Data security and privacy

At Nykredit we take information security and our customers' privacy seriously. We strive to have the highest information security possible and place great emphasis on protecting our customers' data.

Cyberrisici og it-sikkerhed

We have strong monitoring and control measures in place to protect our operations from cyber criminals. Our systems are constantly monitored and secured the highest level of protection. Nykredit's staff regularly complete training and testing programmes:

  • Nykredit's IT security level is determined by IT security policies, emergency response plans and business contingency plans, which are based on the ISO 27001 standard. The board of directors approves the Information Security Policy, and our internal auditors inspect and audit the policies and plans as well as compliance thereof. The plans are based on international best practice guidelines.
  • Nykredit's internal IT security function continuously performs IT security assessments, IT risk assessments and IT inspections to ensure a sufficiently high IT security level. It also communicates any weaknesses to management at least quarterly. Our internal auditors also carry out annual IT audits.
  • External tests of Nykredit's cybersecurity are conducted on a regular basis by means of annual penetration tests and Red Team tests (TIBER-DK) about every two years. Also, internal monthly vulnerability scans are carried out. Nykredit's mature process for detecting security incidents means that all incidents are managed according to standard procedures.
  • Nykredit applies the latest security technologies. This means that all internet solutions have two-factor authentication and all e-mails are encrypted with at least TLS version 1.2.
  • All employees receive annual mandatory training in IT security.


Nykredit processes personal data, and as data controller our focus is to ensure that our processing of personal data is in compliance with data protection legislation. Nykredit respects the individual's right to control which personal data to share with Nykredit and for what purpose, in accordance with the legal framework. Nykredit also respects the rights of the data subjects, including, for example, the right of data subjects to rectify incorrect personal data and the right to erase personal data, subject to the restrictions imposed by law.

Nykredit processes personal data with great care and solely for the legitimate purposes for which the personal data were collected and in compliance with the applicable data protection rules rules. We maintain focus on responsible processing of personal data after the customer and supplier relationships etc ends.

Nykredit shares personal data internally in the Nykredit Group or with our business partners if we are permitted to do so by law or authority of the data subject.

Read more about Nykredit's processing of personal data in our Privacy Policy:

In alignment with the responsibilities laid down by data protection legislation, Nykredit has implemented processes and a control framework for the purpose of internal control of compliance with data protection legislation. This means that we have, for example, established a process for risk assessment of our data processors.

When Nykredit uses data processors, we conclude a Data Processing Agreement with the relevant supplier, such as JN Data A/S or Bankernes EDB Central a.m.b.a, which are major IT suppliers to Nykredit. A data processor processes personal data on behalf of Nykredit and based on Nykredit's instructions in accordance with Nykredit's policies on personal data. This means having to follow the IT security requirements set for data processors.     

Training of staff

Nykredit regularly trains all members of staff to ensure that they possess the knowledge of personal data processing necessary to perform their duties. 

All Nykredit staff members, including permanent staff, staff paid by the hour and temporary staff employed under Nykredit contracts, complete personal data training prepared and maintained by Finanssektorens Uddannelsescenter. In addition, all members of staff complete a training module prepared by Nykredit to ensure that the staff members learn how Nykredit handles personal data, for example in the event of personal data breach.

Personal data breaches

Nykredit reports personal data breaches to the Danish Data Protection Agency and also notifies the data subjects without undue delay.

Read more about Nykredit's obligation to report and notify: