Privacy Statement
Version 1
SAP ID Service Privacy Statement
1. When does this Privacy Statement apply?
SAP SE (“SAP”) provides a user authentication service (the “SAP ID Service”) which allows users to access various websites, apps and cloud services across the SAP Group with, depending on the type of user, one (S or P) user ID (each an “ID”). This privacy statement applies to the creation of user IDs and the usage of the SAP ID Service and is in addition to any website, app or cloud service specific privacy statement.
2. Who is the data controller?
Data controller in case of the SAP ID Service is SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany (“SAP”), SAP’s data protection officer can be reached at (privacy@sap.com).
3. Which data categories are used by SAP and what are purposes and duration of data usage?
a. Creation and usage of an ID. If you register for a website, app or cloud service of an entity of the SAP Group for the first time that is using the SAP ID Service for authentication, depending on the platform that the user uses, a subset of the following information is collected: first name, last name, username, email address, country and company in order to create an ID which is unique to you (together your “Personal Data”). Once this registration pr ocess is completed, you can use your ID to get access to the relevant website, app or cloud service.
You can use your ID also to obtain access to other websites, apps and cloud services of the same or other entities of the SAP Group by simply entering your ID into the relevant websites, apps and cloud services. We therefore require your Personal Data in order to make the SAP ID Service and your ID available to you (performance of a contractual relationship, Article 6 para. 1 (b) EU General Data Protection Regulation (“GDPR”)).
b. Compliance with export laws. SAP and its products, technologies, and services are subject to the export laws, trade sanctions, and embargoes (“Export Laws”) of various countries including, without limitation, those of the European Union (“EU”), Germany and of the United States of America. Therefore, you acknowledge that, pursuant to the applicable Export Laws issued by these countries, SAP is required to
aa. take measures to prevent persons, entities and organizations listed on government-issued sanctioned party lists from accessing certain products, technologies, and services through SAP’s websites or other delivery channels controlled by SAP. This may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to SAP’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match; and
bb. ensure that no individuals from embargoed countries access its services. Therefore, when an existing user logs into a website, app or cloud service of an entity of the SAP Group from an embargoed country, the user’s registration data and IP address may be used by SAP to block the user’s access and to log access attempts from embargoed countries.
Any such usage of registration data and IP addresses (which, for the avoidance of doubt is also part of your Personal Data) by SAP is necessary for SAP’s compliance with applicable EU Export Laws (Article 6 para. 1 © GDPR) and SAP’s legitimate interest to comply with non-EU Export Laws (Article 6 para. 1 (f) GDPR).
Kindly note that, although any provisioning of Personal Data is voluntarily to you, without your Personal Data, SAP cannot provide you with access to the SAP ID Service or create any IDs. SAP will only store your Personal Data for as long as it is required for providing you with access to the SAP ID Service, as long as you use the SAP ID Service and for the purposes of SAP’s compliance with applicable Export Laws plus in each case, where applicable, any additional periods under applicable laws during which SAP has to retain your Personal Data
4. Who receives my Personal Data?
As part of a global group of companies, SAP uses affiliates and third-party service providers within as well as outside of the European Economic Area (the “EEA”). As a consequence, whenever SAP is using or otherwise processing your Personal Data for the purposes set out in this Privacy Statement, SAP may transfer your Personal Data to countries outside of the EEA including to such countries in which a statutory level of data protection applies that is not comparable to the level of data protection within the EEA. Whenever such transfer occurs, it is based on the Standard Contractual Clauses (according to EU Commission Decision 914/2021/EC or any future replacement) in order to contractually provide that your Personal Data is subject to a level of data protection that applies within the EEA. You may obtain a redacted copy (from which commercial information and information that is not relevant has been removed) of such Standard Contractual Clauses by sending a request to privacy@sap.com. You may also obtain more information from the European Commission on the international dimension of data protection here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
5. What are my rights as a data subject?
a. Right to access, correct and delete personal data. You can at any time access, correct and delete your Personal Data used by SAP for the purposes of using your ID as an authentication mean in the SAP ID Service’s Account feature. Furthermore, you can also request from SAP at any time information about which Personal Data SAP processes about you and the correction or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. Kindly note further that if you request that SAP deletes your Personal Data, you will not be able to continue to use the SAP ID Service which means that you will be not able any more to access any services which use the SAP ID Service for user authentication.
