The controller and processor may choose to use an individual contract or standard contractual clauses that are adopted either directly by the EU Commission or by a data protection supervisory authority in accordance with the consistency mechanism and then adopted by the EU Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under EU or member state law to which the processor is subject. Processors also have obligations in relation to processing personal data and security. In terms of security, the processor (as controller) should consult technical standards-setting organizations, which sometimes have guidelines and standards in terms of technical security. It is also important that the organization undertakes ongoing assessments and checks regarding the operation of the data processing undertaken by the processor.