SAP Community Privacy Statement - Update

This Privacy Statement was updated on Dec 23, 2024.

Overview

Protecting the individual's privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter "We", "SAP", "Us" or "Our") to the individual`s right to data protection and privacy. It outlines how We handle information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”).  Processing in the context of this Privacy Statement means any collection, use, transmission, disclosure, erasure or any other similar operation based on Personal Data (hereinafter “Processing” or “Process”).

SAP is processing information including Personal Data about the users of SAP Community using cookies or similar technologies for the purposes set out in the Cookie Statement. You will find further information and have the option to exercise your cookie preferences under the following link: [Link TBD].

To view the previous version of this Privacy Statement, click here.

General information

Who is the responsible SAP Entity?

This Privacy Statement applies to the collection and processing of Personal Data:

  •  during the central operation of this website and other globally operated SAP business activities by
    • SAP SE, Dietmar-Hopp-Allee 16 Walldorf 69190, Germany if you are in a member state of the European Union (EU) or the European Economic Area (EWR) or in any of the countries of Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, Switzerland, or the United Kingdom or by
    •  SAP America Inc., 3809 West Chester Pike, Suite 200, Newtown Square, PA 19073, USA if you are in any other country, or
    • a specific SAP group entity as may be stated in the “Additional Country and Regional Specific Provisions” at the end of this Privacy Statement.
  • in the context of a registration form where SAP Community is directly collecting personal data for the purpose of registering to the community or community-hosted event and is therefore presented as the relevant controller on this registration page or website by reference to this privacy statement.

You can reach SAP Group’s data protection officer any time at privacy@sap.com.

For what purposes does SAP process your Personal Data and based on what legal basis?

Depending on the applicable law, the Processing of Personal Data is subject to a justification, sometimes referred to as legal basis.

SAP’s compliance with statutory obligations

  • SAP and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. Applicable export laws, trade sanctions, and embargoes issued by these countries oblige SAP to prevent organizations, legal entities and other parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through SAP’s websites or other delivery channels (e.g. the European Union Sanctions List, the US sanctions lists including the Bureau of Industry and Security’s (BIS) Denied Persons Lists (DPL), the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (SDN-List) and the US DOCs Bureau of Industry and Security’s Entity Lists and the United Nations Security Council Sanctions). SAP processes personal data to the extent necessary to comply with these legal requirements. Specifically, SAP processes personal data to conduct automated checks against applicable sanctioned-party lists, to regularly repeat such checks whenever a sanctioned-party list is updated or when a user updates his or her information. In case of a potential match, SAP will block the access to SAP’s services and systems and contact the user to confirm his or her identity.
  • SAP Community processes your personal data for the purpose of ensuring an adequate level of technical and organizational security of SAP's products, services, online events, facilities, and premises. For this, SAP will take the measures necessary to verify or maintain the quality and safety of a product or service which is owned, manufactured by or for, or controlled by SAP. This may comprise the use of personal data for sufficient identification and authorization of designated users, internal quality control through auditing, analysis, and research, debugging to identify and repair errors that impair existing or intended functionality, account and network security, replication for loss prevention, detecting security incidents, protection against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such kind of activity.
  • SAP processes Personal Data (name, surname, country, IP address) to the extent necessary to fulfil sanctions and embargo requirements under European Economic Area (“EEA”) laws to which SAP is subject, and laws and regulations extraterritorial to the EEA (based on SAP’s legitimate interest).
  • If necessary, SAP uses personal data to prevent or prosecute criminal activities such as any form of cybercrime, the illegal use of our products and services or fraud, to assert our rights or defend SAP against legal claims.
  • To comply with data protection and unfair competition law related requirements. Depending on the country in which the relevant SAP Group company operates, and whether you have expressly consented to or opted out of receiving commercial information, SAP may process personal data necessary to accommodate your data protection and privacy choices for the receipt of such information and, when necessary to ensure compliance, exchange such information with the other entities of the SAP Group.
  • When ensuring compliance, SAP processes your Personal Data if and to the extend necessary to fulfill legal requirements under European Union or EU Member State law to which SAP is subject, and laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations).