b. Right to data portability. To the extent SAP uses your Personal Data perform a contract with you (please see Section 3. a above), you can further request from SAP a copy of the Personal Data you provided to SAP. In this case, please contact the email address below and specify the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best be fulfilled.
c. Right to restrict processing. You can request from SAP to restrict your Personal Data from further processing in any of the following events: (i) you state the Personal Data about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data, (ii) there is no legal basis for SAP to process your Personal Data and you demand SAP to restrict your Personal Data from further processing, (iii) SAP no longer requires your Personal Data, but you state you require SAP to retain such data to claim or exercise legal rights or to defend against third party claims, or (iv) in case you object to the processing of your Personal Data by SAP based on SAP’s legitimate interest (as further set out below), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
d. Right to object. You may furthermore object against SAP’s usage of your registration data and IP address for the purposes of compliance with applicable non-EU Export Laws at any time. Kindly note, however, that in this case SAP, due to its continuing obligation to comply with these non-EU Export Laws, generally has a compelling ground to further use your Personal Data for this purpose which overrides your right to object. Therefore, if you do not agree to such usage of your registration data and IP address by SAP, please do not use the SAP ID Service or any website, app or cloud service that uses the SAP ID Service for user authentication.
Please direct any of the requests mentioned in this section to CIC Contact Us form.
SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match personal data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent or which are represented by third parties without duly representing respective authority.
Furthermore, if you take the view that SAP is not processing your Personal Data in accordance with the requirements in this privacy statement or under applicable data protection laws, you can at any time lodge a complaint with your locally relevant data protection authority, specifically when you are located in an EEA country, or with the data protection authority of SAP (the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart).
1. When does this Privacy Statement apply?
SAP SE (“SAP”) provides a user authentication service (the “SAP ID Service”) which allows users to access various websites, apps and cloud services across the SAP Group with, depending on the type of user, one (S or P) user ID (each an “ID”). This privacy statement applies to the creation of user IDs and the usage of the SAP ID Service and is in addition to any website, app or cloud service specific privacy statement.
2. Who is the data controller?
Data controller in case of the SAP ID Service is SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany (“SAP”), SAP’s data protection officer can be reached at (privacy@sap.com).
3. Which data categories are used by SAP and what are purposes and duration of data usage?
a. Creation and usage of an ID. If you register for a website, app or cloud service of an entity of the SAP Group for the first time that is using the SAP ID Service for authentication, depending on the platform that the user uses, a subset of the following information is collected: first name, last name, username, email address, country and company in order to create an ID which is unique to you (together your “Personal Data”). Once this registration pr ocess is completed, you can use your ID to get access to the relevant website, app or cloud service.
You can use your ID also to obtain access to other websites, apps and cloud services of the same or other entities of the SAP Group by simply entering your ID into the relevant websites, apps and cloud services. We therefore require your Personal Data in order to make the SAP ID Service and your ID available to you (performance of a contractual relationship, Article 6 para. 1 (b) EU General Data Protection Regulation (“GDPR”)).
b. Compliance with export laws. SAP and its products, technologies, and services are subject to the export laws, trade sanctions, and embargoes (“Export Laws”) of various countries including, without limitation, those of the European Union (“EU”), Germany and of the United States of America. Therefore, you acknowledge that, pursuant to the applicable Export Laws issued by these countries, SAP is required to
aa. take measures to prevent persons, entities and organizations listed on government-issued sanctioned party lists from accessing certain products, technologies, and services through SAP’s websites or other delivery channels controlled by SAP. This may include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to SAP’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match; and
bb. ensure that no individuals from embargoed countries access its services. Therefore, when an existing user logs into a website, app or cloud service of an entity of the SAP Group from an embargoed country, the user’s registration data and IP address may be used by SAP to block the user’s access and to log access attempts from embargoed countries.
