(81) In order to ensure compliance with the requirements of this Regulation in the case of processing to be carried out by a processor on behalf of the controller, the controller should, when entrusting processing activities to a processor, use only processors that provide sufficient guarantees - in particular in terms of expertise, reliability and resources - of the implementation of technical and organizational measures that meet the requirements of this Regulation, including the security requirements of the processing. The processor's use of an approved code of conduct or an approved certification mechanism may serve as an element demonstrating compliance with the controller's obligations. Processing by a processor should be governed by a contract or other legal instrument that is subject to Union or Member State law, binds the processor to the controller, specifies the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, and which should take into account the specific tasks and obligations of the processor in the context of the intended processing and the risk of violation of the rights or freedoms of the data subject. The controller and the processor may decide to use an individual contract or standard contractual clauses that have been adopted directly by the Commission or that have been adopted by the supervisory authority in accordance with the consistency mechanism and subsequently adopted by the Commission. Upon termination of processing on behalf of the controller, the processor should, as decided by the controller, return or delete the personal data, unless Union law or the law of the Member State to which the processor is subject imposes an obligation to retain the personal data.
"We completed the implementation of the GDPR a couple of years ago."
Are you sure about that?