SAP Community

When conducting business and operating our various web presences and other communication channels, SAP Community processes the personal data of the people it interacts with, including customers, partners, suppliers, vendors, candidates, and any other people with whom we interact.

In any of these cases, SAP may process personal data for one or more of the following business purposes:

To provide access to SAP Community and operate web offerings, or other online events - When operating its internet pages, web offerings or other online events ("Web-Services"), SAP processes your Personal Data for the following purposes:

  • Creating user profiles

The SAP Community (which has forums, groups, blogs, networks, etc.) requires you to register and create a user profile. Through the user profile you can share personal information about yourself with other users, such as your name, photo, social media accounts, postal or email address, telephone number, personal interests, skills, and basic information about your company. The user profiles serve to personalize the interactions between the users (for example, by way of messaging or follow functionality) and to allow SAP to foster collaboration and quality of communication through such offerings. The profile settings of the relevant web offering allow you to determine which information you want to share.

  • Identity service

The user profile may be specific to SAP Community, but it also allows you to access other web offerings of SAP or of other entities of the SAP Group. It is your choice whether or not to use any of these additional web offerings. If you do, SAP will make your Personal Data available to such other web offering to provide you with initial access. Kindly note that without your consent for SAP to create such user profiles, SAP will not be able to offer such services to you where your consent is a statutory requirement that SAP can provide these services to you.

  • Event profiling

If you register for an event, seminar, or webinar of SAP Community, SAP Community may share basic participant information (your name, company, and email address) with other participants of the same event, seminar, or webinar to promote the interaction between the participants and to stimulate the communication and the exchange of ideas. SAP Community will use personal data to assign badges and points to your account based on your participation.

  • Cookies and similar tools

SAP Community processes personal data about the users of SAP Community websites and other web offerings using cookies or similar technologies for the purposes set out in SAP’s Cookie Statement. By visiting the “Cookie Preferences” link in the footer of the community.sap.com homepage, you will find further information and have the option to exercise your cookie preferences in SAP Community.

  • User experience improvement

SAP Community processes information that relates to your visit to our web offerings to improve your user experience, identify your individual demand, and to personalize the way we provide you with the information you are looking for. For this purpose, We collect information regardless of whether you register with a user profile or not.

  • Feedback requests and surveys

To the extent allowed by applicable law, SAP Community may contact you for feedback regarding the improvement of the relevant material, or service. SAP Community may also invite you to participate in questionnaires and surveys. These will generally be designed so you can participate without having to provide information that identifies you as a participant. If you nonetheless provide your Personal Data, SAP will use it for the purpose stated in the questionnaire or survey or to improve its products and services.

  • To keep you up to date on the content you are following

Within an existing business relationship between you and SAP Community, SAP Community processes your Personal Data to inform you about content that you are following based on your communication preferences. SAP will inform you by email or Inbox feature about such news only as far as it is allowed by law and as maintained by you in preferences in your profile. You are entitled to object to SAP’s use for this purpose at any time by selecting the opt-out option available in your profile.

  • Identify superstars

SAP is collecting and processing personal data to identify high-caliber participants in the community for recognition (sharing of badges/ assigning points etc.)

  • Maintain a high standard of content moderation

We aim to keep providing the best services to the customers to support that SAP community SAP is collecting and processing data to run reports to review and evaluate the quality/effectiveness of all content moderators by looking at Replies, Solutions Authored, and other metrics.

  • To promote community usage

SAP is collecting and processing data for community analytics. SAP holds partners and their consultants accountable to actively use Partner Delivery Groups as a best practice for many reasons. Community Analytics functionality is used to help SAP Partner Management teams drive this accountability and to promote community usage.

  • To communicate

SAP Community is collecting and processes personal data to keep the users informed about any policy and platform changes in the community.

What categories of Personal Data does SAP process?

