Data ethics policy

Introduction

This policy applies to CRH Denmark A/S (CRH).

The data ethics policy describes CRH’s approach to good data ethics and the principles governing how CRH processes data in an ethical and responsible manner.

The policy was published on 22 June 2026 on CRH Denmark’s website, where it will remain accessible for as long as it is in force.

Purpose

The purpose of the policy is to describe CRH’s view on data ethics and to ensure transparency regarding how CRH approaches the data that the company stores and processes — including personal data.

Principles for CRH’s data ethics

Fundamental principles

CRH complies with the rules on data protection. These rules form the basis of CRH’s work on data ethics.

It is a core value of CRH to safeguard and protect the data that comes into our possession, whether this is personal data from employees, customers, suppliers and applicants, or other forms of data.

CRH seeks to limit the amount of data as much as possible, so that it only encompasses data that is necessary for developing and operating the business and fulfilling our obligations to the outside world.

CRH has likewise established systems and procedures that restrict access to this data, so that only those employees who have a need to access it are actually able to do so.

CRH wishes to communicate openly about how the company handles and processes personal data. CRH’s privacy policy for customers and suppliers, as well as the privacy policy for job applicants, are available on CRH’s website, whilst the privacy policy applicable to the company’s employees can be accessed on CRH’s intranet.

CRH’s employees can at any time safely report to management if they experience behaviour that may be in breach of the data ethics framework and internal procedures. In serious cases, CRH’s Hotline may be used if full anonymity is desired.

Storage of data

CRH safeguards the security of the data in its possession. CRH has therefore implemented a number of organisational, technical and physical measures to protect data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

CRH is connected to the parent company’s IT systems, but organisational, technical and physical measures and procedures ensure that the parent company does not have unrestricted access to the data for which the company is responsible.

Disclosure of data

CRH does not sell data of any kind. This applies to personal data, data relating to customers and suppliers, and other types of data.

CRH discloses data to the authorities when CRH is legally obliged to do so, or where it is a prerequisite for the fulfilment of the company’s obligations in general.

CRH’s privacy policy contains examples of the authorities to which CRH discloses personal data.

Data processors

CRH has entered into data processing agreements with all data processors that CRH makes use of.

New technology

CRH continuously introduces new technologies and IT systems with a view to improving the efficiency of current production and administrative processes and to protecting data.

When technologies and IT systems are introduced, this is done in accordance with a fixed procedure to ensure that data remains secure.

Training and development

All salaried employees complete an online course in the processing of personal data upon commencing employment.

All salaried employees likewise regularly undertake training and development in data handling, the requirements the company places on them in this regard, and the expectations otherwise held of them. Training takes place as online sessions, and for selected employee groups as face-to-face training.

All employees with access to a work computer must continuously complete short online courses in data security.

Responsibility and follow-up

The management board is responsible for the preparation and updating of this policy. The management board continuously assesses, and at least once a year, whether the policy needs to be updated.

Updated: June 2026