1. Parties: Identification of the data controller and data processor, including full legal names and registered addresses
2. Background: Context of the agreement, relationship between parties, and purpose of the data processing arrangement
3. Definitions: Definitions of key terms used in the agreement, including terms from GDPR Article 4 and other relevant terminology
4. Scope and Purpose of Processing: Detailed description of the processing activities, categories of data, and purposes of processing
5. Duration of Processing: Term of the processing activities and conditions for termination
6. Obligations of the Processor: Processor's duties under GDPR Article 28, including processing only on documented instructions, confidentiality, security measures, and sub-processor requirements
7. Obligations of the Controller: Controller's responsibilities, including providing documented instructions and ensuring lawful basis for processing
8. Sub-processing: Conditions and requirements for engaging sub-processors, including authorization process and obligations
9. Technical and Organizational Measures: Security measures implemented to ensure appropriate level of data protection
10. Data Subject Rights: Procedures for handling data subject requests and processor's assistance obligations
11. Data Breach Notification: Procedures and timeframes for notifying controller of any personal data breaches
12. Audit Rights: Controller's rights to audit and processor's obligations to demonstrate compliance
13. Return or Deletion of Data: Obligations regarding personal data upon termination of services
14. Liability and Indemnification: Allocation of liability between parties and indemnification provisions
15. Governing Law and Jurisdiction: Specification of German law as governing law and jurisdiction for disputes