    SAP Community processes personal data about the users interacting with SAP Community for operation purposes. It comprises the following types of personal data-

    • Contact Data
      • SAP processes the following categories of personal data as contact data: first name, last name, username, email addresses, postal address/location (country, state/province, city), telephone numbers, and your relationship history with SAP.
    • Data generated through your use of, or participation in, SAP's internet pages, web, or online offerings
      • Usage data

        • SAP processes certain user-related information, e.g., info regarding your browser, operating system, or your IP address when you visit SAP’s web properties. The content you are creating/following/unfollowing/like/dislike etc.

      • Registration data

        • SAP may process your contact data as set out above and other information which you may provide directly to SAP if you register for any of SAP's events or other Web-Services.

      • Participation data

        • When you participate in webinars, virtual seminars, events, or other SAP Web-Services, SAP may process your interactions with the relevant webservice to organize the event including its sessions, polls, surveys, or other interactions between SAP and/or its participants. Depending on the event and subject to a respective notification of the participants, SAP may collect audio and video recordings of the event or session.

      If SAP processes special categories of Personal Data under applicable law, SAP will ask you for your consent in a specific declaration.

    From What Types of Third Parties does SAP obtain Personal Data?

    SAP generally aims to collect Personal Data directly from you. If you obliged by statutory law or contractual requirements to provide Personal Data to SAP and you fail to provide such Personal Data, then kindly note that SAP may not be able to provide you with the respective service and/or business relationship. If you or applicable law allows Us to do so, We may obtain Personal Data also from Third Party which may include:

    • your employer in the context of its business relationship with SAP and/or the SAP Group ,
    • Third Parties you directed to share your Personal Data with SAP

    When We collect Personal Data from Third Parties, established internal controls aim to ensure that the third-party source was permitted to provide this information to SAP and that We may use it for this purpose. SAP will treat this Personal Data according to this Privacy Statement and any additional restrictions imposed by the third party that provided the Personal Data to SAP or by applicable national law.

    How long does SAP store your Personal Data

    SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. SAP does only store your Personal Data for as long as it is required:

    • for SAP to comply with statutory obligations to retain Personal Data, resulting inter alia e.g. from applicable export, finance, tax or commercial laws
    • to make SAP Community services available to you
    • to fulfill SAP’s legitimate business purposes as further described in this Privacy Statement, unless you object to SAP’s use of your personal data for these purposes
    • until you revoke your consent by deleting your account
    • or if the account is inactive for a duration of 5 years

    Who are the recipients of your personal data?

    Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:

    1. Companies within the SAP Group
    2. Third-party service providers for provision of the website
    3. Partners
    • SAP Group entities

    SAP may transfer your Personal Data to the locally relevant SAP group entity for the purpose and to the extent necessary to conduct a business relationship. Other entities of the SAP Group may also receive or gain access to Personal Data either when rendering group internal services centrally and on behalf of SAP SE and the other SAP group entities or when Personal Data is transferred to them on a respective legal basis. In these cases, these entities may process the Personal Data for the same purposes and under the same conditions as outlined in this Privacy Statement. The current list of SAP Group entities can be found here.

    • Other third parties

    SAP Community may transfer your registration data based on your consent or as otherwise indicated by your request to companies listed on the registration page of an SAP seminar, webinar or event. These companies may receive your personal data as co-organizer or sponsors of the event and will use your registration data for the purposes of their participation in the event. They will provide you directly with any legally required information about their processing purposes and how you may exercise your rights.

    • Partners

    SAP may transfer your Personal Data to partners. They will use the data to promote community usage via analyzing the data and providing feedback about partners and how well the community resources are used.

    What are your data protection rights and how can you exercise them?

    SAP honors your statutory rights when it comes to the Processing of your Personal Data. To the extent provided by applicable data protection laws, you have the right to:

