
How does Holm Security ensure GDPR-compliant processing of personal data on behalf of a customer?

Holm Security's processing of personal data fully complies with the GDPR and the stated contractual requirements.

When acting as a data processor, Holm Security processes personal data solely on documented instructions from the customer, as set out in the DPA or call-off contract, unless processing is required by applicable EU or member state law (Article 28(3)(a)). Holm Security does not process personal data for any purposes other than those explicitly defined by the customer, and we ensure that all processing is limited to what is necessary to fulfill our contractual obligations, in line with the principles of purpose limitation and data minimization (Article 5(1)(b)–(c)).

Holm Security does not independently determine the purposes or means of processing when acting as a processor. Any processing of personal data relating to the customer’s administrators and end-users is strictly limited to what is necessary to provide and support the Services. Upon request, we can document and demonstrate how personal data is collected, used, stored, and minimized in accordance with GDPR requirements, including accountability obligations (Article 5(2)).

Where Holm Security determines the purposes and means of specific processing activities, we act as an independent data controller for those activities. In such cases, we clearly identify the relevant processing operations and establish a valid legal basis in accordance with Article 6. We also ensure transparency towards data subjects and fulfill all applicable controller obligations under the GDPR.

Holm Security's technical and organizational measures, governance processes, and internal controls are designed to ensure a high level of data protection, confidentiality, and compliance with GDPR, including adherence to Article 28 requirements for processor engagements.