Any such usage of registration data and IP addresses (which, for the avoidance of doubt is also part of your Personal Data) by SAP is necessary for SAP’s compliance with applicable EU Export Laws (Article 6 para. 1 © GDPR) and SAP’s legitimate interest to comply with non-EU Export Laws (Article 6 para. 1 (f) GDPR).
Kindly note that, although any provisioning of Personal Data is voluntarily to you, without your Personal Data, SAP cannot provide you with access to the SAP ID Service or create any IDs. SAP will only store your Personal Data for as long as it is required for providing you with access to the SAP ID Service, as long as you use the SAP ID Service and for the purposes of SAP’s compliance with applicable Export Laws plus in each case, where applicable, any additional periods under applicable laws during which SAP has to retain your Personal Data
4. Who receives my Personal Data?
As part of a global group of companies, SAP uses affiliates and third-party service providers within as well as outside of the European Economic Area (the “EEA”). As a consequence, whenever SAP is using or otherwise processing your Personal Data for the purposes set out in this Privacy Statement, SAP may transfer your Personal Data to countries outside of the EEA including to such countries in which a statutory level of data protection applies that is not comparable to the level of data protection within the EEA. Whenever such transfer occurs, it is based on the Standard Contractual Clauses (according to EU Commission Decision 914/2021/EC or any future replacement) in order to contractually provide that your Personal Data is subject to a level of data protection that applies within the EEA. You may obtain a redacted copy (from which commercial information and information that is not relevant has been removed) of such Standard Contractual Clauses by sending a request to privacy@sap.com. You may also obtain more information from the European Commission on the international dimension of data protection here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
5. What are my rights as a data subject?
a. Right to access, correct and delete personal data. You can at any time access, correct and delete your Personal Data used by SAP for the purposes of using your ID as an authentication mean in the SAP ID Service’s Account feature. Furthermore, you can also request from SAP at any time information about which Personal Data SAP processes about you and the correction or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. Kindly note further that if you request that SAP deletes your Personal Data, you will not be able to continue to use the SAP ID Service which means that you will be not able any more to access any services which use the SAP ID Service for user authentication.
b. Right to data portability. To the extent SAP uses your Personal Data perform a contract with you (please see Section 3. a above), you can further request from SAP a copy of the Personal Data you provided to SAP. In this case, please contact the email address below and specify the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best be fulfilled.
c. Right to restrict processing. You can request from SAP to restrict your Personal Data from further processing in any of the following events: (i) you state the Personal Data about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data, (ii) there is no legal basis for SAP to process your Personal Data and you demand SAP to restrict your Personal Data from further processing, (iii) SAP no longer requires your Personal Data, but you state you require SAP to retain such data to claim or exercise legal rights or to defend against third party claims, or (iv) in case you object to the processing of your Personal Data by SAP based on SAP’s legitimate interest (as further set out below), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
d. Right to object. You may furthermore object against SAP’s usage of your registration data and IP address for the purposes of compliance with applicable non-EU Export Laws at any time. Kindly note, however, that in this case SAP, due to its continuing obligation to comply with these non-EU Export Laws, generally has a compelling ground to further use your Personal Data for this purpose which overrides your right to object. Therefore, if you do not agree to such usage of your registration data and IP address by SAP, please do not use the SAP ID Service or any website, app or cloud service that uses the SAP ID Service for user authentication.
Please direct any of the requests mentioned in this section to CIC Contact Us form.
SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match personal data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent or which are represented by third parties without duly representing respective authority.
Furthermore, if you take the view that SAP is not processing your Personal Data in accordance with the requirements in this privacy statement or under applicable data protection laws, you can at any time lodge a complaint with your locally relevant data protection authority, specifically when you are located in an EEA country, or with the data protection authority of SAP (the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg, Lautenschlagerstraße 20, 70173 Stuttgart).