    • access your Personal Data that we have on you, or have it updated.
    • Data portability of the Personal Data you provided to SAP, if SAP uses your Personal Data based on your consent or to perform a contract with you. In this case, please contact [please add contact email address] and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best be fulfilled.
    • Delete your Personal Data we hold about you. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. If you request from SAP to delete your Personal Data, you may not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.
    • Right to object against SAP further processing your Personal Data, if and to the extent SAP is processing your Personal Data based on its Legitimate Interest. When you object to SAP's processing of your Personal Data, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP’s compelling legitimate grounds for continued use of the Personal Data, which may override your interest in objecting, or if SAP requires the information for the establishment, exercise, or defense of legal claims.
    • Right to object to direct marketing or to apply profiling in relation to direct marketing. When you object to SAP's processing of your Personal Data for direct marketing purposes, SAP will immediately cease to process your personal data for such purposes.
    • Revoke consent, wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required or permitted to do so (e.g. if your Personal Data is needed by SAP to assert or defend against legal claims). In case SAP is required or permitted to retain your Personal Data for other legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law or fulfil the other purpose. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal. Furthermore, if your use of an SAP offering requires your prior consent, SAP will no longer be able to provide the relevant service, offer or event to you after your revocation.
    • Not to be subject to a decision based solely automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way.
    • You can request from SAP to restrict your Personal Data from further processing in any of the following events: 
      • you state the Personal Data about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data, 
      • there is no legal basis for SAP to process your Personal Data and you demand SAP to restrict your Personal Data from further processing, 
      • SAP no longer requires your Personal Data, but you state you require SAP to retain such data to claim or exercise legal rights or to defend against third party claims, or
      • in case you object to the processing of your Personal Data by SAP based on SAP’s legitimate interest, subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
    • Lodge a complaint to the competent supervisory authority if you are not satisfied with how SAP is processing your Personal Data. Your competent supervisory authority can be found in the country specific section.

    Depending on applicable local data protection laws, your rights may be subject to deviations, limitations, or exceptions as set out in the country specific section “B. Additional Country and Regional Specific Provisions”. Please be aware, that SAP honors your statutory rights when it comes to the Processing of your Personal Data to the extent provided by applicable data protection laws.

    How can you exercise your data protection rights?

    Please direct any requests to exercise your rights to sapcommunity@sap.com. SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise.  When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.

    SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.

    How will SAP verify requests to exercise data protection rights?

    SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.

    SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.

    Can you use SAP’s services if you are a minor?

    Children. In general, SAP Community is not directed to users below the age of 16 years, or the equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use SAP Community.

    Automated responses in enhanced search capabilities through SAP Consulting Capability 

    SAP Consulting Capability processes data generated from your interaction with SAP’s internet pages, websites, and online offerings. This includes user-related information such as the content you create (e.g. blog posts, Q&A’s, tutorials, learning journeys and videos), follow, unfollow, like, dislike etc., when you participate in SAP online communities. This information may be utilized to generate search results and create generative responses on a range of SAP-specific topics to allow for SAP Consulting Capability end- users to receive immediate answers to their queries. 

    The data processed through SAP's Consulting Capability is confined to information available specifically on:

    • SAP Community
    • Community Groups on Khoros
    • Developer tutorials from developers.sap.com
    • Learning content on the SAP Learning site from the SAP Learning platform at learning.sap.com

     The SAP Consulting Capability focuses solely on the published content, not on individual authors.

    Additional Country and Regional Specific Provisions

    Where SAP is subject to privacy requirements in the EU/EEA or a country with national laws equivalent to the GDPR

    • Who is the relevant Data Protection authority?

    You may find the contact details of your competent data protection supervisory authority here. SAP’s lead data protection supervisory authority is in Germany, the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg and can be reached at Lautenschlagerstraße 20, 70173 Stuttgart.

    • What are the legal permissions for SAP to process Personal Data?

    SAP is processing your Personal Data for the business purposes set out above based on the following legal permissions:

    Where We refer to GDPR Article 6.I (f), consequently SAP’s legitimate business interest as Our legal permission to process your Personal Data, SAP is pursuing its legitimate business interests

      • to efficiently manage and perform its business operations,
      • to maintain and operate intelligent and sustainable business processes in a group structure optimized for the division of labor and in the best interest of Our employees, customers, partners, and shareholders,
      • to operate sustainable business relationships with SAP customers and partners including you (each of which as further set out below),
      • serve you with the best possible user experience when using SAP Community,
      • comply with extraterritorial laws and regulations, or
      • assert or defend itself against legal claims.

