Rights and Obligations

Individuals' rights

The GDPR has implemented new rights for individuals. Your main rights under the GDPR are:

  • Right to be informed

Individuals have a right to be informed in a clear and transparent way about how their personal data is processed.

  • Right to access

Individuals have a right to access the personal data that is being processed.

  • Right to rectification

Individuals have the right to ensure that data is correct.

  • Right to restrict processing

Individuals may have the right to restrict the processing of their personal data where they have a particular reason, recognised by law, for wanting the restriction.

  • Right to object

Individuals have the right to object to processing of their personal data in certain circumstances.

  • Right to erasure

Where data is no longer necessary for the purpose for which it was originally collected, or the processing is based on consent that has been withdrawn, individuals may have the right to erasure.

  • Right to data portability

If processing is based on the individual's consent or on a contract, individuals have the right to obtain and reuse their personal data for their own purposes.

These individual rights are exercised towards the controller. This means that if an employee at a firm that uses Visma Expence wants to exercise the right to access data stored in Expence, the request must be brought to his/her employer as controller, not to Visma as processor.


Customer's Obligation

The customer is controller and Visma is processor for nearly all services Visma offers. This means that the customer is the owner of the data that is processed by Visma, and therefore certain obligations are imposed on you as a controller.

1. Transparency

Personal data must be processed lawfully, fairly and in a transparent manner.

2. Lawful purpose

Personal data must only be collected for specified, explicit and legitimate purposes.

3. Data minimisation

Personal data must be adequate, relevant and limited to what is necessary in relation to the intended purpose.

4. Accuracy

Personal data must be accurate and, where necessary, kept up to date.

5. Storage limitation

Personal data must not be kept in a form which permits identification for any longer than necessary for the given purpose.

6. Confidentiality

Personal data must be processed in a manner which ensures its appropriate security.

7. Accountability

The party that processes personal data must be able to demonstrate compliance with applicable privacy principles.


Five steps you as a controller should take before processing data


1. Get an overview

As a controller you should always have an overview of the data you process. According to the GDPR, it is the controller's duty to document processing activities. This includes having an overview of: what kind of data you are processing, the purpose of the processing, the legal basis for processing (contract, consent, legitimate interest), the subcontractors you share personal data with, and where these subcontractors are located.

2. Get to know the rights of the individuals

According to the GDPR, individuals have several rights. Before processing personal data, you as the controller need to be aware of these rights and prepare for how you are going to comply with them.


3. What have you promised the customer?

A controller always needs to act within the promises made and the information provided to the individuals. This means that the controller continuously needs to reflect upon whether the current processing of personal data, particularly what the personal data is used for, lies within the promises made to the individual.

4. Data processing agreement

Make sure that you have a data processing agreement with every company that processes data on your behalf as a controller. A data processing agreement is an agreement that regulates the boundaries of such processing.

5. Incidents

Make sure that you have sufficient routines for incident management. This includes the technical capability to handle an incident, and routines for complying with the requirements to notify customers and the supervisory authority.