Roles and responsibilities

The Visma group consists of approximately 200 companies. Visma.com is governed by Visma Software International AS, which is also the controller for the personal data processed via the website. 

‍

Contact us

If you have any comments or questions about our Privacy Statement, or any privacy concerns, including regarding a possible breach of your privacy, please contact us by using the privacy request form. 

If you want to contact our Data Protection Officer for Visma Software International AS, please send an email to dpo.swint@visma.com.

‍

You can also contact our Head Office at: 

Karenslyst allé 56, 0277 Oslo, Norway

Telephone number: +47 46 40 40 00

‍

Processing activities

Use of cookies

See our Cookie Policy for a complete list of cookies that we use on Visma.com, storage time for each cookie, recipient of cookie-data, and purpose for using said cookie-data. 

In compliance with the ePrivacy Directive and national legislation that implements this, cookies will not be set unless you consent to this when interacting with the cookie banner that will pop-up when visiting our website, with the exception of cookies that are strictly necessary for the functionality of the website. Said consent is opt-in in accordance with the Planet-49 decision of the CJEU. 

For the further processing of cookie-data, which include certain personal data such as cookie-ID, IP-adress, activity on the website such as clicks, and similar, we rely on our legitimate interests, cf. GDPR article 6 nr. 1 f) as our legal basis. The legitimate interest is to analyse and improve the functionality and content of our website. 

To change cookie settings, and to use your right to protest cf. GDPR article 21, please  click “Cookies Settings” at the bottom of the webpage. 

‍

Handle requests

Privacy Contact form:

‍

If you contact us using the privacy request form, we will process the personal data that you include in the form. This will at minimum include contact details. 

‍

Our legal basis for this processing of personal data is our legal obligation to respect data subject’s rights under the GDPR to the extent the request concern such rights, cf. GDPR article 6 nr. 1 c), and our legitimate interests to store the requests and to the extent the privacy requests concern other matters, cf. GDPR article 6 nr. 1 f). The legitimate interest is to document the requests handled and respond to concerns raised by visitors to our website about privacy and other matters. 

‍

Requests and related correspondence are only stored as long as necessary to fulfil the purpose of processing, and no longer than 3 years after the last correspondence in relation to the request. When the request has been directed to another company in the Visma Group, the Visma company’s respective privacy statement will apply.

‍

Requests sent via email
To facilitate communication and support for our website visitors, we process questions and concerns received via email (e.g. visma@visma.com, security@visma.com, etc.). This processing involves the personal data you provide in your request, which will, at a minimum, include your contact details.

‍

Our legal basis for this processing of personal data is our legitimate interests, cf. GDPR article 6 nr. 1 f). The legitimate interest is to respond to questions and concerns raised by visitors on our website.

‍

Requests and related correspondence are only stored as long as necessary to fulfil the purpose of processing.

‍

Newsletter subscriptions

You can subscribe to Visma news and press releases here. If you subscribe, we will process your name and email address for this purpose. 

‍

Our legal basis for this processing of personal data is our legitimate interests to provide interested individuals with news about Visma, cf. GDPR article 6 nr. 1 f). 

‍

The personal data will be deleted when you unsubscribe to the newsletter. You can unsubscribe by clicking “Cancel subscription” at the bottom of the emails.  

Whistleblowing reports

Any employee or external may submit a whistleblowing report to us by following the procedure in our Visma Whistleblowing Channel.  You remain completely anonymous when submitting a report unless you voluntarily provide your own personal data. You are not obligated to provide any such personal data. A report may, however, include the personal data of others, and we will in turn have to process this personal data to handle the report. 

‍

Our legal basis for this processing of personal data is our legal obligation to offer a user friendly and easily accessible whistleblowing channel, and to process whistleblowing reports, cf. GDPR article 6 nr. 1 c) and article 9 nr. 2 b). 

‍

Reports and any related correspondence are deleted one year after the report is solved and closed. 

Recruitment

We publish open positions in most Visma companies on our website. Our companies use different tools to administer the recruitment process, and you may find dedicated privacy statements inside such tools as well. The Visma company that administers the recruitment process is the controller for any personal data received in this relation. Said companies may process this personal data in different ways in accordance with local legislation in the relevant jurisdictions. 

‍

Visma Community

Visma Community is an online community developed by Visma for its customers and others who want to gain knowledge about Visma's products and services and receive relevant professional information.

If you want to actively participate in the Community, you must register as a user. You will then have the opportunity to communicate with Visma and like-minded users about our products, services and professional topics. You can find more information about Visma Community and access a separate privacy statement for it here.

