Skip to content

Privacy policy

Personal data processing and protection policy

At MT Højgaard Holding, of which MT Højgaard is a part, we respect the privacy rights of our customers, employees and business partners and recognise the need to establish adequate security measures for the processing of personal data.

1 INTRODUCTION

1.1 The Executive Management of MT Højgaard Holding owns and approves this policy on behalf of MT Højgaard.

1.2 At MT Højgaard Holding, we respect the privacy rights of our customers, employees and business partners and recognise the need to establish adequate safeguards for the processing of personal data.

1.3 Personal data protection legislation regulates all matters relating to companies’ use of information about natural persons, including customers, employees and suppliers, and protects these persons against unauthorised storage and processing of their personal data.

1.4 This policy describes MT Højgaard Holding’s overall strategic objectives for MT Højgaard Holding’s processing and protection of personal data. The policy also contains guidelines for reporting to management regarding non-compliance with this policy. In this connection, violating the policy may have consequences under employment law.

1.5 The policy contains provisions on the Group’s risk profile and the desired risk and compliance level for the personal data area in MT Højgaard Holding.

2 PURPOSE AND SCOPE

2.1 It is MT Højgaard Holding’s objective to secure and protect personal data. MT Højgaard Holding will do this by, among other things:

(i) ensuring that all processing of personal data takes place in accordance with the principles of lawful processing of personal data,

(ii) complying with the guidelines and practices that are regularly published by relevant actors, including the Danish Data Protection Agency, and

(iii) ensure that employees receive relevant training in the processing of personal data.

2.2 The individual companies in MT Højgaard Holding process personal data about e.g. customers, website users, suppliers and employees in the Group. The purpose of this policy is to ensure that MT Højgaard Holding protects the security of personal data and complies with the legislation in force at any given time in order to protect all personal data held by the companies in MT Højgaard Holding.

3 DEFINITIONS

3.1 MT Højgaard Holding uses definitions of terms in the field of personal data found in the applicable legislation.

3.2 Personal data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.3 Sensitive personal data is defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

3.4 Data subjects refers to the natural persons to whom personal data processed by the individual companies of MT Højgaard Holding relates.

3.5 A data controller is a natural or legal person, public authority, institution or other body which alone or jointly with others determines the purposes for which and the means by which personal data may be processed. The individual companies in MT Højgaard Holding are data controllers in relation to the processing of personal data and determine the purposes for which and the means by which the personal data concerned may be processed. This will typically be the case with regard to e.g. processing of employee data as part of personnel administration in the individual companies. It is the data controller who is responsible for ensuring that the processing of personal data complies with the rules of the data protection legislation and thus, in the worst case, may be liable for fines.

3.6 A data processor is a natural or legal person, public authority, institution or other body that processes personal data on behalf of the controller.

3.7 A third country is a country that is not a member of the European Union (EU) or an EEA country. An insecure third country is a third country where the European Commission has not decided that the third country has an adequate level of protection.

3.8 When referring to “Personal Data Protection” in this policy, this means all technical as well as organisational security measures aimed at ensuring the confidentiality, availability and reliability of personal data.

4 PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

4.1 All companies and employees of MT Højgaard Holding must comply with the principles for processing personal data. This means, among other things, that personal data must be processed lawfully, fairly and in a transparent manner, and personal data may only be collected for explicitly stated and legitimate purposes.

4.2 Similarly, personal data shall only be processed if it is relevant and limited to what is necessary in relation to the purposes for which it is processed. Each group company shall have procedures in place which, in addition to helping to ensure that personal data is accurate and up to date, ensure that personal data is stored in such a way that it is not possible to identify data subjects for longer than is necessary for the purposes for which the personal data was collected and processed.

4.3 There shall also be procedures to ensure that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

5 BASIS FOR PROCESSING AND INCLUDING CONSENT

5.1 All processing of personal data by MT Højgaard Holding must be based on a lawful basis for processing. Therefore, it must always be decided which basis for processing applies to a processing operation.

5.2 Consent is one of the legal bases that can be used when MT Højgaard Holding processes personal data about natural persons.

5.3 When MT Højgaard Holding obtains consent to the processing of personal data, it is important to ensure that the consent is freely given, specific, informed and constitutes an unambiguous indication that the natural person consents to the processing of their personal data.

5.4 If an individual has given consent for companies in MT Højgaard Holding to process data about him or her, the data subject may withdraw his or her consent at any time. It is important to MT Højgaard Holding that it is always respected that a data subject chooses to withdraw their consent to processing.

5.5 If a data subject withdraws consent for an explicit purpose, this will mean that there can be no subsequent processing of personal data about the data subject for that purpose.

6 RIGHTS OF THE DATA SUBJECTS

6.1 It is important to MT Højgaard Holding that all data subjects are informed of their rights in relation to the processing of personal data.

6.2 It is also an important focus for MT Højgaard Holding to ensure compliance with the rights of all data subjects. All employees involved in the processing of personal data at MT Højgaard Holding must therefore be informed about the scope of the data subjects’ rights and how to handle requests from the data subjects. This is described in specific guidelines prepared by the individual companies.

6.3 All data subjects have the right to obtain access to the processing of their personal data if they so request. As a general rule, data subjects have the right to be informed about the purposes for which personal data is processed, what categories of personal data are processed about them, and who receives the personal data. However, there may be exceptions, which in specific situations mean that there may be restrictions to this right.

