The parties can negotiate their own contract or use standard contractual clauses adopted by the European Commission or a supervisory authority in accordance with the coherence mechanism. The Danish supervisory authority has adopted such a document. However, in this context, the standard contractual clauses must be distinguished from the standard contractual clauses of the European Commission, which are used for cross-border data transfers and which are of course the subject of a strong debate after Schrems II. “[Optional] The following EU/Member State legislation, applicable to the subcontractor, requires the storage of personal data after the end of processing services: ……………. The subcontractor undertakes to process the data exclusively for the purposes of this Act and under strictly applicable conditions. When a subcontractor uses another organization (i.e. a subcontractor) to help process personal data for a processing manager, it must have a written contract with that subcontractor. Note that DPA headminers also refers to the “rights and freedoms of the person concerned.” This is also in line with the EDPB`s recommendations. ☐ the subcontractor must delete all personal data (at the choice of the processing manager) at the end of the contract or return it to the processing manager, and the subcontractor must also delete existing personal data, unless the law requires its storage; and processing managers can only use subcontractors who can provide sufficient safeguards to take appropriate technical and organizational measures to ensure that their treatment complies with the requirements of the RGPD and protects the rights of those concerned.