The GDPR defines two roles that are subject to different legal obligations:
The Controller; a legal unit or similar that determines the purposes and means of the processing of personal data
The Processor; a legal unit or similar which processes personal data on behalf of the Controller.
The nature of business in Visma makes us both Controller and Processor. Thus, Visma must comply with the legislation concerning both of these roles.
Visma is a Controller when we process data about our own employees and customer contacts/users. Vismae is a Processor when we provide cloud services (SaaS) or other hosting services to our customers and sometimes also when we provide consulting services.
In addition we are a vendor of software that customers install and operate themselves. This does not make Visma a Processor or Controller. When Visma act as Processor or software vendor, the customer using the service/software is the Controller.