Article 29 - Processing under the authority of the controller or processor

Article 29 of the GDPR states that any personal-data processing carried out by a processor or by a controller on behalf of another controller must be governed by a written contract or other legal act that sets out the subject-matter, duration, nature and purpose of the processing, the type of personal data, and the obligations and rights of each party. The agreement must require the processor to act only on the controller's documented instructions and to implement appropriate security measures.