    We believe that Our interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain from processing for such purpose. In any of these cases, We duly factor into Our balancing test:

      • the business purpose reasonably pursued by SAP in the given case,
      • the categories, amount and sensitivity of Personal Data that is necessarily being processed,
      • the level of protection of your Personal Data which is ensured by means of Our general data protection policies, guidelines, and processes, and
      • the rights you have in relation to the processing activity.

    To comply with statutory obligations

    When ensuring compliance with applicable laws and regulations, SAP and local SAP group entities may process your Personal Data based on

      • GDPR Article 6.I (c) if necessary, to fulfill legal requirements under European Union or EU Member State law to which SAP is subject,
      • GDPR Article 6.I (f) if necessary, to fulfill laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations),
      • or the equivalent articles under other national laws, when applicable.

    To operate SAP internet pages, web-offerings, or other online events

    When operating Web-Services") and depending on the respective operating purpose, SAP is processing your Personal Data on the basis of the following legal permissions:

      • GDPR Article 6.I (b) and (f) to provide the Web-Services and functions, create and administer your online account, updating, securing, troubleshooting the service, providing support, improving, and developing the Web-Services, answering and fulfilling your requests or instructions, (legitimate interest to efficiently perform or manage SAPs business operation)
      • GDPR Article 6.I (c) and (f) to manage and ensure the security of Our Web-Services and prevent and detect security threats, fraud or other criminal or malicious activities and as reasonably necessary to enforce the Web-Services terms, to establish or preserve a legal claim or defense, to prevent fraud or other illegal activities, including attacks on Our information technology systems (legitimate interest to efficiently perform or manage SAP’s business operation and assert or defend itself against legal claims)
      • GDPR Article 6.I (a) if it is necessary that We ask you for your consent to process your Personal Data
      • or equivalent legal permissions under other relevant national laws, when applicable

    To use Cookies and similar tracking technologies

    When tracking and evaluating the usage behavior of users of Our Web-Services by means of cookies or similar technologies, SAP is processing your Personal Data on the basis of the following legal permissions:

      • GDPR Article 6.I (a) if it is necessary that We ask you for your consent to process your Personal Data,
      • GDPR Article 6.I (b) if necessary to fulfill (pre-)contractual obligations with you,
      • GDPR Article 6.I (f) if necessary to fulfill (pre-)contractual obligations with the company or other legal body you represent as a customer contact (legitimate interest to efficiently perform or manage SAP’s business operation),
      • or equivalent legal permissions under other relevant national laws, when applicable.

    To provide access to SAP Community and operate web offerings, or other online events

    SAP is processing your Personal Data on the basis of the following legal permissions:

    Where SAP is subject to privacy requirements in Australia.

    Where SAP is subject to the requirements of the Privacy Act 1988 (Cth) (‘Privacy Act’), the following applies:

    SAP may store your Personal Data in paper-based files or as an electronic record in the Cloud or on physical devices e.g. computer systems. Your Personal Data will likely be held and stored by the SAP Group located in another country for our general business purposes including outsourcing and data processing. We will only do this where it is necessary or appropriate to achieve the purposes set out in this Privacy Statement. We take reasonable steps to protect your personal information from misuse, interference and loss and from unauthorized access, modification or disclosure.

    You can contact Us either by the telephone number +61 2 9935 4939 or via email at [please add contact email address] to exercise the following rights:

    • You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it.

    • Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal.

    • In Australia, a complaint should first be made to SAP in writing as required by law. You can find more information about privacy and the protection of Personal Data on the Office of the Australian Information Commissioner website.

    Where SAP is subject to the requirements of the Brazilian General Data Protection Law (“LGPD”).

    SAP has appointed a Data Protection Officer for Brazil. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to:

    Paulo Nittolo Costa

    Email: webmaster[@]sap.com

    Address: Avenida das Nações Unidas 14171 - Marble Tower – 7th Floor - São Paulo-SP, Brazil 04794-000 

    Where SAP is subject to privacy requirements in Canada.

