Data Privacy Overview
This guide discusses how CAP helps applications to comply with data privacy regulations imposed by various laws and standards.
Warning
SAP does not give any advice on whether the features and functions provided to facilitate meeting data privacy obligations are the best method to support company, industry, regional, or country/region-specific requirements. Furthermore, this information should not be taken as advice or a recommendation regarding additional features that would be required in specific IT environments. Decisions related to data protection must be made on a case-by-case basis, considering the given system landscape and the applicable legal requirements.
Introduction to Data Privacy
Data protection is associated with numerous legal requirements and privacy concerns, such as the EU's General Data Protection Regulation. In addition to compliance with general data protection and privacy acts regarding personal data, you need to consider compliance with industry-specific legislation in different countries/regions.
CAP supports applications in their obligation to comply with data privacy regulations by automating tedious tasks as much as possible based on annotated models. That is, CAP provides easy ways to designate personal data, as well as out-of-the-box integration with SAP BTP services, which enable you to fulfill specific data privacy requirements in your application. This relieves application developers of these tedious tasks and related efforts.
For general information about data protection and privacy (DPP) on SAP BTP, see the SAP BTP documentation under Data Protection and Privacy.
In a Nutshell
The most essential requests you have to answer are those in the following table. The table also shows the basis of the requirement and the corresponding discipline for the request:
| Question / Request | Obligation | Solution |
|---|---|---|
| What data about me do you have stored? | Right of access | Personal Data Mgmt |
| Delete all personal data about me! | Right to be forgotten | Data Retention Mgmt |
| When was personal data stored/changed? | Transparency | Audit Logging |
Annotating Personal Data
The first, and frequently only, task for an application developer is to identify the entities and elements that (potentially) hold personal data by using @PersonalData annotations. These annotations are used to automate CAP-facilitated audit logging, personal data management, and data retention management as much as possible.
Learn more in the Annotating Personal Data chapter
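The kind of annotated model this section describes, as an added example that is not taken from the CAP documentation or an SAP sample. The namespace, entity names and element names are hypothetical; the annotation terms are those of the @PersonalData vocabulary.

```cds
// Added example: namespace, entities and elements are hypothetical.
using { cuid, managed } from '@sap/cds/common';

namespace sample.privacy;

// 'managed' adds createdBy/modifiedBy, which is itself user information.
entity Customers : cuid, managed {
  email        : String;
  firstName    : String;
  lastName     : String;
  dateOfBirth  : Date;
  creditCardNo : String;
  addresses    : Composition of many CustomerPostalAddress
                   on addresses.customer = $self;
}

entity CustomerPostalAddress : cuid, managed {
  customer : Association to Customers;
  street   : String;
  town     : String;
  country  : String;
}

// The data subject itself: who the personal data is about.
annotate Customers with @PersonalData: {
  EntitySemantics: 'DataSubject',
  DataSubjectRole: 'Customer'
} {
  ID           @PersonalData.FieldSemantics: 'DataSubjectID';
  email        @PersonalData.IsPotentiallyPersonal;
  firstName    @PersonalData.IsPotentiallyPersonal;
  lastName     @PersonalData.IsPotentiallyPersonal;
  dateOfBirth  @PersonalData.IsPotentiallyPersonal;
  creditCardNo @PersonalData.IsPotentiallySensitive; // stricter handling than "personal"
}

// Details of a data subject, linked back through the DataSubjectID element.
annotate CustomerPostalAddress with @PersonalData: {
  EntitySemantics: 'DataSubjectDetails',
  DataSubjectRole: 'Customer'
} {
  customer @PersonalData.FieldSemantics: 'DataSubjectID';
  street   @PersonalData.IsPotentiallyPersonal;
  town     @PersonalData.IsPotentiallyPersonal;
  country  @PersonalData.IsPotentiallyPersonal;
}
```

Elements left without an annotation, such as the generated keys of the address entity, are not treated as personal data, so review each element of a data-subject entity explicitly rather than annotating only the obvious ones.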
Automatic Audit Logging
The Transparency obligation requires you to be able to report with whom data stored about an individual is shared and where that data came from (for example, EU GDPR Article 15(1)(c,g)).
The SAP Audit Log Service stores all audit logs for a tenant in a common, compliant data store and allows auditors to search through and retrieve the respective logs when necessary.
Learn more in the Audit Logging guide
Personal Data Management
The Right of Access to personal data "gives people the right to access their personal data and information about how this personal data is being processed".
The SAP Personal Data Manager allows you to inform individuals about the data you have stored regarding them.
Learn more in the Personal Data Management guide
Data Retention Management
The Right to be Forgotten gives people "the right to request erasure of personal data related to them on any one of a number of grounds [...]".
The SAP Data Retention Manager allows you to manage retention and residence rules to block or destroy personal data.
Personal Data stored by CAP
CAP doesn't store or manage any personal data on its own, with some exceptions that are mandatory to operate the applications properly:
Log outputs on verbose level might contain personal data such as user names and IP addresses. Connect an adequate logging service, such as SAP Application Logging Service, to meet compliance requirements.
Draft-enabled entities store user information for the time periods when drafts are created or modified.
When using the managed aspect, you decide to store metadata such as who created or modified an entity instance.
Messages temporarily written to the transaction outbox might contain personal data. If necessary, applications can process these messages by standard CAP functionality (CDS model @sap/cds/srv/outbox).
Also refer to the related guides of the most important platform services:
SAP Cloud Identity Services - Configuring Privacy Policies
SAP HANA Cloud - Data Protection and Privacy