Rights and Obligations

Individuals rights

The GDPR has implemented new rights for individuals. Your main rights under the GDRP are:

  • Right to be informed

Individuals have a right to to be informed in a clear and transparent way on how their personal data is processed

  • Right to access

Individuals have a right to access the personal data that is being processed.

  • Right to rectification

Individuals have the right to ensure that data is correct.

  • Right to restrict processing

Individuals may have the right to restrict the processing of their personal data where they have a particular reason, according to law, for wanting the restriction.

  • Right to object

Individuals have the right to object to processing of their personal data in certain circumstances.

  • Right to erasure

Where data is no longer necessary for the purpose which it originally was collected, or the processing is based on consent that is withdrawn, individuals may have the right to erasure.

  • Right to data portability

If processing is based on individuals consent or contract, individuals have right to obtain and reuse  personal data for their own purpose

These individual rights can be brought towards the controller. Meaning that if an employee at a firm that uses Visma Expence wants to exercise the right to access data stored in Expence, the employee must be brought to his/her employer as controller, not Visma as processor.    


Customer's Obligation

 Customer is controller and Visma processor for nearly all services Visma offers. This means that you are the owner of the data that is processed by Visma, thus some obligations are imposed on you as a controller.

1. Transparency

Personal data must be processed lawfully, fairly and in a transparent manner.

2. Lawful purpose 

Personal data must be only collected for specified, explicit and legitimate purposes.

3. Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the intended purpose.

4. Accuracy

Personal data must be accurate and, where necessary, kept up to date

5. Storage limitation

Personal data must not be kept in a form which permits identification for any longer than necessary for the given purpose.

6. Confidentiality

Personal data must be processed in a manner which ensures its appropriate security

7. Accountability

The party that processes personal data must be able to demonstrate compliance with applicable privacy principles.


What you as a controller should do before processing data.


  • Overview

Get an overview of the data protection legislation and the principles for processing mentioned above.

  • Categorize data

Identify and classify the different categories of data that you plan to process. Identify in particular if you plan to process sensitive personal data.

  • Identify purpose

Define a clear purpose for why you need to process personal data. Processing one certain category of personal data can have several different purposes. According to GDPR, the purpose must be specific and explicit.

  • Identify lawful basis

You must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing outlined in GDPR article 6. Processing sensitive personal data triggers even more requirements, thus separate conditions outlined in article 9 in the GDPR applies.

  • Obligation to inform

Individuals have the right to be informed about the collection and use of their personal data. You must provide individuals with information on how their personal data is processed, purposes for processing, retention periods, and who the data will be shared with.

  • Data protection by design and default

Appropriate technical and organisational measures to protect data shall be implemented from the design state through the products lifecycle.

  • Data processing agreement

Any use of a processor to process personal data on your behalf requires a need to enter into a data protection agreement, according to the GDPR.

  • Data protection impact assessment (DPIA)

A DPIA must be conducted if processing of personal data is likely to result in a high risk to individuals.

  • Internal audits

You need to be able to show that you have implemented GDPR compliant policies and adhered to them. Internal audits can be a helpful tool to evaluate your organization's GDPR compliance.

  • Internal control

You need to be able to show that you have mechanismen in place to document that you continuously evaluate your organization's GDPR compliance and efforts.

  • Incident management

Prepare for an incident and how you as a controller shall comply with the requirements to manage privacy incidents towards authorities and individuals according to article 33 and 34 in the GDPR.

  • Document your processing activities

You must maintain records of several activities,  such as processing purposes, data sharing and retention according to the GDPR article 30.


We use cookies to collect information on your interaction with our website and combine this with the data you provide us to build a profile so we can show you content tailored to your interests. By accepting, you allow us to collect and process your personal information as described here.