1. Parties: Identification of the Controller (Verantwortlicher) and Processor (Auftragsverarbeiter) with full legal details
2. Background: Context of the processing relationship and reference to the main service agreement
3. Definitions: Key terms used in the agreement, including those from GDPR Article 4 and additional contract-specific terms
4. Subject Matter and Duration: Scope, purpose, and duration of the processing activities
5. Nature and Purpose of Processing: Detailed description of processing operations and legitimate purposes
6. Types of Personal Data and Categories of Data Subjects: Specification of personal data types and affected data subject groups
7. Obligations and Rights of the Controller: Controller's responsibilities, including instructions, monitoring rights, and audit powers
8. Processor's General Obligations: Core obligations under GDPR Article 28, including processing only on documented instructions
9. Technical and Organizational Measures: Security measures implemented to ensure appropriate data protection
10. Sub-processing: Conditions and procedures for engaging sub-processors
11. Data Subject Rights: Processor's assistance in responding to data subject requests
12. Personal Data Breach: Notification obligations and breach handling procedures
13. Audit Rights and Cooperation: Controller's audit rights and processor's cooperation obligations
14. Data Return and Deletion: Obligations regarding data handling upon agreement termination
15. Liability and Indemnification: Allocation of liability and indemnification obligations
16. Term and Termination: Duration of the agreement and termination provisions
17. Governing Law and Jurisdiction: Specification of Austrian law and competent courts
