Right to be informed
Individuals have a right to be informed, in a clear and transparent way, about how their personal data is processed.
Right of access
Individuals have a right to access the personal data that is being processed about them.
Right to rectification
Individuals have the right to have inaccurate personal data about them corrected.
Right to restrict processing
Individuals may have the right to restrict the processing of their personal data where they have a particular reason, recognised by law, for wanting the restriction.
Right to object
Individuals have the right to object to the processing of their personal data in certain circumstances.
Right to erasure
Where the data is no longer necessary for the purpose for which it was originally collected, or the processing is based on consent that has been withdrawn, individuals may have the right to erasure.
Right to data portability
If the processing is based on the individual's consent or on a contract, individuals have the right to obtain their personal data and reuse it for their own purposes.
These individual rights are exercised against the controller. This means that if an employee at a firm that uses Visma Expence wants to exercise the right to access data stored in Expence, the request must be directed to the employer as controller, not to Visma as processor.
For nearly all services Visma offers, the customer is the controller and Visma is the processor. This means that the customer owns the data processed by Visma, and certain obligations are therefore imposed on you as a controller.
1. Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner.
2. Lawful purpose
Personal data must only be collected for specified, explicit and legitimate purposes.
3. Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the intended purpose.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date.
5. Storage limitation
Personal data must not be kept in a form which permits identification for any longer than necessary for the given purpose.
6. Integrity and confidentiality
Personal data must be processed in a manner that ensures its appropriate security.
7. Accountability
The controller must be able to demonstrate compliance with these principles.
Five steps you as a controller should take before
1. Get an overview
As a controller you should always have an overview of the data you process. According to the GDPR, it is the controller's duty to document processing activities. This includes having an overview of: what kind of data you are processing, the purpose of the processing, the legal basis for the processing (contract, consent or legitimate interest), the subcontractors you share personal data with, and where these subcontractors are located.
2. Get to know the rights of the individuals
According to the GDPR, individuals have several rights. Before processing personal data, you as the controller need to be aware of these rights and prepare for how you are going to comply with them.
3. What have you promised the customer
A controller always needs to act within the promises made and the information provided to the individuals. This means that the controller continuously needs to reflect on whether the current processing of personal data, and particularly what the personal data is used for, lies within the promises made to the individual.
4. Data processing agreement
Make sure that you have a data processing agreement with every company that processes personal data on your behalf as a controller. A data processing agreement is an agreement that regulates the boundaries of such processing.
5. Incident management
Make sure that you have sufficient routines for incident management. This includes the technical ability to handle an incident, and routines for complying with the requirements to notify customers and the supervisory authority (for the supervisory authority, within 72 hours of becoming aware of a personal data breach where feasible).