The appointment of external controllers is an obligation: there is no doubt and there are no exceptions. The controller, that is to say, the natural or legal person, authority, agency or other body that processes personal data on behalf of the controller, can and can only do so on the basis of a `contract or [d]a) other legal act under Union or Member State law`; which binds it to the controller and which, on the basis of the controller on behalf of the latter. But in reality, it is often and willingly the opposite that happens: it is not the holder, but the controller who unrolls the text of the DPA by imposing its use on the controller and, regardless of who creates the DPA, the default texts are preferred. Standardization even covers the pre-contractual phase, the verification by the person in charge of the possession of sufficient guarantees to take the appropriate technical and organizational measures to protect the rights of the persons concerned and replaced by a checklist that the manager must complete as a kind of self-declaration or self-certification, necessarily giving a virtuous image (under penalty of losing a contract). The problem may arise, for example.B. when the controller draws up the contract, which may not respond to all the requests of the data controller and is based only on what has already been done: if such a standard is proposed, the controller may comply with the measures identified by the controller and not the other way around. The paradox deserves careful consideration. In the best case, a standard established by a holder shall also indicate all the measures that the holder deems necessary to protect the personal data processed by the controller: it is easy to understand that the controller who wishes to accept the Office must adapt and accept the requests made by the holder, including with regard to security measures. A standard established by a controller will in no way meet the requirements and needs of the controller: it will generally contain the measures already taken by the controller and which will not necessarily be adapted to the processing of personal data that the controller entrusts to the controller. However, if he wants to appeal to the controller, it is likely that he will have to adapt in this case and accept the measures that the controller (and not the holder) has deemed sufficient. . . .