Responsible Disclosure & Bug Bounty Program

We welcome security researchers to report vulnerabilities to Visma through our Responsible Disclosure & Bug Bounty Program to further secure our services. Reports can be submitted via our Visma Responsible Disclosure Program on Intigriti, our Public Bug Bounty Program on Intigriti or directly to security@visma.com. See the relevant Privacy Policy for Intigriti for when they act as a controller here: Intigriti Platform Privacy Policy. For valid, previously unknown vulnerabilities that trigger a code or configuration change, researchers will earn a spot in our Security Hall of Fame (HoF). 

‍

When you report to security@visma.com, we process contact information such as email, name and any other personal data included in your email if sent directly to security@visma.com. The Hall of Fame (HoF) may also store a name, but only if you include it in your entry.

‍

Our legal basis for this processing of personal data is our legitimate interests, cf. GDPR article 6 nr. 1 f). The legitimate interest is to maintain secure products and services for our users.

We will only store your personal information for as long as necessary to fulfil the purpose of processing. Information on our Hall of Fame (Hoc) will be stored as long as the page remains operational. 

Service improvement 

We continuously strive to improve and develop the quality, functionality, and user experience of our websites. The personal data we process includes user and web traffic information such as session ID, IP address and device information. 

Our legal basis for processing your personal data is our legitimate interest, cf. GDPR article 6 nr. 1 f). The legitimate interest is to ensure that we meet our visitors' expectations.

We will only store your personal information for as long as necessary to fulfil the purpose of processing, and your personal data will be deleted after three years.

‍

Security on the website

We process personal data in order to detect, mitigate, and prevent security threats and abuse, as well as perform necessary maintenance and debugging. The personal data involved includes user and web traffic data such as session ID, IP address and device information.

Our legal basis for this processing of personal data is our legitimate interests, cf. GDPR article 6 nr. 1 f). The legitimate interest is to maintain a secure website.

We will only store your personal information for as long as necessary to fulfil the purpose of processing, and your personal data will be deleted after one year.

‍

How your personal data may be shared

‍

Within the Visma Group

Visma Group consists of several subsidiaries. In order to maintain an overview and insight, we may share your personal data across companies in the Visma Group. The intention is to streamline operations and provide you with a more integrated and seamless experience.

‍

Outside of the Visma Group

We may also share your personal data with external third parties in the following contexts:

Processors 

We use processors to process personal data. These processors are typically providers of cloud-based services. When using processors, we enter into a data processing agreement in order to safeguard your privacy rights. If processors are located outside the EU/EEA, we ensure legal grounds for such international transfers on your behalf, such as by implementing EU Model Clauses. You are welcome to request more detailed information on our processors by contacting us as described in the section “Contact us”. 

Public authorities

The police and other authorities may request access to information from us. This can include both personal and non-personal data. 

In all such cases, we follow internal policies and procedures for assessing the access request, and confer with legal counsels. We only share information that is strictly required by law, and only on the basis of valid court orders or similar legal documents from public authorities.

To prevent unauthorised access to any information we process, we also implement technical measures such as encryption and access controls. The Visma Security Program ensures high security standards and confidentiality.  

Furthermore, we ensure legal obligations in contracts with our subcontractors that ensure they too enact organisational and security measures similar to ours. 

If we receive access requests from non-EEA authorities, we ensure our compliance with the Data Act article 32. Internal policies and routines are in compliance with this regulation. 

‍

Your rights

You can invoke the following rights in relation to our processing of your personal data:

• Access. You have the right to request a copy of personal data we process about you. 
• Rectification. You also have the right to request rectification of inaccurate personal data concerning you.
• Deletion. You can request deletion of personal data relating to you. 
• Restriction. You may ask us to restrict the processing of your personal data
• Portability.  You may ask us to provide you or others with your personal data in a structured, commonly used and machine-readable format.
• Object. You have the right to object to our processing of your personal data on the basis of legitimate interests or for direct marketing purposes. You also have the right to object to our processing of your personal data for the performance of tasks carried out in the public interests or in the exercise of official authority or based on legitimate interests. 

Please note that there may be certain exceptions or limitations to the abovementioned rights which could apply depending on the specific circumstances of your situation. In such cases, we will provide you with detailed information about the applicable exception or limitation and help you exercise your rights to the fullest extent possible, in accordance with applicable laws and regulations.

Please use this privacy request form to file requests as mentioned in this section.

Finally, you also have a right to file a complaint to the data protection authorities with regards to our processing of your personal data.

‍

Changes

We encourage you to review the Privacy Statement regularly. If we make significant changes to the Privacy Statement that materially alter our privacy practices, we will notify you of this.

‍