    Your Personal Data may be processed globally. If personal data is processed across country borders, SAP complies with laws of the transfer of Personal Data between countries to keep your personal data protected. It may, however, based on the laws of such countries be subject.

    Where SAP is subject to privacy requirements in Colombia.

    Where SAP is subject to the requirements of the Columbian Statutory Law 1581 of 2012 and Decree 1377 of 2013, the following applies:

    Within Colombia you have the right to:

    • access, update and rectify your Personal Data.

    • Request evidence of your consent.

    • Upon request, receive information about how SAP Processes your Personal Data.

    • Lodge a complaint with the Superintendence of Industry and Commerce (“SIC”) about a violation of the applicable laws.

    • Revoke your consent and/or request the deletion of your Personal Data, provided that there is no supervenient legal or contractual obligation that allows SAP to keep your Personal Data in SAP’s databases.

    SAP Colombia S.A. may Process your Personal Data by itself or on behalf of the SAP Group, with its main office located at Carrera 9 No 115 – 06, Edificio Tierra Firme Of. 2401 Bogotá D.C., Colombia. You can contact Us either by the telephone number +57-6003000 or via email at privacy@sap.com. SAP will be responsible to answer any requests, questions, and complaints that you might have to your right to access, update, correct and delete your Personal Data, or revoke your consent.

    Where SAP is subject to privacy requirements in India .

    Where SAP is subject to the requirements of the Digital Personal Data Protection Act, 2023 (‘DPDPA’) the following applies:

    As part of a global group of companies operating internationally, SAP has affiliates (the SAP Group) and third party service providers outside of the Indian region and will transfer your Personal Data to countries outside the India region, subject to any restrictions as may be notified by the Central Government in this regard.

    You have the right to:

    • request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction, completion, update or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. If you request from SAP to delete your Personal Data, you may not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.

    • Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain your Personal Data for legal reasons, your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal.

    • request from SAP the right to have readily available means of grievance redressal provided by SAP in respect of any act or omission of SAP regarding the performance of SAP’s obligations in relation to your Personal Data or your exercise of rights in relation thereto.

    • nominate, any other individual, who shall, in the event of your death or incapacity, exercise your data protection rights.

    Please direct any requests/queries to exercise your rights to privacy@sap.com. In India, after exhausting the opportunity of redressing the right of grievance, you may lodge a complaint to the Data Protection Board of India.

    Where SAP is subject to privacy requirements in the Kingdom of Saudi Arabia (KSA).

    Where SAP is subject to the requirements of the Personal Data Protection Law (PDPL) the following applies:

    • SAP processes your Personal Data by using electronic means for collecting, storing and other processing as described above.

    • SAP destroys your Personal Data by using electronic means as appropriate for the purposes described above.

    • Your Personal Data will be held and stored by SAP or the SAP Group which may be located in another country outside of Saudi Arabia for our general business purposes including outsourcing and data processing.

    • Depending on the purpose, Personal Data may be shared regularly or occasionally.

    • Compensation can only be claimed if the courts determined that you were harmed by material or moral damage as a result of any violation stipulated in the PDPL and its Implementing Regulations.

    If SAP does not comply with the PDPL you can file a complaint to the contact provided under section A of this document.

    If you are not satisfied with how we process your complaint you can file a complaint at the competent authority:

    Saudi Data and Artificial Intelligence Authority (SDAIA), Digital City, Riyadh, 12382, Kingdom of Saudi Arabia, Website: sdaia.gov.sa

    Where SAP is subject to privacy requirements in Malaysia.

    Where SAP is subject to the requirements of the Personal Data Protection Act (PDPA) of Malaysia, the following applies:

    Written inquiries, requests or complaints can be sent to the Data Protection and Privacy Coordinator for Malaysia via email privacy@sap.com or can be reached via phone +60 3-2202 6000. SAP has implemented technology, security features and strict policy guidelines to safeguard the privacy of users’ Personal Data.

    Please direct any enquiries or requests via email at privacy@sap.com or via phone at +82-2-2194-2279.

    Where SAP is subject to privacy requirements of Mexico.

