Under Article 28(3)(e) the contract must provide for the processor to take “appropriate technical and organisational measures” to help the controller respond to requests from individuals to exercise their rights.
This provision stems from Chapter III of the GDPR, which describes how the controller must enable data subjects to exercise various rights and respond to requests to do so, such as subject access requests, requests for the rectification or erasure of personal data, and objections to processing.
