Preparing for GDPR as Processor
Visma provides a wide range of cloud-based software (SaaS) to our customers and also provide several hosting services as well as consulting services. These occasions except for pure hire of consultants makes Visma a Processor. This means that Visma is responsible for only processing the personal data as instructed by the Controllers (the customers). Since most of our software is delivered in a one to many relation, giving the Controllers (the customers) the freedom to continuously give us instructions on how to process their personal data is not possible. This underlines the importance of agreeing with the Controller (the customer) on what these instructions are, typically in the Terms of Service or in a dedicated DPA.
When a customer hires a consultant from Visma and his/her work is supervised by the customer, Visma is not a Processor, and therefore, a DPA is not necessary. Depending on the nature of the assignment, it may be wise for the parties to enter into a non-disclosure agreement though.
As a software vendor, we also take responsibility for certain things that the Controllers themselves will have difficulties controlling. This will typically be the design of the software regarding features for correcting and erasing personal data and implementation of information security measures to safeguard data confidentiality, integrity and availability.
Being a provider of cloud services also mean that we use a range of subcontractors to deliver the services, and we have certain transparency obligations in this regard, as well as making sure that sufficient data processing agreements are in place. We are doing this to ensure privacy and trust throughout the chain of companies involved in processing our customers' data. Visma’s business is based on earning this trust from our customers.
Our main efforts making sure that we are compliant as Processor, are around these initiatives:
Assessing our cloud services against the Privacy by Design and Default principles set out in the GDPR.
Making Privacy Impact Assessments for all products/services designed to process sensitive personal data.
Preparing for increased transparency regarding the use of subcontractors and security breach incidents that may occur.
Ensuring that agreements with our subcontractors and partners commit to GDPR preparations and compliance
Updating Terms of Service (ToS) documents to reflect the obligations of both Controllers (our Customers) and Visma imposed by the GDPR
Further, we have published the Trust Center on visma.com. This site provides customers information needed to document their processing activities as a Controller. In the months to come, we will consecutively provide more information in the Trust Center. In summary, this information seeks to outline the privacy skills and abilities of our cloud services and software products. The aim with this information is to enable Controllers (our customers) to fulfill its duties according to GDPR to safeguard privacy when using a Processor (Visma) to process personal data on their behalf.
On request, a customer may also access more detailed privacy information particularly concerning security measures applied and agreements with subcontractors. Such requests may be subject to fees and non-disclosure agreements.