SAP Community Privacy Statement( previous-version)
This Privacy Statement was updated on Oct 26, 2022.
Protecting the individual's privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter "We", "SAP", "Us" or "Our") to the individual`s right to data protection and privacy. It outlines how We handle information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”).
Who do we mean when we say SAP in this Privacy Statement?
This Privacy Statement applies to the collection and processing of Personal Data:
- during the central operation of this website and other globally operated SAP business activities by
- in the context of a registration form where SAP Community is directly collecting personal data for the purpose of registering to the community or community-hosted event and is therefore presented as the relevant controller on this registration page or website by reference to this privacy statement.
You can reach SAP Group’s data protection officer any time at privacy[@]sap.com.
For what purposes does SAP process your Personal Data?
When conducting business and operating our various web presences and other communication channels, SAP Community processes the personal data of the people it interacts with, including customers, partners, suppliers, vendors, candidates, and any other people with whom we interact.
In any of these cases, SAP may process personal data for one or more of the following business purposes:
1: To provide access to SAP Community and operate web offerings, or other online events - When operating its internet pages, web offerings or other online events ("Web-Services"), SAP processes your Personal Data for the following purposes:
- Creating user profiles
The SAP Community (which has forums, groups, blogs, networks, etc.) requires you to register and create a user profile. Through the user profile you can share personal information about yourself with other users, such as your name, photo, social media accounts, postal or email address, telephone number, personal interests, skills, and basic information about your company. The user profiles serve to personalize the interactions between the users (for example, by way of messaging or follow functionality) and to allow SAP to foster collaboration and quality of communication through such offerings. The profile settings of the relevant web offering allow you to determine which information you want to share.
- Identity service
The user profile may be specific to SAP Community, but it also allows you to access other web offerings of SAP or of other entities of the SAP Group. It is your choice whether or not to use any of these additional web offerings. If you do, SAP will make your Personal Data available to such other web offering to provide you with initial access. Kindly note that without your consent for SAP to create such user profiles, SAP will not be able to offer such services to you where your consent is a statutory requirement that SAP can provide these services to you.
- Event profiling
If you register for an event, seminar, or webinar of SAP Community, SAP Community may share basic participant information (your name, company, and email address) with other participants of the same event, seminar, or webinar to promote the interaction between the participants and to stimulate the communication and the exchange of ideas. SAP Community will use personal data to assign badges and points to your account based on your participation.
- Cookies and similar tools
SAP Community processes personal data about the users of SAP Community websites and other web offerings using cookies or similar technologies for the purposes set out in SAP’s Cookie Statement. By visiting the “Cookie Preferences” link in the footer of the community.sap.com homepage, you will find further information and have the option to exercise your cookie preferences in SAP Community.
- User experience improvement
SAP Community processes information that relates to your visit to our web offerings to improve your user experience, identify your individual demand, and to personalize the way we provide you with the information you are looking for.
- Feedback requests and surveys
To the extent allowed by applicable law, SAP Community may contact you for feedback regarding the improvement of the relevant material, or service. SAP Community may also invite you to participate in questionnaires and surveys. These will generally be designed so you can participate without having to provide information that identifies you as a participant. If you nonetheless provide your Personal Data, SAP will use it for the purpose stated in the questionnaire or survey or to improve its products and services.
- To keep you up to date on the content you are following
Within an existing business relationship between you and SAP Community, SAP Community processes your Personal Data to inform you about content that you are following based on your communication preferences. SAP will inform you by email or Inbox feature about such news only as far as it is allowed by law and as maintained by you in preferences in your profile. You are entitled to object to SAP’s use for this purpose at any time by selecting the opt-out option available in your profile.
- Identify superstars
SAP is collecting and processing personal data to identify high-caliber participants in the community for recognition (sharing of badges/ assigning points etc.)
- Maintain a high standard of content moderation
We aim to keep providing the best services to the customers to support that SAP community SAP is collecting and processing data to run reports to review and evaluate the quality/effectiveness of all content moderators by looking at Replies, Solutions Authored, and other metrics.
- To promote community usage
SAP is collecting and processing data for community analytics. SAP holds partners and their consultants accountable to actively use Partner Delivery Groups as a best practice for many reasons. Community Analytics functionality is used to help SAP Partner Management teams drive this accountability and to promote community usage.
- To communicate
SAP Community is collecting and processes personal data to keep the users informed about any policy and platform changes in the community.
2: To ensure compliance with laws and regulations
SAP Community processes personal data to comply with statutory obligations.
