2. The rights and obligations of the Data Controller

The Data Controller shall be responsible to the outside world (including the data subject) for
ensuring that the processing of personal data takes place within the framework of the General
Data Protection Regulation and the Danish Data Protection Act.

The Data Controller shall therefore have both the right and obligation to make decisions about
the purposes and means of the processing of personal data.

The Data Controller shall be responsible for ensuring that the processing that the Data Processor
is instructed to perform is authorised in law.