Well, if you're in the EU then GDPR [1] will be enforceable from 25 May 2018, so it is my noob understanding that the vendor you're dealing with will, sooner or later, be the subject of regular periodic data protection audits and will be forced to have a Data Protection Officer. Not sure if necessary, but you may contact ENISA [2] to be advised on how to proceed.