Who is the Data Controller? The data controller of www.sap.com is SAP SE, Dietmar-Hopp-Allee 16 Walldorf 69190, Germany (“SAP”). Where a registration form is presented on this website, the data controller may vary depending on the actual offering or the purpose of the data collection, but it is in any case displayed on the individual registration form’s privacy statement. The SAP Group’s data protection officer can be reached at firstname.lastname@example.org.
What Personal Data does SAP collect? When you visit SAP’s websites, SAP stores certain information about your browser, the operating system, and your IP address.
If you use a registration form, SAP will collect the information you provide to SAP, which consists of your first and last name, email addresses, telephone numbers, location (country, state/province, city), company name, job title and role, department and function, current relationship to SAP, and your company’s industry. If you provide a credit card number or bank details to order goods or services from SAP, then SAP will collect this information to process your payment for the requested goods or services.
Why does SAP need your Personal Data? SAP requires your Personal Data to provide you with access to this site; to deliver any ordered goods or services; and to comply with statutory obligations, including checks required by applicable export laws. Further information on why SAP needs your Personal Data can be found in Section B, below, if SAP’s use of your Personal Data is based on a statutory permission. Further information on why SAP needs your Personal Data can be found in Section C, below, if SAP’s use of your Personal Data is based on your consent. If SAP’s use of your Personal Data is based on consent, note that the information in this Privacy Statement on respective consent statements for certain types of Personal Data uses can also be found in the Consent Resource Center. As a general matter and although providing Personal Data is voluntary, SAP may not be able to perform or satisfy your request without it; for example, SAP might require your Personal Data to process an order you place, or to provide you with access to a web offering that you requested. In these cases, it is not possible for SAP to satisfy your request without certain Personal Data.
Kindly note that you can order goods or services without providing a consent into SAP’s further marketing operations.
From What Types of Third Parties does SAP obtain Personal Data? In most cases, SAP collects Personal Data from you. SAP might also obtain Personal Data from third parties, if the applicable national law allows SAP to do so. SAP will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided SAP with it or the applicable national law. These third-party sources include:
- SAP and/or SAP Group’s business dealings with your employer
- Third parties you directed to share your Personal Data with SAP
How long will SAP store my Personal Data? SAP will only store your Personal Data for as long as it is required:
- to make goods and services requested available to you, including use of sap.com;
- for SAP to comply with its statutory obligations resulting inter alia from applicable export laws;
- until you object against such use by SAP, if SAP’s use of your Personal Data is based on SAP’s legitimate business interest as further stated in this Privacy Statement;
- until you revoke your consent granted in this Privacy Statement, if SAP is processing your Personal Data based on your consent;
- by applicable mandatory law to retain your Personal Data longer or where your Personal Data is required for SAP to assert or defend against legal claims, SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.
Who are the recipients of your Personal Data and where will it be processed? Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:
- companies within the SAP Group
- Third-party service providers; e.g., for the provision of the website or newsletter dispatch, for consulting services and other additional related services.
As part of a global group of companies operating internationally, SAP has affiliates (the “SAP Group”) and third-party service providers outside of the European Economic Area (the “EEA”) and will transfer your Personal Data to countries outside of the EEA. If these transfers are to a country for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the EEA. You can obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to email@example.com. You can also obtain more information from the European Commission on the international dimension of data protection here.
What are your data protection rights?
You can request from SAP: access at any time to information about which Personal Data SAP processes about you and the correction or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. Kindly note further that if you request that SAP deletes your Personal Data, you will not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.
If SAP uses your Personal Data based on your consent or to perform a contract with you, you can further request a copy of the Personal Data that you provided to SAP. To do so, please contact the email address below and specify the information or processing activities to which your request relates, the format in which you would like to receive this information, and whether the Personal Data should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best fulfill it.
Furthermore, you can request from SAP that SAP restricts your Personal Data from any further processing in any of the following events: (i) you state that the Personal Data SAP has about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data, (ii) there is no legal basis for SAP processing your Personal Data and you demand that SAP restricts your Personal Data from further processing, (iii) SAP no longer requires your Personal Data but you state that you require SAP to retain such data in order to claim or exercise legal rights or to defend against third party claims, or (iv) in case you object to the processing of your Personal Data by SAP based on SAP’s legitimate interest (as further set out below under Section C.), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
For individuals within the State of California, you instead have the right:
- to request from SAP access to your Personal Data that SAP collects, uses, discloses, or sells (if applicable) about you;
- to request that SAP delete Personal Data about you;
- to non-discriminatory treatment for exercise of any of your data protection rights; and
- in case of request from SAP for access to your Personal Data, for such information to be portable, if possible, in a readily usable format that allows you to transmit this information to another recipient without hindrance; and
- to opt-out of the sale of Personal Data. In accordance with the disclosure requirements under the California Consumer Privacy Act (“CCPA”), SAP is exempt from providing a notice to opt-out because it does not and will not sell your Personal Data.
Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. Kindly note further that if you request that SAP deletes your Personal Data, you will not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.
How can you exercise your data protection rights? Please direct any requests to exercise your rights to firstname.lastname@example.org.
For individuals within the State of California, you may also exercise your rights as follows:
You can call toll-free to submit a request using the numbers provided here. You can also designate an authorized agent to submit requests to exercise your data protection rights to SAP. Such authorized agent must be registered with the California Secretary of State and submit proof that you have given authorization for the agent to act on your behalf. If you are a person with a disability, contact SAP at the above address or toll-free phone number to access the Privacy Statement in an alternative format.
How will SAP verify requests to exercise data protection rights? SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
In accordance with the verification process set forth in the CCPA, SAP will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If SAP must request additional information from you outside of information that is already maintained by SAP, SAP will only use it for the purposes of verifying your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.
Right to lodge a complaint. If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country where you live or with the data protection authority of the country or state where SAP has its registered seat.
Can I use SAP’s goods and services if I am a minor or child?
Children. SAP websites and online services are not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16, you cannot register with and use this websites or online services.
U.S. Children’s Privacy. SAP does not knowingly collect the Personal Data of children under the age of 13. If you are a parent or guardian and believe SAP collected information about a child, please contact SAP as described in this Privacy Statement. SAP will take steps to delete the information as soon as possible. Given that SAP websites and online services are not directed to users under 16 years of age and in accordance with the disclosure requirements of the CCPA, SAP does not sell the Personal Data of any minors under 16 years of age.