Data Ethics Policy

1. Introduction

1.1 This policy describes our data ethics and the principles that Nic. Christiansen Group uses to process data ethically, responsibly and transparently.

1.2 Our data ethics policy aims to clarify how the group works with data ethics and data use, and to establish a framework for data ethical conduct. The policy must support and supplement the group’s CSR and privacy policy.

2. Background

2.1 On 1 January 2021, new legislation came into force for large and listed companies in Denmark with a duty to report on data ethics. The aim of the legislation is to create transparency in the way companies work with data and to encourage companies to take responsibility for how they process personal data and data.

2.2 The Nic. Christiansen Group’s activities primarily focus on the import, distribution, sale and servicing of cars, and the leasing and financing of these. Data collected through the use of vehicles, including connectivity, is not processed by the Nic. Christiansen Group.

3. Use

3.1 Nic. Christiansen Group increasingly processes data in line with the digitisation and transformation of the auto industry. The group’s policy for data ethics is therefore not limited to the processing of personal data, but generally applies to all types of data that are processed. This policy applies to all Nic. Christiansen Group’s companies and obligates all employees.

4. Principles of data ethical processing

4.1 The Nic. Christiansen Group is committed to being aware of its social responsibility and works diligently to mature and drive the automobile industry in a responsible direction. The Nic. Christiansen Group recognises that data ethics develops in parallel with values in wider society, which is why the principles must be assessed and revised on an ongoing basis to avoid conduct that is not in accordance with data ethical principles.

4.2 The guiding principles for data ethics, as described below, set the ethical standard for the use of data in the Nic. Christiansen Group and are based on the Charter Of Fundamental Rights Of The European Union.

4.2.1 Self-determination

People’s self-determination must be a priority in all data processes. Nic. Christiansen Gruppen’s work with the ethically correct processing of data will always be based on individuals having control when data is transferred to us and that transparency can be achieved in the individual data processes. Transparency and self-determination must be design requirements in all new data processes.

Data processes must be designed for transparency and with the possibility of accessing data – “transparency and data access must be design requirements in our solutions”.

4.3 Privacy

The processing of data is executed with respect for the customer’s privacy and under the protection of personal data. Nic. Christiansen Group processes personal data in accordance with our privacy policy and only processes data that is necessary to fulfil the purpose of the processing.

Data must be processed in ways that are consistent with the originating party’s intentions, expectations and understanding. For example, personal data may not be processed for new purposes that are incompatible with the purposes for which the personal data was originally collected.

Data processes must respect the customer’s privacy and comply with personal data legislation - “what we say is also what we do”.

4.3.1 Human dignity

Nic. Christiansen Group will always ensure the dignity of the individual. We do not use data brokers and do not sell personal data to third parties. We do not use sensitive personal data ("data concerning racial, ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a natural person’s sex life or sexual orientation") in connection with marketing.

Data processes must ensure the dignity of the individual - “we do not use data brokers and do not sell personal data”.

4.3.2 Responsibility

Being responsible is to show due diligence when using new technology to ensure integrity in everything that we do. Everyone at the Nic. Christiansen Group will contribute to the responsible and ethical processing of data. This means we work with risk assessments that not only address personal data legal requirements, but also include an assessment of ethical responsibility.

Data processes must be risk assessed and assessed in relation to ethical responsibility - “we comply with legal requirements for personal data, including the data ethics policy”.

4.3.3 Safety

A “best practice” level of security must be implemented in and around the technologies used for the processing of data. Security measures must include both technical and organisational measures, and the necessary level of security must be determined on the basis of a risk assessment of the specific processing activity and the technology used for the processing of data with the individual in focus.

Nic. Christiansen Group does not use artificial intelligence, as artificial intelligence is not an integral part of our business strategy or business activities.

Data processes must have a sufficient level of security that we can document them and that at all stages they comply with the individual in focus - “we use ‘best practice’ to protect data, and our data processor does not contain artificial intelligence”.

4.3.4 Equality and necessity

Nic. Christiansen Group only uses data that is necessary, factual and legitimate in relation to the individual, and is in the individual’s interest, without exposing the individual to discrimination or stigmatisation.

Nic. Christiansen Group uses profiling and automated decisions that could have significant consequences for the individual, based on well-defined values that have been cleared of stereotypes, sensitive personal data and 'bias'.

Data processes must be designed to support equality and necessity - “we do not discriminate against individuals using data, and we only use data when necessary and in the individual’s interest”.

5 Responsibilities and follow-up

5.1 The Board of Directors is responsible for the preparation and updating of this policy. The Board of Directors regularly and at least once a year, assesses whether the policy should be updated.

5.2 The day-to-day work with data ethics takes place in the group’s relevant business areas. The reporting of the group’s work with data ethics is carried out by the Head of Process, Privacy & Risk, who reports significant risks to the group’s executive board.

Revised 18 February 2022