SAP Community processes your personal data for the purpose of ensuring an adequate level of technical and organizational security of SAP's products, services, online events, facilities, and premises. For this, SAP will take the measures necessary to verify or maintain the quality and safety of a product or service which is owned, manufactured by or for, or controlled by SAP. This may comprise the use of personal data for sufficient identification and authorization of designated users, internal quality control through auditing, analysis, and research, debugging to identify and repair errors that impair existing or intended functionality, account and network security, replication for loss prevention, detecting security incidents, protection against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such kind of activity.
SAP and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. Applicable export laws, trade sanctions, and embargoes issued by these countries oblige SAP to prevent organizations, legal entities and other parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through SAP’s websites or other delivery channels (e.g. the European Union Sanctions List, the US sanctions lists including the Bureau of Industry and Security’s (BIS) Denied Persons Lists (DPL), the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (SDN-List) and the US DOCs Bureau of Industry and Security’s Entity Lists and the United Nations Security Council Sanctions). SAP processes personal data to the extent necessary to comply with these legal requirements. Specifically, SAP processes personal data to conduct automated checks against applicable sanctioned-party lists, to regularly repeat such checks whenever a sanctioned-party list is updated or when a user updates his or her information. In case of a potential match, SAP will block the access to SAP’s services and systems and contact the user to confirm his or her identity.
If necessary, SAP uses personal data to prevent or prosecute criminal activities such as any form of cybercrime, the illegal use of our products and services or fraud, to assert our rights or defend SAP against legal claims.
To comply with data protection and unfair competition law related requirements. Depending on the country in which the relevant SAP Group company operates, and whether you have expressly consented to or opted out of receiving commercial information, SAP may process personal data necessary to accommodate your data protection and privacy choices for the receipt of such information and, when necessary to ensure compliance, exchange such information with the other entities of the SAP Group.
What categories of Personal Data does SAP process?
SAP Community processes personal data about the users interacting with SAP Community for operation purposes. It comprises the following types of personal data-
- Contact Data
SAP processes the following categories of personal data as contact data: first name, last name, username, email addresses, postal address/location (country, state/province, city), telephone numbers, and your relationship history with SAP.
- Data generated through your use of, or participation in, SAP's internet pages, web, or online offerings
How long does SAP store your Personal Data
SAP processes your personal data only for as long as it is required:
- to make SAP Community services available to you
- to fulfill SAP’s legitimate business purposes as further described in this Privacy Statement, unless you object to SAP’s use of your personal data for these purposes;
- until you revoke your consent by deleting your account.
- or if the account is inactive for a duration of 2 years
Who are the recipients of your personal data?
Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:
- Companies within the SAP Group
- Third-party service providers for provision of the website
- SAP Group entities
SAP may transfer your Personal Data to the locally relevant SAP group entity for the purpose and to the extent necessary to conduct a business relationship. Other entities of the SAP Group may also receive or gain access to Personal Data either when rendering group internal services centrally and on behalf of SAP SE and the other SAP group entities or when Personal Data is transferred to them on a respective legal basis. In these cases, these entities may process the Personal Data for the same purposes and under the same conditions as outlined in this Privacy Statement. The current list of SAP Group entities can be found here.
- Other third parties
SAP Community may transfer your registration data based on your consent or as otherwise indicated by your request to companies listed on the registration page of an SAP seminar, webinar or event. These companies may receive your personal data as co-organizer or sponsors of the event and will use your registration data for the purposes of their participation in the event. They will provide you directly with any legally required information about their processing purposes and how you may exercise your rights.
SAP may transfer your Personal Data to partners. They will use the data to promote community usage via analyzing the data and providing feedback about partners and how well the community resources are used.
What are your data protection rights?
- Right to access, correct, and delete
You can access and edit your personal data at any time in SAP community. You have the option to make your account invisible or permanently delete it. However once permanently deleted your account cannot be recovered and account deletion means you will not be able to use SAP community services with that account. If you have requested for account deletion in SAP Community (Public- community.sap.com), your account will be removed from SAP Community upon reviewing your request.
- Right to obtain a copy of Personal Data
You can access and download your personal data that the SAP community uses via the download feature available in your profile.
- Right to restrict
You can remove your account to restrict SAP Community to further processing your Personal Data
- Right to object
If and to the extent SAP is processing your personal data based on SAP's Legitimate Interest, specifically where SAP pursues its legitimate interest to engage in direct marketing or to apply profiling in relation to direct marketing, you have the right to object to such a use of your personal data at any time. When you object to SAP's processing of your personal data for direct marketing purposes, SAP will immediately cease to process your personal data for such purposes. In all other cases, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP’s compelling legitimate grounds for continued use of the information, which may override your interest in objecting, or if SAP requires the information for the establishment, exercise, or defense of legal claims.
