When an organization offers e.g. digital services to its customer, the contract between the organization and the customer must specify e.g. the goal of the service and the schedule related to its delivery.
The organization must ensure that personal data processed on behalf of the customer is processed only for the purposes stated in the customer's written instructions.
The customer must also be offered the opportunity to verify the organization's operation in relation to the instructions. This ensures that the organization and its subcontractors process personal data only for the purposes indicated by the customer.