Alm. Brand Group’s IT environment must be secure and comply with applicable standards, including relevant areas from internationally recognized standards such as DORA, ISO 27001, ITIL, SOC 2, and similar, to be robust and able to withstand cyberattacks.

Alm. Brand Group focuses on handling personal data securely and properly in accordance with applicable legislation. We are transparent about the forms of personal information we collect, how we do it, the specific purposes, and the legal basis for processing. The information collected is used solely for the purposes for which it was collected. This is further detailed in the privacy policies for each legal entity under Alm. Brand Group. These privacy policies also provide information on the rights of data subjects, including the right to access their information, request deletion when customer data is no longer relevant, and more.

Additionally, we have business processes and workflows in place to handle data breaches promptly and in compliance with regulations. If there is a risk to the rights or freedoms of data subjects, we report the breach to the Danish Data Protection Agency (Datatilsynet) and inform the affected individuals, provided that the breach is assessed to pose a high risk.

Alm. Brand Group processes and shares customer information only with companies, authorities, or organizations when consent is given or when there is another legal basis. We do not sell customer information.

When processing is based on consent, we ensure that the consent meets the conditions for valid consent.

Access to customer data and personal information is strictly controlled through IT user rights management, ensuring that only employees with a legitimate work-related need can access such information.

Alm. Brand Group prioritises ensuring that all employees are knowledgeable about data protection regulations, including the General Data Protection Regulation (GDPR) and the Data Protection Act. To ensure all employees hold the required knowledge regarding the correct use of personal data, all Alm. Brand employees and contractors complete an e-learning course on GDPR. The training takes place on appointment and once annually thereafter.

Data protection is a significant focus for Alm. Brand Group, and as an extension of this, we have established a set of data ethics principles outlined in the board-approved Policy and Guidelines for Data Ethics.

In compliance with GDPR, Alm. Brand Group has appointed a Data Protection Officer. The Data Protection Officer is an integral part of our 2nd line of defense control functions and acts independently. The Data Protection Officer reports to the Board of Directors at least twice yearly on compliance with requirements and legislation related to data protection in addition to reports to the Executive Management.

As part of the annual operational audit plan approved by the board, we conduct audits of IT in general, including information security and cybersecurity activities. These risk-based audits target various areas. Third-party auditors review general IT controls in critical systems essential for Alm. Brand Group’s financial reporting annually, ensuring that IT systems provide valid data for consolidated financial statements and annual reports.

The above underlines Alm. Brand Group’s commitment to act responsibly in accordance with our values, also when handling data.