SAP Privacy Statement

Last Update: November 27th, 2023.

We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter "We", "SAP", "Us" or "Our") to the individual`s right to data protection and privacy. It outlines how SAP processes information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”). Processing in the context of this Privacy Statement means any collection, use, transmission, disclosure, erasure or any other similar operation based on Personal Data (hereinafter “Processing” or “Process”).

SAP is processing information including Personal Data about the users of CAPire using cookies or similar technologies for the purposes set out in the Cookie Statement. You will find further information and have the option to exercise your cookie preferences in the Cookie Settings.

A. General Information

I. Who is the responsible SAP entity?

The controller of this CAP documentation is SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany. You can reach SAP Group’s data protection officer any time at privacy@sap.com.

II. For what purposes does SAP process your Personal Data and based on what legal basis?

Depending on the applicable law, the Processing of Personal Data is subject to a justification, sometimes referred to as legal basis. The legal basis varies depending on the applicable law and may be subject to deviations, limitations or exceptions resulting from applicable laws.

SAP’s compliance with statutory obligations

SAP processes your Personal Data for the purpose of ensuring an adequate level of technical and organizational security of SAP's products, services, online events, facilities, and premises. For this, SAP will take the measures necessary to verify or maintain the quality and safety of a product or service which is owned, manufactured by or for, or controlled by SAP. This may comprise the use of Personal Data for sufficient identification and authorization of designated users, internal quality control through auditing, analysis, and research, debugging to identify and repair errors that impair existing or intended functionality, account and network security, replication for loss prevention, detecting security incidents, protection against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such kind of activity. We may further process your name, likeness, and other contact or compliance related data when you visit a local SAP affiliate or lab in the context of access management and video surveillance to protect the security and safety of Our locations and assets.
SAP and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. Applicable export laws, trade sanctions, and embargoes issued by these countries oblige SAP to prevent organizations, legal entities and other parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through SAP’s websites or other delivery channels (e.g. the European Union Sanctions List, the US sanctions lists including the Bureau of Industry and Security’s (BIS) Denied Persons Lists (DPL), the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (SDN-List) and the US DOCs Bureau of Industry and Security’s Entity Lists and the United Nations Security Council Sanctions). SAP processes Personal Data to the extent necessary to comply with these legal requirements. Specifically, SAP processes Personal Data to conduct automated checks against applicable sanctioned-party lists, to regularly repeat such checks whenever a sanctioned-party list is updated or when a user updates his or her information. In case of a potential match, SAP will block the access to SAP’s services and systems and contact the user to confirm his or her identity.

If necessary, SAP uses Personal Data to prevent or prosecute criminal activities such as any form of cybercrime, the illegal use of Our products and services or fraud, to assert Our rights or defend SAP against legal claims. To comply with data protection and unfair competition law related requirements. Depending on the country in which the relevant SAP Group company operates, SAP may process Personal Data necessary to accommodate your data protection and privacy choices for the receipt of such information and, when necessary to ensure compliance, exchange such information with the other entities of the SAP Group.

When ensuring compliance, SAP processes your Personal Data if and to the extend to fulfill legal requirements under European Union or EU Member State law to which SAP is subject, and laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations).

SAP’s Web Services

SAP processes your Personal Data to operate web presences, web offerings, or online events (“Web Services”)

to provide the Web Services and functions, create and administer your online account, updating, securing, troubleshooting the service, providing support, improving, and developing the Web Services, answering and fulfilling your requests or instructions.
to manage and ensure the security of Our Web Services and prevent and detect security threats, fraud or other criminal or malicious activities and as reasonably necessary to enforce the Web Services terms, to establish or preserve a legal claim or defense, to prevent fraud or other illegal activities, including attacks on Our information technology systems.
to process information that relates to your visit to Our Web Services to improve your user experience, identify your individual demand and to personalize the way We provide you with the information you are looking for. For this purpose, We collect information regardless of whether you register with a user profile or not.