- Right to revoke consent
Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or by deleting your account
- Right to lodge a complaint
If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with your locally relevant data protection authority, specifically when you are located in an EEA country, or with the data protection authority of the country or state where SAP has its registered seat
How can you exercise your data protection rights?
You can exercise your data protection via the self-service feature available in the SAP community. You can also write to us at sapcommunity[@]sap.com
How will SAP verify requests to exercise data protection rights?
SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.
Can you use SAP’s services if you are a minor?
Children. In general, SAP Community is not directed to users below the age of 16 years, or the equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use SAP Community.
Additional Country and Regional Specific Provisions
Where SAP is subject to privacy requirements in the EU/EEA or a country with national laws equivalent to the GDPR
- Who is the relevant Data Protection authority?
You may find the contact details of your competent data protection supervisory authority here. SAP’s lead data protection supervisory authority is in Germany, the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg and can be reached at Lautenschlagerstraße 20, 70173 Stuttgart.
- What are the legal permissions for SAP to process Personal Data?
SAP is processing your Personal Data for the business purposes set out above based on the following legal permissions:
Where We refer to GDPR Article 6.I (f), consequently SAP’s legitimate business interest as Our legal permission to process your Personal Data, SAP is pursuing its legitimate business interests
- to efficiently manage and perform its business operations,
- to maintain and operate intelligent and sustainable business processes in a group structure optimized for the division of labor and in the best interest of Our employees, customers, partners, and shareholders,
- to operate sustainable business relationships with SAP customers and partners including you (each of which as further set out below),
- serve you with the best possible user experience when using SAP Community,
- comply with extraterritorial laws and regulations, or
- assert or defend itself against legal claims.
We believe that Our interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain from processing for such purpose. In any of these cases, We duly factor into Our balancing test:
- the business purpose reasonably pursued by SAP in the given case,
- the categories, amount and sensitivity of Personal Data that is necessarily being processed,
- the level of protection of your Personal Data which is ensured by means of Our general data protection policies, guidelines, and processes, and
- the rights you have in relation to the processing activity.
To comply with statutory obligations
When ensuring compliance with applicable laws and regulations, SAP and local SAP group entities may process your Personal Data based on
- GDPR Article 6.I (c) if necessary, to fulfill legal requirements under European Union or EU Member State law to which SAP is subject,
- GDPR Article 6.I (f) if necessary, to fulfill laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations),
- or the equivalent articles under other national laws, when applicable.
To operate SAP internet pages, web-offerings, or other online events
When operating Web-Services") and depending on the respective operating purpose, SAP is processing your Personal Data on the basis of the following legal permissions:
- GDPR Article 6.I (b) and (f) to provide the Web-Services and functions, create and administer your online account, updating, securing, troubleshooting the service, providing support, improving, and developing the Web-Services, answering and fulfilling your requests or instructions, (legitimate interest to efficiently perform or manage SAPs business operation)
- GDPR Article 6.I (c) and (f) to manage and ensure the security of Our Web-Services and prevent and detect security threats, fraud or other criminal or malicious activities and as reasonably necessary to enforce the Web-Services terms, to establish or preserve a legal claim or defense, to prevent fraud or other illegal activities, including attacks on Our information technology systems (legitimate interest to efficiently perform or manage SAP’s business operation and assert or defend itself against legal claims)
- GDPR Article 6.I (a) if it is necessary that We ask you for your consent to process your Personal Data
- or equivalent legal permissions under other relevant national laws, when applicable
When tracking and evaluating the usage behavior of users of Our Web-Services by means of cookies or similar technologies, SAP is processing your Personal Data on the basis of the following legal permissions:
- GDPR Article 6.I (a) if it is necessary that We ask you for your consent to process your Personal Data,
- GDPR Article 6.I (b) if necessary to fulfill (pre-)contractual obligations with you,
- GDPR Article 6.I (f) if necessary to fulfill (pre-)contractual obligations with the company or other legal body you represent as a customer contact (legitimate interest to efficiently perform or manage SAP’s business operation),
- or equivalent legal permissions under other relevant national laws, when applicable.
To provide access to SAP Community and operate web offerings, or other online events
SAP is processing your Personal Data on the basis of the following legal permissions:
Where SAP is subject to privacy requirements in Colombia.
Colombia-Specific Provisions apply to citizens of the Republic of Colombia.
Where SAP is subject to the requirements of the Brazilian General Data Protection Law (“LGPD”)
SAP has appointed a Data Protection Officer for Brazil. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to:
Paulo Nittolo Costa
Address: Avenida das Nações Unidas 14171 - Marble Tower – 7th Floor - São Paulo-SP, Brazil 04794-000
Where SAP is subject to privacy requirements in the Philippines.
