Contracts must set out:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the controller’s obligations and rights.
Contracts must also include specific terms or clauses regarding:
- processing only on the controller’s documented instructions;
- the duty of confidence;
- appropriate security measures;
- using sub-processors;
- data subjects’ rights;
- assisting the controller;
- end-of-contract provisions; and
- audits and inspections.