Terms and Policies

You can review Upodi's privacy policy on this page.

1 Introduction

1.1 Scope and objective

This Privacy Policy sets out governing principles for privacy and data protection by specifying objectives, responsibilities, general rules and requirements for all processing of personal data in Upodi ApS that is part of the Visma group (hereafter Visma).

The objective of this Privacy Policy is to ensure that all Visma companies are subject to the same values and decisions, to ensure trust among our customers, partners and employees, and to fulfill applicable legislation and best practices.

The Privacy Guideline details out the topics from the overall Privacy Policy, in order to educate employees. It also covers topics such as legal basis for processing of personal data, classification of personal data, the use of sub-processors and the procedures for our internal control.

But I must explain to you how all this mistaken idea of denouncing pleasure and praising pain was born and I will give you a complete account of the system, and expound the actual teachings of the great explorer of the truth, the master-builder of human happiness

1.2 What is data protection and privacy?

Data protection is a broad term and involves protecting data in general. Privacy is more specific and relates to protecting information concerning living persons, such as names, addresses, date of birth, email addresses and social security numbers.

Visma considers strong data protection to be a competitive advantage, and shall strive for transparency in its approach to privacy.

But I must explain to you how all this mistaken idea of denouncing pleasure and praising pain was born and I will give you a complete account of the system, and expound the actual teachings of the great explorer of the truth, the master-builder of human happiness

1.3 Terms

The following are fundamental and introductory terms in privacy.

Personal data: Personal data is any data relating to or pertaining to an individual, or from which an individual can be identified.

Processing: Processing means any use of personal data, such as collection, registration, access, sharing, storing, analysis and similar.

Data controller: Whoever determines the purpose and means for the processing of personal data.

2 Responsibility for privacy in Visma

The responsibility to ensure that Visma acts according to applicable privacy legislation is delegated to the Data Protection Officer (DPO). The DPO appointed is a lawyer and Visma employee and is the main contact point for any data subject or customers in privacy matters. The DPO facilitates the privacy work within Visma.

All strategic decisions regarding privacy are made and governed by Council in order to ensure transparency and accountability. The Council consists of the DPO, CISO (Corporate Information Security Officer) and representatives from affected business areas.

All Visma companies are tied to a Data Protection Manger (DPM) resource which continuously reports and co-operates with the DPO to solve everyday tasks in their company. In addition, all companies report directly to the Council on a variety of issues to ensure progress and attention on strategic efforts. The Council reports to Visma group management and the Visma board.

In addition, each employee is responsible for abiding by and supporting the Privacy Framework in his or her daily work. The individual employee’s contribution is essential in order for Visma to succeed in its efforts to ensure data protection and privacy.

3 Processing of personal data

3.1 Visma as the data controller

In order to process personal data according to privacy legislation, the controller needs to establish a legal basis for processing personal data.

Legal basis of practical importance for processing in Visma: contract with data subject, consent from data subject, obligation according to law, legitimate interest.

Use of legitimate interest: The strategy for using legitimate interest as legal basis for processing personal data shall be decided by the Council.

Record of processing: Any data controller is required to keep a record of their processing of personal data. Vismas DPMs are responsible for keeping records of the processing of personal data in the company, in the role as data controller. This record shall be updated on a yearly basis and be approved by the DPO.

3.2 Visma as the data processor

All Visma companies acting as data processor shall strive to ensure that a data processing agreement is entered into with the data controller. The data controller is potentially our customer, partner, a third party or other Visma company.

Purpose for processing when Visma is processor: Visma shall not process personal data in any manner or for any other purpose than as authorised in the agreement with the data controller, hereunder in data processing agreements with customers.

3.3 Sharing personal data

All use of sub-processor’s, those being other Visma companies or external parties, shall be fully subject to the Visma Privacy Framework and applicable privacy legislation.

Data processing agreement: Sharing personal data with other legal entities, either within Visma or externally, should only be done after entering into a data processing agreement equivalent to the Visma standard.

Visma has, on a corporate level, entered into data processing agreements on behalf of all Visma entities with its strategic sub-processors. Visma companies will not have to enter into separate data processing agreements with these sub-processors.

Visma has, on a corporate level, entered into data processing agreements with and among all Visma companies. This internal corporate data processing agreement is included on the list mentioned above.

