Policy on the processing and protection of personal data in MTH GROUP
1.1 The Group management of MTH GROUP owns and has approved this policy.
1.2 At MTH GROUP, we respect the right to privacy of our customers, employees and business partners and acknowledge the need for adequate security measures for the processing of personal data to be put in place.
1.3 The laws on the protection of personal data govern all aspects related to companies’ use of data of natural persons, including customers, employees and suppliers, and protect such persons against unauthorised storage and processing of their personal data.
1.4 This policy describes MTH GROUP’s general strategic goals for the Group’s processing and protection of personal data. The policy also includes guidelines for reporting non-compliance with the policy to management. Infringement of the policy may have consequences under employment law.
1.5 The policy includes provisions on the Group’s risk profile and the desired risk and compliance levels for the personal data area in MTH GROUP.
2 PURPOSE AND SCOPE
2.1 It is MTH GROUP’s aim to secure and protect personal data. We will do that by, for example:
(i) ensuring that all processing of personal data complies with the principles on lawful processing of personal data,
(ii) observing the guidelines and practice that are regularly published by relevant players, including the Danish Data Protection Agency, and
(iii) ensuring that employees receive relevant training in the processing of personal data.
2.2 The individual companies in MTH GROUP process personal data of individuals including customers, website users, suppliers and the Group’s employees. The purpose of this policy is to ensure that MTH GROUP safeguards the security of personal data and respects the applicable laws at all times in order to protect all personal data in the possession of the Group’s companies.
3.1 MTH GROUP uses definitions of terms in the personal data area that are set out in the applicable laws.
3.2 ‘Personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier or one or more factors (which, viewed in context, are) specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
3.3 ‘Sensitive personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
3.4 ‘Data subject’ means the individual to whom personal data processed by the individual companies in MTH GROUP relates.
3.5 ‘Controller’ means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. The individual companies in MTH GROUP are deemed to be controllers in relation to the processing of personal data and determine the purposes and means of the processing of personal data. This will typically be the case with respect to tasks such as the individual companies’ processing of employee data in an HR context. The controller is responsible for ensuring that the processing of personal data complies with the provisions in the data protection legislation and consequently, at worst, is liable to a fine.
3.6 ‘Processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
3.7 A third country is a country that is not a member of the European Union (EU) or an EEC country. An ‘insecure third country’ means a third country where the EU Commission has not formally declared that the country in question offers adequate data protection.
3.8 ‘Personal data protection’ means all technical and organisational security measures designed to ensure the confidentiality, accessibility and quality of personal data.
4 PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
4.1 All MTH GROUP companies and employees must adhere to the principles for processing personal data. This means, among other things, that personal data must be processed lawfully and in a fair and transparent manner and may only be collected for specified, explicit and legitimate purposes.
4.2 Likewise, personal data may only be processed if relevant and limited to what is necessary having regard to the purposes for which the data is processed. Each company in the Group must have procedures in place that – besides contributing to ensuring that personal data is correct and updated – ensure that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which the data is collected and processed.
4.3 Procedures must also have been implemented that ensure that personal data is processed in a manner that adequately safeguards the data, including against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5 BASIS FOR PROCESSING, INCLUDING CONSENT
5.1 MTH GROUP must have a lawful basis in order to process personal data. It consequently applies to all processing that the applicable basis for processing must be determined before processing begins.
5.2 Consent is one of the bases for processing that MTH GROUP can apply when processing personal data of natural persons.
5.3 When obtaining consent for the processing of personal data, it is important for MTH GROUP to ensure that the consent is a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject signifies his/her agreement to personal data relating to him/her being processed.
5.4 Individuals who have consented to companies in MTH GROUP processing their personal data are entitled to withdraw such consent at any time. It is important for MTH GROUP to always respect any such withdrawal of consent for processing.
5.5 If a data subject withdraws their consent for processing for an express purpose, their personal data must no longer be processed for that purpose.
6 THE RIGHTS OF DATA SUBJECTS
6.1 It is important for MTH GROUP to inform all data subjects of their rights in relation to the processing of personal data.
6.2 Another important focus for MTH GROUP is to ensure that the rights of all data subjects are respected. All employees working with processing of personal data in MTH GROUP must consequently be informed about the scope of data subjects’ rights and how to handle requests from data subjects. This must be described in specific guidelines to be prepared by each company.
6.3 All data subjects are entitled to request access to the processing of their personal data. Data subjects in principle have the right to be informed about the purpose for which their personal data is processed, the categories of data processed and the recipients of such data. However, there may be exceptions which, in special instances, may mean that this right will be restricted.
7 USE OF PROCESSORS
7.1 The individual companies in MTH GROUP use a number of subsuppliers, and personal data is occasionally transferred to our subsuppliers as part of their rendering of services to MTH GROUP. If such subsuppliers process personal data on behalf of companies in the MTH GROUP, this must always be carried out in accordance with MTH GROUP’s instructions, as the suppliers are thus acting as processors. Subsuppliers must not process personal data as processors unless a written processor agreement has been entered into in accordance with applicable laws and the relevant MTH GROUP procedures. In this way we ensure a high level of protection of personal data that matches the requirements in these guidelines.
