Supplier Enablement and Risk Assessment

Data Processing enablement is required if your company is providing services to SAP SE and/or SAP affiliated companies or their respective resellers or customers which require the processing of personal data or access to systems that may contain personal data. Data Processing enablement is included in the overall Third Party Risk Assessment.

The Contractor Agreement on the Commissioned Processing of Personal Data (“CDPA”) is our global standard agreement used with all SAP contractors processing or accessing personal data on behalf of SAP and/or SAP affiliates or SAP resellers or customers to ensure a consistent level of data protection across the complete processing chain. 

This CDPA has been updated and is formerly known as Master Data Processing Agreement (MDPA). It reflects the General Data Protection Regulation (GDPR) and governs the processing of Personal Data of data subjects located in the EU as of May 2018 but is also intended to satisfy the requirements of non-EU data protection laws. SAP requires this global CDPA to achieve compliance with its global data protection standards (which are based on the GDPR) and to meet legal and contractual obligations under its customer agreements. Therefore, you will have to enter into this CDPA with SAP SE on behalf of its affiliates. 

The CDPA contains the New Standard Contractual Clauses (SCC) which have been published by the European Commission on June 7, 2021, reference 2021/914. SAP intends to apply the New Standard Contractual Clauses as defined hereunder with all new and the majority of existing SAP Customers and Partners as of September 27, 2021. For an interim period, Contractors need to comply both the Standard Contractual Clauses (2010) and the New Standard Contractual Clauses as laid down in this CDPA as not all SAP Customers and Partner have moved to the New Standard Contractual Clauses yet. Not entering into the CDPA with SAP may disqualify you as an SAP contractor for providing services related to the processing or accessing personal data on behalf of SAP and/or SAP affiliates or SAP resellers or customers.