Under Article 28(3)(a) the contract must say that the processor may only process personal data in line with the controller’s documented instructions (including when making an international transfer of personal data) unless it is required to do otherwise by EU or member state law.
The contract may include details of the instructions specified in Article 28(3), or those instructions may be provided separately.
An instruction can be documented by using any written form, including email. The instruction must be capable of being saved, so that there is a record of the instruction.
This contract term should make it clear that it is the controller, rather than the processor, that has overall control of what happens to the personal data.
If a processor acts outside of the controller’s instructions in such a way that it decides the purpose and means of processing, including to comply with a statutory obligation, then it will be considered to be a controller in respect of that processing and will have the same liability as a controller.