    Where SAP is subject to the requirements of the Mexican Federal Law for the Protection of Personal Data Held by Private Parties of 2010, the following applies:

    You have the right to file a complaint with the National Institute of Transparency Access to Information and Protection of Personal Data (INAI) to assert any disagreement related to the processing of your Personal Data by SAP.

    SAP reserves the right to change, modify, add or remove portions of this Privacy Statement at its sole discretion. In such case, SAP shall maintain available a complete version of SAP’s Privacy Statement. SAP will notify you of any change or modification to this Privacy Statement via the respective communication channel We have with you, e.g., at Our website.

    Where SAP is subject to privacy requirements in New Zealand.

    Where SAP is subject to the requirements of the Privacy Act 2020 (Privacy Act), the following applies:

    1. SAP is required to Process this Personal Data in accordance with [insert the particular law, e.g. tax or employment law] for which the collection of this information is authorized or required. The supply of this Personal Data by you is [voluntary or mandatory].

    2. If the Personal Data is not collected, we may not be able to [insert the consequences for the individual if the Personal Data is not collected].

    You have the right to:

    • request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it.

    Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal.

    Where SAP is subject to privacy requirements in the Philippines.

    Where SAP is subject to the Philippine Data Privacy Act and its Implementing Rules and Regulations, the following applies:

    • When you request to update or correct your Personal Data, SAP may deny the request if it is manifestly unfounded, vexatious, or otherwise unreasonable.

    • When requesting the data portability of the Personal Data you provided to SAP, you must additionally specify the commonly used electronic or structured format in which you would like to receive the Personal Data.

    • When you request to object against the processing of your Personal Data: (i) You may do so if SAP is processing based on its Legitimate Interest. SAP will carefully review your objection and cease further use of the relevant information, unless SAP has other lawful basis for processing in Sections 12 and 13 of the Data Privacy Act. (ii)You can also object to the processing of your Personal Data for direct marketing, profiling, or in cases of automated processing where your Personal Data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect you.

    • You can reach out via email at privacy@sap.com to exercise your data protection rights.

    • Compensation can only be claimed when National Privacy Commission or the courts determined that you sustained damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, considering any violation of your rights and freedoms. You may likewise seek redress from the National Privacy Commission, but it must be clearly shown that you are the subject of a privacy violation, Personal Data breach, or are otherwise personally affected by a violation of the Data Privacy Act.

    The contact details of your local Data Protection Officer/s are as follows:

    • Data Protection Officer, SAP Philippines Inc., 27th Floor NAC Tower, 32nd Street Bonifacio Global City, Taguig City, 1632; email: dpo_sap.ph@sap.com; telephone number:: +632-8705-2500

    • Data Protection Officer, Concur (Philippines) Inc., 7th Floor Alphaland Southgate Mall, Chino Roces, Makati City, email: dpo_concur.ph@sap.com; telephone number: +632-8705-2500

    • Data Protection Officer, SuccessFactors (Philippines) Inc.; 14th and 15th Floors Cyberscape Gamma,Topaz and Ruby Roads, Ortigas Center; Pasig City, email: dpo_successfactors.ph@sap.com,: telephone number +632-8705-2500

    Where SAP is subject to privacy requirements in Singapore.

    Where SAP is subject to the requirements of the Singapore’s Personal Data Protection Act (PDPA), the following applies:

    • You can request from SAP personal data about you that is in the possession or under the control of SAP and information about the ways in which such personal data has been or may have been used or disclosed by SAP within a year prior to this request. Please be informed that SAP is not obliged to accede to your request if any exceptions under the PDPA apply.

    • You may submit a request to have inaccurate/incomplete personal data corrected in our systems. Please be informed that SAP is not obliged to accede to your request if any exceptions under the PDPA apply.

    • Revoke consent, wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required or permitted to do so (e.g. if your Personal Data is needed by SAP to assert or defend against legal claims). In case SAP is required or permitted to retain your Personal Data for other legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law or fulfil the other purpose. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal. Furthermore, if your use of an SAP offering requires your prior consent, SAP will no longer be able to provide the relevant service, offer or event to you after your revocation.

