SAP PRIVACY STATEMENT

This Privacy Statement was updated on 24.05.2023.

Click here for a printable version of this Privacy Statement.

Protecting the individual's privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter "We", "SAP", "Us" or "Our") to the individual`s right to data protection and privacy. It outlines how We handle information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”).

A. General information

I. Who do We mean when We say SAP in this Privacy Statement

This Privacy Statement applies to the collection and processing of Personal Data to assign you to a mailing list by

You can reach SAP Group’s data protection officer any time at privacy[@]sap.com.

II. For what purposes does SAP process your Personal Data?

To provide you with access to SAP mailing lists.
We require your Personal Data to assign you to offered mailing lists. Any provision of this information is entirely voluntarily for you. However, without this information it will unfortunately not be possible for SAP to assign you to a mailing list.

A mailing list tracks the email addresses of all its subscribed members. The purpose of that is twofold: (1) to distribute new posts to all list members using email, and (2) to implement authorization procedures such as allowing list members to submit posts to the list.

III. What categories of Personal Data does SAP process?

Contact Data:
SAP processes the following categories of Personal Data as contact data:
Name and Email address of subscribed members of a mailing list.

IV. How long does SAP store your Personal Data

SAP does only store your Personal Data for as long as it is required to make the subscribed mailing list(s) available to you.

SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.

V. Who are the recipients of your Personal Data?

Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:

VI. What are your data protection rights?

Right to access, correct and delete

You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. If you request from SAP to delete your Personal Data, you may not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.

Right to obtain a copy of Personal Data

If SAP uses your Personal Data based on your consent or to perform a contract with you, you can further request from SAP a copy of the Personal Data you provided to SAP. In this case, please contact privacy[@]sap.com and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best be fulfilled.

Right to restrict

You can request from SAP to restrict your Personal Data from further processing in any of the following events:

Right to object

If and to the extent SAP is processing your Personal Data based on SAP's Legitimate Interest, specifically where SAP pursues its legitimate interest to engage in sending emails to your email address a spart of your mailing list assignment, you have the right to object to such a use of your Personal Data at any time.

 

When you object to SAP's processing of your Personal Data for sending emails to your email address a spart of your mailing list assignment, SAP will immediately cease to process your Personal Data for such purposes. In all other cases, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP’s compelling legitimate grounds for continued use of the information, which may override your interest in objecting, or if SAP requires the information for the establishment, exercise, or defense of legal claims

Right to lodge a complaint

If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with your locally relevant data protection authority, specifically when you are located in an EEA country, or with the data protection authority of the country or state where SAP has its registered seat.

 

VII. How can you exercise your data protection rights?

Please direct any requests to exercise your rights to privacy[@]sap.com.

VIII. How will SAP verify requests to exercise data protection rights?

SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise.  When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP. 

SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.

IX. Can you use SAP’s services if you are a minor?

Children. In general, mailing lists are not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use this mailing lists.

B. Additional Country and Regional Specific Provisions

I. Where SAP is subject to privacy requirements in the EU/EEA or a country with national laws equivalent to the GDPR

Who is the relevant Data Protection authority?

You may find the contact details of your competent data protection supervisory authority here ( https://edpb.europa.eu/about-edpb/about-edpb/members_en ). SAP’s lead data protection supervisory authority is in Germany, the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg and can be reached at Lautenschlagerstraße 20, 70173 Stuttgart.

What are the legal permissions for SAP to process Personal Data?

SAP is processing your Personal Data for the business purposes set out above based on the following legal permissions:

Where We refer to GDPR Article 6.I (f), consequently SAP’s legitimate business interest as Our legal permission to process your Personal Data, SAP is pursuing its legitimate business interests.

We believe that Our interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain processing for such purpose. In any of these cases, We duly factor into Our balancing test:

 

To provide you with access to SAP mailing lists.

When SAP adds your email address to mailing lists, SAP is processing your Personal Data on the basis of the following legal permissions:

 

How does SAP justify international data transfers?

As a global group of companies, SAP has group affiliates and uses third party service providers also in countries outside the European Economic Area (the “EEA”). SAP may transfer your Personal Data to countries outside the EEA as part of SAP’s international business operations. If We transfer Personal Data from a country in the EU or the EEA to a country outside the EEA and for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require the data importer to ensure a level of data protection consistent with the one in the EEA to protect your Personal Data. You may obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to privacy[@]sap.com. You may also obtain more information from the European Commission on the international dimension of data protection here ( https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_fr ).

