For the purposes of Article 28 of the Regulations, a contract between a Data Controller and a Data Processor must set out, at a minimum:

(A) the subject matter and duration of the Processing;
(B) the nature and purpose of the Processing;
(C) the type of Personal Data and categories of Data Subjects; and
(D) the obligations and rights of the Data Controller.

The contract must also set out that the Data Processor:

(E) must not Process the Personal Data, or transfer it outside the QFC, unless instructed in writing by the Data Controller, or required by law to do so;
(F) must ensure that persons authorised to Process the data have undertaken to maintain its confidentiality or are under an appropriate statutory obligation of confidentiality;
(G) must take all the measures required by Article 29 of the Regulations;
(H) must comply with the conditions referred to in Article 28(2) and (6) of the Regulations for engaging another Data Processor;
(I) taking into account the nature of the Processing, must assist the Data Controller to fulfil the Data Controller’s obligation to respond to requests by Data Subjects to exercise their rights, by implementing appropriate technical and organisational measures;
(J) must assist the Data Controller to comply with the Data Controller’s obligations under Articles 27, 29 and 31 of the Regulations, taking into account the nature of the Processing and the information available to the Data Processor;
(K) after completing the services relating to Processing, must delete all the Personal Data or return it to the Data Controller (at the Data Controller’s choice), and must delete any copy unless an applicable law requires it to be retained;
(L) must make available to the Data Controller all information necessary to show that the Data Processor has complied with the obligations laid down in the Regulations; and
(M) must allow for, and assist with, audits and inspections by the Data Controller or an auditor appointed by the Data Controller.