Purpose and application

At MT Højgaard Holding and its subsidiaries (hereinafter “the Group”), we strive to protect the
personal data we process as a group. When the group’s websites are used or customers and
partners otherwise contact or interact with the group, it processes personal data as the data
controller, based on the Personal Data Act and the GDPR, using definitions and concepts from this
legislation.

This privacy policy provides an overview of how the group collects, registers, discloses, or
otherwise processes personal data, the reasons for collecting information, and what we use it for.

The target audience for the groups Privacy policy includes employees of MT Højgaard Holding and
its subsidiaries.

Focus areas

The focus of the processing of personal data is primarily the administration of customer relationships, including the provision of agreed services and obligations.

Administration of customer relationships

The group processes information regarding customers when a customer relationship is established
or when there is any other contact with the group, such as via a contact form on the website, and
when we receive information about a person from a third party. For all processing of personal data,
it applies that they are processed to be able to handle and respond to the inquiry. All processing is
carried out in accordance with the guidelines and frameworks set by data protection legislation.

Fulfilment of contracts and invoicing

When a contract is agreed upon with customers, partners, or suppliers, the group creates a case.
Various personal data are registered here. We register, among other things, identification information, including name, job title, contact role, department, as well as contact information, including phone numbers, email addresses, and activity history.

The reason for processing the aforementioned information is our legitimate interest in being able to
fulfil the contract, including being able to engage in dialogue regarding deliveries and the products/services that have been agreed upon. Similarly, contact information is used for invoicing.

Statistics and reporting

Personal data provided to the group in relation to entering of contracts or other inquiries may be
used in combination with information concerning other customers, partners, suppliers, website
visitors, etc. The purpose of this is to create various forms of statistics and reports.

Personal data can also be used as part of optimizing the group’s current services or developing
new ones, for example, by compiling statistics on received inquiries or anonymizing received
inquiries to be able to use them later.

Personal data to and from third parties

The group does not generally disclose personal data to third parties without consent unless we are
obligated by law, or it is necessary to fulfill a contract.

In certain cases, personal data may be disclosed to our external lawyers or insurance companies for the resolution of a specific case. For example, this may occur if the group needs legal assistance in a case and the relevant personal data must be used by our lawyer.

If the group receives personal data from third parties, information may be registered in IT systems
or other places as a potential lead. The information is used as contact information when making an
offer or as part of optimizing our services.

The legal basis for processing this information is our legitimate interest in potential sales of our
products and/or services, as well as our interest in being able to contact the company from which
the personal data originates.

Deletion of personal data

Personal data can only be processed if there is an explicit and specific purpose for the processing.
When there is no longer a purpose or legal basis, the data must be deleted. Deletion is defined as the point in time when personal data is no longer accessible in any way. There will be different deletion deadlines depending on the type of personal data.

The group ensures procedures that guarantee the deletion of data when there is no longer a
purpose or legal basis for processing.

Right of access

All registered individuals have the right to access the processing of their personal data if
they request it. Generally, registered individuals have the right to be informed about the
purposes for which personal data are processed, the categories of personal data processed about them, and who receives the personal data. However, there may be
exceptions that, in specific situations, entail limitations to this right.

Right to complain

You have the right to file a complaint with a supervisory authority if you are dissatisfied with the way the group processes personal data. The supervisory authority can be The Danish Data Protection Agency or the Danish Business Authority, depending on the types of personal data involved. The Danish Data Protection Agency’s contact information is available on Data Protection Agency and information regarding the Danish Business
Authority can be found at Danish Business Authority.

Storage of Personal Data with Data Processors

Certain information is stored with the group’s data processors in connection with operational and IT
security tasks (e.g., backup, website hosting, etc.). The storage of information with our data processors is subject to the rules of the General Data Protection Regulation (GDPR) and the Danish Data Protection Act. Data processing agreements have been made with the data processors to ensure that personal data does not fall into unauthorized hands.

Reporting and monitoring

Group Legal Affairs is responsible for implementing measures related to the enforcement of the
personal data legal framework and monitors the policy’s implementation in individual companies,
as well as collects reports on data breaches.

Various initiatives have been established across the group to monitor and follow up on the handling
of personal data. If you have any clarifying questions regarding our handling of personal data, you
can contact the group at persondata@mth.dk.

The Privacy policy is approved by the executive management of MT Højgaard Holding and is revised once a year.