A subcontractor is a sub-supplier that your primary vendor engages to deliver part of the contracted service. In information security and data protection this is relevant because subcontractors may gain access to data or systems. The GDPR refers to “sub-processors” and requires the controller to be informed about their engagement. In your ISMS you document subcontractors in the supplier register and ensure contractual security requirements flow down to them. Regular reviews minimise supply-chain risk.