    • Lodge a complaint to the Personal Data Protection Commission (PDPC) if you are not satisfied with how SAP is processing your Personal Data.

    SAP has appointed a Data Protection Officer for Singapore. Written inquiries, requests or complaints to our Data Protection Officer can be send via post to Mapletree Business City, 30 Pasir Panjang Rd, #03-32, Singapore 117440 or email to privacy@sap.com with the subject “Data Protection Officer” or can be reached via phone +65 6664 6868.

    Where SAP is subject to privacy requirements in South Africa.

    Where SAP is subject to the requirements of the Protection of Personal Information Act, 2013 (“POPIA”) in South Africa, the following also applies:

    “Personal data” as used in this Privacy Statement means Personal Information as such term is defined under POPIA.

    “You” and “Your” as used in this Privacy Statement means a natural person or a juristic person as such term is used under POPIA.

    Systems Applications Products (Africa Region) Proprietary Limited & Systems Applications Products (South Africa) Proprietary Limited with registered address at 1 Woodmead Drive, Woodmead (SAP South Africa) is subject to South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) and responsible party under the POPIA.

    Should you as an individual or a juristic person believe that SAP South Africa as responsible party has utilized your personal information contrary to POPIA, you undertake to first attempt to resolve any concerns with SAP South Africa.

    sapcommunity[@]sap.com

    Phone: 011 325 6000

    Address: 1 Woodmead Drive, Woodmead, Johannesburg South Africa 2148

    If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator, using the contact details listed below:

    JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, P.O. Box 31533, Braamfontein, Johannesburg, 2017

    Email: complaints.IR[@]justice.gov.za

    Enquires: inforeg[@]justice.gov.za

    You may request details of personal information which we hold about you under the Promotion of Access to Information Act 2 of 2000 (“PAIA”). For further information please review the SAP PAIA manual.

    Where SAP is subject to privacy requirements in South Korea.

    Where SAP is subject to the requirements of the South Korea Personal Information Protection Act (“PIPA”), the following applies:

    Your personal data may be processed globally. When personal data is processed across country borders, SAP complies with laws on the transfer of personal data between countries to keep your personal data protected. Your personal data may be transferred to, accessed or processed by the categories of third-parties as described above.

    How can you exercise your data protection rights?

    SAP has appointed a local Chief Privacy Officer for South Korea.

    Where SAP is subject to privacy requirements in the United States of America.

    Where SAP is subject to the requirements of the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Acts of 2020 (CPRA), from hereon referred to as “CCPA” or where other US state laws have similar requirements, the following applies:

    You have the right to:

    • Know what personal information the business has collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer.

    • Delete personal information that the business has collected from the consumer, subject to certain exceptions.

    • Correct inaccurate personal information that a business maintains about a consumer.

    • Opt-out of the sale or sharing of their personal information by the business (where applicable).

    • Limit the use or disclosure of sensitive personal information by the business (subject to certain exceptions, where applicable).

    • Receive non-discriminatory treatment for the exercise of these rights.

    How you can exercise your Data Protection Right.

    To exercise these rights, or to limit the Sharing of your Personal Information, please contact us at [please add two contact methods such as contact email address, webform, postal address, phone etc.]. In accordance with the verification process set forth under US relevant state law (as appropriate), SAP may require a more stringent verification process for deletion requests (or for Personal Data that is considered sensitive or valuable) to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If SAP must request additional information from you outside of information that is already maintained by SAP, SAP will only use it to verify your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes. You can designate an authorized agent to submit requests to exercise your data protection rights to SAP. The agent must submit authorization to act on your behalf and, where required by relevant law, the agent must be appropriately registered.

    Financial Incentives. SAP does not offer financial incentives in return for your consent to share your personal information, nor limit service offerings where you opt-out of such sharing (unless sharing is practically necessary to perform the relevant service).

    Children’s Privacy. Given that [insert relevant SAP offering] is not directed to users under 16 years of age, SAP does not sell or share the personal information of any minors under 16. If you are a parent or guardian and believe SAP collected information about your child, please contact SAP. SAP will take steps to delete the information as soon as possible.