7.2 When companies in MTH GROUP elect to enter into agreements with processors, the processor is always subject to a prior check in accordance with the internal guidelines set out in the document: "Guidelines on the use of processors". This check is to ensure that the processor is able to provide the necessary guarantees that they are able to maintain appropriate technical and organisational measures in such a way that the processing carried out on behalf of companies in MTH GROUP as a minimum complies with applicable laws on the protection of personal data.
7.3 A prior check of a new processor means that a risk assessment is performed that takes account of the risks that the processing constitutes, particularly in the event of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.
8 TRANSFER TO THIRD COUNTRIES
8.1 Special regulations apply to the processing of personal data in insecure third countries. If companies in MTH GROUP make use of processors in insecure third countries, or need to transfer personal data to a recipient in an insecure third country, they must always make sure that the necessary transfer basis is available prior to the transfer taking place.
8.2 When transferring personal data to a recipient in an insecure third country, it is important for MTH GROUP to ensure that the recipient provides appropriate guarantees as to how personal data in relation to which companies in MTH GROUP are controllers will be processed.
9 RISK ASSESSMENT AND SECURITY
9.1 Group management is responsible for the performance of a general risk assessment of the threat landscape in the personal data area for MTH GROUP.
9.2 In connection with this risk assessment, MTH GROUP must consider, in relation to the rights – including freedoms – of data subjects, what risks are associated with the processing of personal data, and must assess the probability of those risks materialising and their severity. Risk must be assessed on the basis of the nature, scope, context and purpose of the processing and must be evaluated applying objective criteria, before establishing whether the processing of personal data involves a low or a high risk.
9.3 In connection with the assessment of risk, account must be taken of the risks involved in the processing of personal data, such as accidental or unlawful destruction, loss, alteration or unauthorised disclosure of – or access to – personal data transferred, stored or otherwise processed, and which, in particular, may lead to physical damage, damage to property or non-pecuniary losses.
9.4 The general risk profile must result in specific measures being identified that can be implemented in the MTH GROUP’s companies to ensure an adequate security level in relation to data protection. The purpose of specific measures could be to avoid the risk in question materialising and reduce the consequences in the event of the risk materialising.
9.5 The general risk assessment must be updated at least annually and comprise all material areas of personal data protection, including especially:
- System capabilities
- Data governance
- Critical processes for the processing of personal data
- Policies and procedures
- Management of processor agreements
- Management of declarations of consent and contract basis
- Data classification model
- Management of personal data security breaches
- Knowledge of the personal data area in the organisation
9.6 This risk assessment must form the basis of a review of efforts in the personal data area.
10 FURTHER SPECIFIC GUIDELINES AND PROCEDURES
10.1 Besides this policy, MTH GROUP and/or individual companies in the Group have prepared specific guidelines and procedures for the processing of personal data, including the following:
(i) Instructions to employees
(ii) Erasure policy
(iii) Observation of disclosure obligations in the HR area
(iv) Record of personal data processing activities
(v) Procedures for the processing of access requests and observation of other rights
(vi) Procedures for handling security breaches
(vii) Policy on the use of processors etc.
(viii) Standard processor agreement (template)
(ix) Technical security measures, including guidelines for employees’ IT use
10.2 In addition, depending on the circumstances, further specific guidelines and/or policies will be prepared following assessment of local processing activities.
11 POLICY COMPLIANCE AND CONTACT POINTS
11.1 This policy is intended to ensure that all companies in MTH GROUP establish clear guidelines as stated in para 10.1 relating to the processing and protection of personal data. Furthermore, the purpose for which personal data is used must be clearly defined in all processing situations.
11.2 To ensure that this policy is embedded and implemented, each company in MTH GROUP has nominated a unit that is responsible for ensuring that the guidelines are adhered to by the individual company:
(i) MT Højgaard HR
(ii) Lindpro HR
(iii) Enemærke & Petersen HR
(iv) Scandi Byg HR
(v) Ajos HR
11.3 In the event of any questions relating to the content of or compliance with the guidelines, the unit is under obligation to contact Group management.
11.4 In addition, non-compliance with specific guidelines and policies may lead to sanctions being imposed on specific employees in accordance with local guidelines defined on the basis of this policy.
12.1 The individual companies in the Group must brief Group management in the event of the guidelines in this policy not being respected or situations relating to this policy arising that are of relevance to the assessment of MTH GROUP’s risk profile in the personal data area.
12.2 The Board of Directors must be briefed at the ordinary Board meetings in the event of the guidelines in this policy not being complied with or situations relating to this policy arising that are of relevance to the Board’s overall assessment of MTH GROUP’s risk profile in the personal data area.
13.1 Group management is authorised to review this policy as appropriate and at least annually.