Only subcontractors who are compliant with privacy legislation and show that they understand and value data protection and privacy as a competitive advantage, should be used by Visma.

3.4 Privacy by design and default

All Visma companies shall embed data protection into their processing of personal data in all services, from development and design throughout the service operation lifecycle. This is part of the Privacy by design and default principles. These principles shall be central in all aspects of Vismas business.

Education of developers: in order to assist our customer in ensuring privacy, the developers of the software must understand and develop software according to the privacy principles.

Level of privacy and security: each Visma company shall implement and maintain security and privacy measures appropriate to the risk represented by the processing of personal data, taking into account the state of the art and the cost of implementation.

Tool: By taking part in Visma’s security and privacy regime, built on maintaining approved self assessments, all product teams shall ensure a sufficient security and privacy level for its service. These assessments are the basis for transparency towards customers and data subjects.

Surveillance: The above mentioned assessments shall always be subject to an independent, automatic monitoring tool that measures status and progress on risk mitigation.

A product owner should always be able to communicate security, privacy and risk details about a service to its customers.

4 Incident management

Reporting privacy incidents: Privacy incidents shall be fully embedded into the routines in Visma for crisis and incident management. Privacy and security incidents shall be reported to according to Visma procedure for privacy incident management outlined in the Privacy Guideline.

5 Marketing

Visma shall offer customers to opt-out of marketing that involves processing of their personal data. Leads, meaning non customers, shall opt-in before they are subject to marketing that involves processing their personal data.

Representative in Council: corporate marketing should always be represented in the Council.

Use of legitimate interest in marketing: the strategy for using legitimate interest as legal basis for processing personal data, hereunder as part of marketing automation, shall be decided by the Council.

New technology: new marketing technology shall be approved by the Council before taken into use.

6 Request for information or data

Requests from data subjects: if Visma is a controller, it's Visma’s responsibility to fulfill the data subjects request. If Visma is a processor, requests from data subjects should be forwarded to the controller, typically Visma’s customer.

Internal request: requests for data from within Visma shall always be directed to the DPM representing the company that owns the product and data in question. The DPM shall refer the request to the product owner.

Requests from authorities: requests from the police or authorities shall be forwarded to the DPM representing the company that owns the product and data in question. Visma can only share data with authorities based on a valid court order. The DPM shall always confer with DPO before responding to requests from authorities.

Requests from media: requests from the media regarding privacy or data protection shall be referred to and handled by the Corporate Communications.

7 Training of employees

A key criteria for obtaining effective and hands-on implementation of the Privacy Framework in Visma is awareness and competence among our employees. In order to succeed, Visma must enable its employees to take action in their day-to-day activities. All employees are required to take an online privacy course at the start of their employment in Visma

Visma shall prioritizes education of its employees within privacy and data protection, both in general and tied to specific roles.

8 Transparency

Transparency on how personal data is processed in Visma is essential in order to earn and maintain the trust among our customers, partners and employees. Visma should offer transparency in layers consisting of for instance;

Level 1 Trust centre
: the online Visma Trust Centre shall be the first line of information about Vismas products, services and processing of personal data, available to everyone, through this link.

Level 2 Non-public product-specific information: customer shall be able to request more specific information from Visma. This information is confidential and non-public information concerning the particular product, and should be made available to customers upon request and login etc.

Level 3 Restricted information: Visma shall be able to give a customer full transparency on request subject to a non-disclosure-agreement and potentially fees.

9 Enforcement

Any employee found to have violated this policy may be subject to disciplinary actions. Violation of this policy may lead to termination of employment.

Visma Privacy Policy v. 5.0

This Privacy Policy is part of the Visma Privacy Framework consisting of policies, decisions and procedures governed by the Visma Data Protection Council (Council).

The Privacy Policy is reviewed by Group Legal at least annually. Last approved by Council: 3 February 2022.

More Information

Hopefully, this Privacy Policy has clarified things for you, if there is something that you aren't sure about or you need more clarification, we highly encourage you to contact us through

Please post any questions regarding this agreement to our general legal counsel This includes questions regarding data compliance, privacy, terms of service, service level agreement or cookie policy. You can find additional information at

This agreement is owned and published by:

Upodi ApS Mariane Thomsens Gade 2F, 9. 1 8200 Århus C, Denmark CVR. 38558862 Version 19.0000