 

II. Where SAP is subject to privacy requirements in Colombia.

Colombia-Specific Provisions apply to citizens of the Republic of Colombia.

III. Where SAP is subject to the requirements of the Brazilian General Data Protection Law (“LGPD”)

SAP has appointed a Data Protection Officer for Brazil. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to:

Paulo Nittolo Costa
Email: privacy[@]sap
Address: Avenida das Nações Unidas 14171 - Marble Tower – 7th Floor - São Paulo-SP, Brazil 04794-000

 

IV. Where SAP is subject to privacy requirements in the Philippines.

Where SAP is subject to certain privacy requirements in the Philippines, the following also applies:

For individuals within the Philippines, you may exercise your rights as follows:

You can call or write to SAP to submit a request at:

Email: privacy[@]sap
Phone: +632-8705-2500
Address: SAP Philippines, Inc.
Attn: Data Protection Officer
27F Nac Tower, Taguig City 1632, Philippines

The following provisions apply to residents and citizens of the Philippines:

 

V. Where SAP is subject to privacy requirements in South Africa.

Where SAP is subject to the requirements of the Protection of Personal Information Act, 2013 (“POPIA”) in South Africa, the following also applies:

“Personal Data” as used in this Privacy Statement means Personal Information as such term is defined under POPIA.

“You” and “Your” as used in this Privacy Statement means a natural person or a juristic person as such term is used under POPIA.

Systems Applications Products (South Africa) Proprietary Limited with registered address at 1 Woodmead Drive, Woodmed (SAP South Africa) is subject to South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) and responsible party under the POPIA.

You may request details of personal information which We hold about you under the Promotion of Access to Information Act 2 of 2000 (“PAIA”). For further information please review the SAP PAIA manual, located here ( https://d.dam.sap.com/s/i/a/qW1sGy5 ).

Should you as an individual or a juristic person believe that SAP South Africa as responsible party has utilized your personal information contrary to POPIA, you undertake to first attempt to resolve any concerns with SAP South Africa.

Phone: 011 325 6000
Address: 1 Woodmead Drive, Woodmead, Johannesburg, South Africa 2148
Email: privacy[@]sap.com

If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator, using the contact details listed below:

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: complaints.IR[@]justice.gov.za
Enquires: inforeg[@]justice.gov.za

VI. Where SAP is subject to privacy requirements in the United States of America.

Where SAP is subject to certain privacy requirements in the United States, the following also applies:

U.S. Children’s Privacy. SAP does not knowingly collect the Personal Data of children under the age of 13. If you are a parent or guardian and believe SAP collected information about a child, please contact SAP as described in this Privacy Statement. SAP will take steps to delete the information as soon as possible. Given that SAP mailing lists are not directed to users under 16 years of age and in accordance with the disclosure requirements of the CCPA, SAP does not sell the Personal Data of any minors under 16 years of age.

VII. Where SAP is subject to privacy requirements in the State of California, USA.

Where SAP is subject to certain privacy requirements in the United States in the State of California, the following also applies:

You have the right:

 

In accordance with the disclosure requirements under the California Consumer Privacy Act (“CCPA”), SAP does not sell or share your Personal Data. In the course of our business activities we may share Personal Data with third parties, or permit third parties to collect data across various SAP websites.

 

Data Subject Access Requests: 

SAP receives Data Subject Access Requests from across the globe and works to ensure all valid requests where SAP is the Controller are responded to within the appropriate timeframe. In accordance with the verification process set forth in the CCPA, SAP will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If SAP must request additional information from you outside of information that is already maintained by SAP, SAP will only use it to verify your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.

 

 

In addition to contacting SAP at privacy[@]sap.com, you may also exercise your rights as follows: 

You can call toll-free to submit a request using the numbers provided here ( https://www.sap.com/about/legal/impressum.html ). You can also designate an authorized agent to submit requests to exercise your data protection rights to SAP. Such authorized agent must be registered with the California Secretary of State and submit proof that you have given authorization for the agent to act on your behalf.”

 

VIII. Where SAP is subject to privacy requirements in Singapore.

Where SAP is subject to the requirements of the Singapore’s Personal Data Protection Act (“PDPA”), the following also applies:

SAP has appointed a Data Protection Officer for Singapore. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to:

Subject: Data Protection Officer

Email: privacy[@]sap.com

Address: Mapletree Business City, 30 Pasir Panjang Rd, Singapore 117440

Contact: +65 6664 6868