7 USE OF DATA PROCESSORS

7.1 The individual companies in the MTH GROUP use a number of subcontractors, and personal data may be transferred to our subcontractors as part of their provision of services to MT Højgaard Holding. If the subcontractors process personal data on behalf of companies in MT Højgaard Holding, this must always be done in accordance with MT Højgaard Holding’s instructions, as these suppliers thus act as data processors. When we allow subcontractors to process personal data as data processors, this is only done after a written data processing agreement has been entered into in accordance with applicable legislation and in accordance with the procedures established for this in MT Højgaard Holding. In this way, we ensure a high level of protection of personal data that matches the requirements of these guidelines.

7.2 When MT Højgaard Holding companies choose to enter into an agreement with a data processor, a prior investigation of the data processor is always carried out in accordance with the internal guidelines referred to in the document: “Guidelines on the use of data processors”. This examination must ensure that the data processor can provide the necessary guarantees that they can maintain appropriate technical and organisational measures in such a way that the processing carried out on behalf of companies in the MTH GROUP at least complies with the applicable legislation on the protection of personal data.

7.3 Prior examination of a new data processor involves a risk assessment that takes into account the risks posed by the processing, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.

8 TRANSFER TO THIRD COUNTRIES

8.1 Special rules apply if personal data is to be processed in an insecure third country. If MT Højgaard Holding companies use a data processor in an unsafe third country or need to transfer personal data to a recipient in an unsafe third country, it must therefore always be ensured that the necessary transfer basis exists before the transfer takes place.

8.2 It is important for MT Højgaard Holding to ensure that the recipient of the personal data provides the necessary guarantees as to how personal data for which MT Højgaard Holding companies are data controllers is processed when it is transferred to a recipient in an unsafe third country.

9 RISK ASSESSMENT AND SECURITY

9.1 Group management is responsible for ensuring that an overall risk assessment is carried out of the threat scenario in the personal data area for MT Højgaard Holding.

9.2 In the risk assessment, MT Højgaard Holding must assess the risks to the rights and freedoms of data subjects associated with the processing of personal data and assess the likelihood of the risk materialising and the severity of the risk. The risk is assessed on the basis of the nature, scope, context and purposes of the processing and evaluated on the basis of objective criteria, after which it is determined whether the processing of personal data involves a low risk or a high risk.

9.3 The risk assessment shall take into account the risks inherent in the processing of personal data, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, which could result in particular in physical, material or non-material damage.

9.4 The overall risk picture must result in an indication of specific measures that can be implemented in the companies in MT Højgaard Holding to ensure an adequate level of security for data protection. The specific measures may aim both to prevent the risk in question from materialising and to reduce the consequences of the risk materialising.

9.5 The overall risk assessment must be updated at least once a year and cover all significant areas of personal data protection, including in particular

  • System capabilities
  • Data governance
  • Critical processes for processing personal data
  • Policies and procedures
  • Governance of data processing agreements
  • Management of consent forms and contractual basis
  • Data classification model
  • Management of personal data breaches
  • Knowledge of the personal data area in the organisation

9.6 This risk assessment must serve as a basis for reassessing the efforts in the personal data area.

10 ADDITIONAL SPECIFIC GUIDELINES AND PROCEDURES

10.1 In addition to this policy, MT Højgaard Holding and/or the individual companies in MT Højgaard Holding have prepared specific guidelines and procedures for the processing of personal data, including the following:

(i) Instructions to employees

(ii) Deletion policy

(iii) Compliance with HR disclosure obligations

(iv) Inventory of personal data processing activities

(v) Procedures for handling access requests and compliance with other rights

(vi) Procedures for handling security breaches

(vii) Policy on the use of data processors etc.

(viii) Standard data processing agreement (template)

(ix) Technical security measures, including guidelines for employees’ handling of IT

10.2 In addition, further specific guidelines and/or policies will be developed as appropriate following assessment of local processing activities.

11 POLICY COMPLIANCE AND CONTACT PERSONS

11.1 This policy is intended to ensure that all companies in MT Højgaard Holding have established clear guidelines as stated in section 10.1 regarding the processing and protection of personal data, and that the purpose of the use of personal data is clearly defined in all processing situations.

11.2 To ensure anchoring and implementation of this policy, all companies in MT Højgaard Holding have appointed a unit responsible for ensuring compliance with the guidelines in the individual company:

(i) MT Højgaard HR

(ii) Enemærke & Petersen HR

(iii) Scandi Byg HR

(iv) Ajos HR

11.3 If questions arise about the content or compliance with the guidelines, the unit is obliged to contact Group Management.

11.4 In addition, non-compliance with specific guidelines and policies may result in sanctions against individual employees in accordance with the local guidelines established based on this policy.

12 REPORTING

12.1 Group management must be informed by the individual group companies if the guidelines in this policy are not complied with and if matters arise in relation to this policy that are of importance to the assessment of MT Højgaard Holding’s risk profile in the personal data area.

12.2 The Board of Directors is informed at the ordinary board meetings if the guidelines in this policy are not complied with and if matters arise in relation to this policy that affect the Board of Directors’ overall assessment of MT Højgaard Holding’s risk profile in the personal data area.

13 SUBMISSIONS

13.1 Group Management is authorised to review this policy when deemed relevant and at least once a year.