in another way, please consider posting an update in #whats-happening-at-gitlab linking to this MR
  • If this is a change that directly impacts the majority of global team members, it should be a candidate for #company-fyi. Please work with internal communications and check the handbook for examples.

---