Your rights and obligations

Individual rights

The GDPR has implemented specific rights for individuals. These individual rights can be brought towards the Controller. For example, if an employee at a firm that uses Visma Expense wants to exercise the right to access data stored in Expense, the employee must go to the Controller (in this case his/her employer), not the Processor (in this case Visma).

Your main rights are:

Right to be informed
Individuals have the right to be informed in a clear and transparent way on how their personal data is processed.

Right to access
Individuals have the right to access their personal data that is being processed.

Right to rectification
Individuals have the right to ensure their data is correct.

Right to restrict processing
Individuals may have the right to restrict the processing of their personal data when they have a particular reason, according to law, for wanting the restriction.

Right to object
Individuals have the right to object to the processing of their personal data in certain circumstances.

Right to erasure
Individuals may have the right to erasure of their data. This can occur where the data is no longer necessary for the purpose for which it was originally collected, or the processing is based on consent that has since been withdrawn.

Right to data portability
If processing is based on individuals' consent or contract, these individuals have the right to obtain and reuse their personal data for their own purpose.

Customer's Obligation

For nearly all of Visma products, services and data, the customer is the Controller and Visma is the Processor. This means that the customer is the owner of the data that is processed by Visma. Therefore, some obligations are imposed on you as a Controller.


Personal data must be processed lawfully, fairly and in a transparent manner.

Lawful purpose
Personal data must only be collected for specified, explicit and legitimate purposes.

Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the intended purpose.

Personal data must be accurate and, where necessary, kept up to date.

Storage limitation
Personal data must not be kept in a form that permits identification for any longer than necessary for the given purpose.

Personal data must be processed in a manner that ensures its appropriate security.

The party that processes personal data must be able to demonstrate compliance with applicable privacy principles.

5 steps you should take as a Controller, before processing data


  1. Get an overview
    As a Controller you should always have an overview of the data you process. According to GDPR, it is the Controller's duty to document processing activities. This includes having an overview of: what kind of data you process, the purpose behind processing, the legal basis for processing (contract, consent, legitimate interest), any sub-contractors you share personal data with, and where these sub-contractors are located.

  2. Get to know the rights of the individuals
    According to GDPR, individuals have numerous rights, as listed above. Before processing personal data, you as the Controller need to be aware of these and prepare for how you are going to comply with these rights.

  3. Keep your promises
    A Controller always needs to act in accordance with the promises made and information provided to individuals. This means the Controller needs to continuously reflect upon whether the data processing, particularly what the personal data is used for, is in accordance with the promises made to the individual.

  4. Have a data processing agreement
    Make sure you have a data processing agreement with companies that process data on your behalf. A data processing agreement regulates the boundaries for such processing.

  5. Keep routines in case of incidents
    Make sure that you have sufficient routines for incident management. This includes technical abilities to handle an incident, as well as routines for complying with requirements to notify individuals or supervisory authorities.