3.2. Customer Data
3.2.1. The Customer is the Data Controller for Customer Data, and agrees and/or guarantees as applicable that:
- the Customer hereby instructs Visma to Process the Customer Data only on behalf of the Customer, and only for the purpose of and to the extent necessary to provide the Software in a secure and professional manner, in accordance with and to fulfil the TOS and applicable data protection law;
- the Customer is the owner of or otherwise has the right to transfer the Customer Data, including Personal Data, to the Software for processing, and that the Customer has the responsibility for the accuracy, integrity, content, reliability and legality of such Data, including its Use;
- the Data Processing, where applicable, has been notified to the relevant supervisory authorities and/or Data Subject, and that the Data Processing does not violate relevant provisions of law;
- it is the Customer’s duty as Data Controller to notify, to the extent required by applicable law, the relevant supervisory authorities and/or Data Subject in the event of any Breach of Personal Data (see 3.2.2 below for Visma’s duty of notification to the Customer);
- Visma has provided sufficient and satisfactory information with respect to the security measures (see 3.5);
- the Customer shall maintain inter alia a record of the types and categories of Personal Data it Processes if and as required by applicable data protection law. This applies in particular where the Software is used by the Customer in a manner over which Visma has no control (such as where the system is configured by the Customer), or where Visma is otherwise incapable of having the necessary access (due to technical limitations, confidentiality and similar).
The Trust Centre includes an overview of the Customer’s duties as the Data Controller: https://www.visma.com/trust-centre/privacy/your-rights-and-obligations/.
Please read it carefully.
3.2.2. Visma is the Data Processor for Customer Data, and agrees and/or guarantees as applicable:
- to Process the Customer Data only in accordance with the Customer’s instruction in 3.2.1 a) above;
- to abide by the advice and directives of the relevant supervisory authorities;
- that Visma has implemented technical and organisational security measures to protect the Data from loss and unauthorised processing, to ensure the confidentiality, integrity and availability of the Data, and that these measures represent a level of security appropriate to the risk presented by the processing, having regard to the state of the art and the cost of implementation;
- that Visma shall notify the Customer without undue delay after becoming aware of a Breach to a reasonable degree of certainty. (Any temporary non-availability of Data due to Software-unavailability is at all times published online according to 1.3.1.)
- that Visma shall, upon becoming aware of it, notify the Customer without undue delay of any Instruction or other Data Processing activity by the Customer which in Visma’s opinion infringes applicable law or other data protection provisions.
- that Visma, within its obligations as Data Processor under applicable data protection law, shall assist the Customer in its role as Data Controller, by appropriate technical and organisational measures, insofar as possible and taking into account the nature of the Processing and the information available to Visma, hereunder assisting the Customer in responding to requests for exercising the Data Subject’s rights, and by providing information necessary to demonstrate compliance with applicable data protection law. Visma reserves the right to charge its standard rates for such assistance.
- that when Visma’s legal basis for processing the Customer Data expires for whatever reason, such as termination of the customer relationship, Visma will return the Customer Data to the Customer and delete it from the systems, unless mandatory provisions of law require continued storage of the data by Visma. Please refer to 4.6.3 and 4.6.4.
- that Visma has no reason to believe that the legislation applicable to Visma prevents Visma from fulfilling the instructions received from the Customer;
- that Visma shall promptly notify the Customer of any request for the disclosure of data received directly from a Data Subject, and from governmental authorities, unless such notification is legally prohibited. Visma will not respond to such requests unless authorised by the Customer. Visma will only disclose Customer Data to governmental authorities to comply with legally binding requests, such as a court order or warrant;
- that Visma will not publish any comment, testimonial or similar made by a Customer or User without prior consent.