Alm. Brand Group’s IT environment must be secure and comply with applicable standards, including relevant areas from internationally recognized standards such as DORA, ISO 27001, ITIL, SOC 2, and similar, to be robust and able to withstand cyberattacks.
Alm. Brand Group focuses on handling personal data securely and properly in accordance with applicable legislation. We are transparent about the forms of personal information we collect, how we do it, the specific purposes, and the legal basis for processing. The information collected is used solely for the purposes for which it was collected. This is further detailed in the privacy policies for each legal entity under Alm. Brand Group. These privacy policies also provide information on the rights of data subjects, including the right to access their information, request deletion when customer data is no longer relevant, and more.
Additionally, we have business processes and workflows in place to handle data breaches promptly and in compliance with regulations. If there is a risk to the rights or freedoms of data subjects, we report the breach to the Danish Data Protection Agency (Datatilsynet) and inform the affected individuals, provided the breach is assessed to pose a high risk.
Alm. Brand Group processes and shares customer information only with companies, authorities, or organisations when consent is given or when there is another legal basis. We do not sell customer information.
When processing is based on consent, we ensure that the consent meets the conditions for valid consent.
Access to customer data and personal information is strictly controlled through IT user rights management, ensuring that only employees with a legitimate work-related need can access such information.
Alm. Brand Group prioritises ensuring that all employees are knowledgeable about data protection regulations, including the General Data Protection Regulation (GDPR) and the Data Protection Act. To ensure all employees hold the required knowledge regarding the correct use of personal data, all Alm. Brand employees and contractors complete an e-learning course on GDPR. The training takes place on appointment and once annually thereafter.
Data protection is a significant focus for Alm. Brand Group, and as an extension of this, we have established a set of data ethics principles outlined in the board-approved Policy and Guidelines for Data Ethics.
In compliance with GDPR, Alm. Brand Group has appointed a Data Protection Officer. The Data Protection Officer is an integral part of our 2nd line of defence control functions and acts independently. The Data Protection Officer reports to the Board of Directors at least twice yearly on compliance with requirements and legislation related to data protection in addition to reports to the Executive Management.
The above underlines Alm. Brand Group’s commitment to act responsibly in accordance with our values, also when handling data, and to regular supervision.
Audits of business ethics and anti-corruption
As part of the Board-approved, risk-based internal audit plan, the internal audit function conducts independent audits of business ethics and anti-corruption every three years, covering all operations and brands. The audit is conducted at Group level and assesses both:
- the governance framework, including policies, controls and oversight structures, and
- the practical implementation of ethical standards across the organisation.
Audit results, including identified deficiencies, are reported to executive management and the Audit Committee, and are subject to formal follow‑up through corrective action plans.
The most recent audit was conducted in 2024.
Audits of information security systems
The company’s use of IT and data systems is subject to annual independent external audit. The external audit assesses general IT controls, which are deemed significant in relation to the group’s ability to present annual accounts in accordance with the legislation. As such, the external audit covers several core IT systems across the organisation feeding into the ERP system, which forms the basis of the annual accounts.
The audit of general IT controls includes review of selected areas within the following:
- IT usage, including the IT organisation, IT security policy, and IT contingency plan
- Access to systems and data
- Development, maintenance, and implementation of new IT systems
- Operation, monitoring, and backup of IT systems and data
The audit of IT system usage is structured in such a way that it can serve as a basis for assessing whether the overall system, data, and operational security function reliably.
In addition, as part of the Board-approved internal audit plan, the internal audit function conducts IT audits using a risk-based approach at Group level. As such, the audits target various areas, including information security and cybersecurity activities across all operations.
Audit results, including identified deficiencies, are reported to executive management and the Audit Committee, and are subject to formal follow‑up through corrective action plans.
| Audits of information security systems | Unit | 2025 | 2024 |
| --- | --- | --- | --- |
| External audits by EY | Number | 1 | 1 |
| Internal audits by Group Audit | Number | 3 | 5 |