Where SAP is subject to certain privacy requirements in the Philippines, the following also applies:
For individuals within the Philippines, you may exercise your rights as follows:
You can call or write to SAP to submit a request at:
Address: SAP Philippines, Inc.
Attn: Data Protection Officer
27F Nac Tower, Taguig City 1632, Philippines
The following provisions apply to residents and citizens of the Philippines:
- You may claim compensation as finally awarded by the National Privacy Commission or the courts if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, considering any violation of your rights and freedoms.
- If you are the subject of a privacy violation or Personal Data breach, or are otherwise personally affected by a violation of the Data Privacy Act, you may file a complaint with the National Privacy Commission.
- Your Transmissibility Rights. Your lawful heirs and assigns may invoke your rights at any time after your death or when you are incapacitated or incapable of exercising your rights.
Where SAP is subject to privacy requirements in Russia
Russian-Specific Provisions apply to citizens of the Russian Federation
Where SAP is subject to privacy requirements in South Africa.
Where SAP is subject to the requirements of the Protection of Personal Information Act, 2013 (“POPIA”) in South Africa, the following also applies:
“Personal data” as used in this Privacy Statement means Personal Information as such term is defined under POPIA.
“You” and “Your” as used in this Privacy Statement means a natural person or a juristic person as such term is used under POPIA.
Systems Applications Products (Africa Region) Proprietary Limited & Systems Applications Products (South Africa) Proprietary Limited with registered address at 1 Woodmead Drive, Woodmead (SAP South Africa) is subject to South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) and responsible party under the POPIA.
Should you as an individual or a juristic person believe that SAP South Africa as responsible party has utilized your personal information contrary to POPIA, you undertake to first attempt to resolve any concerns with SAP South Africa.
Phone: 011 325 6000
Address: 1 Woodmead Drive, Woodmead, Johannesburg South Africa 2148
If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator, using the contact details listed below:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, P.O. Box 31533, Braamfontein, Johannesburg, 2017
You may request details of personal information which we hold about you under the Promotion of Access to Information Act 2 of 2000 (“PAIA”). For further information please review the SAP PAIA manual
Where SAP is subject to privacy requirements in the United States of America.
Where SAP is subject to certain privacy requirements in the United States, the following also applies:
U.S. Children’s Privacy. SAP does not knowingly collect the Personal Data of children under the age of 13. If you are a parent or guardian and believe SAP collected information about a child, please contact SAP as described in this Privacy Statement. SAP will take steps to delete the information as soon as possible. Given that SAP Community is not directed to users under 16 years of age and in accordance with the disclosure requirements of the CCPA, SAP does not sell the Personal Data of any minors under 16 years of age.
Where SAP is subject to privacy requirements in the State of California, USA.
Where SAP is subject to certain privacy requirements in the United States in the State of California, the following also applies:
You have the right:
- to request from SAP access to your Personal Data that SAP collects, uses, or discloses about you;
- to request that SAP delete Personal Data about you;
- to opt-out of the use or disclosure of your sensitive personal information;
- to non-discriminatory treatment for exercise of any of your data protection rights; and
- if you request access to your Personal Data, for such information to be portable, if possible, in a readily usable format that allows you to transmit this information to another recipient without hindrance.
In accordance with the disclosure requirements under the California Consumer Privacy Act (“CCPA”), SAP does not sell or share your Personal Data. In the course of our business activities we may share Personal Data with third parties, or permit third parties to collect data across various SAP websites.
Data Subject Access Requests:
SAP receives Data Subject Access Requests from across the globe and works to ensure all valid requests where SAP is the Controller are responded to within the appropriate timeframe. In accordance with the verification process set forth in the CCPA, SAP will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If SAP must request additional information from you outside of information that is already maintained by SAP, SAP will only use it to verify your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.
In addition to contacting SAP at sapcommunity[@]sap.com, you may also exercise your rights as follows:
You can call toll-free to submit a request using the numbers provided here. You can also designate an authorized agent to submit requests to exercise your data protection rights to SAP. Such authorized agent must be registered with the California Secretary of State and submit proof that you have given authorization for the agent to act on your behalf
Where SAP is subject to privacy requirements in Singapore.
Where SAP is subject to the requirements of the Singapore’s Personal Data Protection Act (“PDPA”), the following also applies:
SAP has appointed a Data Protection Officer for Singapore. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to:
Subject: Data Protection Officer
Address: Mapletree Business City, 30 Pasir Panjang Rd, Singapore 117440
Contact: +65 6664 6868