The GDPR defines two roles that are subject to different legal obligations:
The Controller; a legal unit or similar that determines the purposes and means of the processing of personal data
The Processor; a legal unit or similar which processes personal data on behalf of the Controller.
The nature of business in Visma makes us both Controller and Processor. Thus, Visma must comply with the legislation concerning both of these roles. We are a Controller when we process data about our own employees and customer contacts/users. We are a Processor when we provide cloud services (SaaS) or other hosted IT services to our customers and sometimes also when we provide consulting services. In addition we are a vendor of software that customers install and operate themselves, but this does not make Visma a Processor. When Visma act as Processor or software vendor, the customer using the service/software is the Controller.
The next chapters will explain what Visma is doing to comply with the GDPR in the Controller and Processor roles.