When operating SAP’s Web Services, SAP processes your Personal Data if and to the extent, SAP obtained your consent, if required by law, to process your Personal Data for this purpose, necessary to fulfill (pre-)contractual obligations with you, necessary to fulfill legal requirements applicable to SAP, necessary to pursue SAP’s legitimate interest to efficiently perform or manage SAP’s Web Services and business operation and assert or defend itself against legal claims. We believe that SAP’s interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain processing for such purpose. In any of these cases, We duly factor into Our balancing test: the business purpose reasonably pursued by SAP in the given case, the categories, amount and sensitivity of Personal Data that is necessarily being processed, the level of protection of your Personal Data which is ensured by means of Our general data protection policies, guidelines, and processes, and the rights you have in relation to the processing activity.

SAP CAP Web tracking is used to gain knowledge about frequency of usage, used browsers etc. to improve the development of the web page. We require your Personal Data to

provide feedback in order to improve the content offer
create anonymized data sets in order to improve products and services

When using https://cap.cloud.sap SAP processes your Personal Data if and to the extend

SAP obtained your consent, if required by law, to process your Personal Data for this purpose,
necessary to fulfill (pre-)contractual obligations with you,
necessary to fulfill legal requirements applicable to SAP,
necessary to pursue SAP’s legitimate interest to track webpage views on the CAP documentation.

III. What categories of Personal Data does SAP process?

SAP processes the following categories of Personal Data: Browser fingerprint, IP address, Usage tracking data.

If SAP processes special categories of Personal Data under applicable law, SAP will ask you for your consent in a specific declaration.

IV. From What Types of Third Parties does SAP obtain Personal Data?

SAP generally aims to collect Personal Data directly from you. If you are obliged to provide Personal Data to SAP and you fail to provide such Personal Data, kindly note that SAP may not be able to provide you with the respective service and/or business relationship. If you or applicable law allows Us to do so, We may obtain Personal Data also from Third Party which may include:

your employer in the context of its business relationship with SAP and/or the SAP Group

When We collect Personal Data from Third Parties, established internal controls aim to ensure that the third-party source was permitted to provide this information to SAP and that We may use it for this purpose. SAP will treat this Personal Data according to this Privacy Statement and any additional restrictions imposed by the third party that provided the Personal Data to SAP or by applicable national law.

V. How long does SAP store your Personal Data?

SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. SAP does only store your Personal Data for as long as it is required:

for SAP to comply with statutory obligations to retain Personal Data, resulting inter alia e.g. from applicable export, finance, tax or commercial laws.
to fulfill SAP’s legitimate business purposes as further described in this Privacy Statement, unless you object to SAP’s use of your Personal Data for these purposes.
to process your Personal Data for this purpose and SAP obtained your consent, if required by law.

VI. Who are the recipients of your Personal Data?

Your Personal Data is predominantly stored inside EEA, however your Personal Data may be processed globally. If Personal Data is processed by Third Parties, SAP complies with laws on the transfer of Personal Data between countries to keep your Personal Data protected. Your Personal Data will be transferred to or accessed by the following categories of third parties to process your Personal Data:

SAP Group entities: Other entities of the SAP Group may also receive or gain access to Personal Data either when rendering group internal services centrally and on behalf of SAP SE and the other SAP group entities or when Personal Data is transferred to them on a respective legal basis. In these cases, these entities may process the Personal Data for the same purposes and under the same conditions as outlined in this Privacy Statement. The current list of SAP Group entities can be found here.

VII What are your data protection rights and how can you exercise them?

SAP honors your statutory rights when it comes to the Processing of your Personal Data. To the extent provided by applicable data protection laws, you have the right to:

access your Personal Data that we have on you, or have it updated.
Data portability of the Personal Data you provided to SAP, if SAP uses your Personal Data based on your consent or to perform a contract with you. In this case, please contact privacy@sap.com and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best be fulfilled.
Delete your Personal Data we hold about you. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. If you request from SAP to delete your Personal Data, you may not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.
Right to object against SAP further processing your Personal Data, if and to the extent SAP is processing your Personal Data based on its Legitimate Interest. When you object to SAP's processing of your Personal Data, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP’s compelling legitimate grounds for continued use of the Personal Data, which may override your interest in objecting, or if SAP requires the information for the establishment, exercise, or defense of legal claims.
Right to object to direct marketing or to apply profiling in relation to direct marketing. When you object to SAP's processing of your Personal Data for direct marketing purposes, SAP will immediately cease to process your personal data for such purposes.
Revoke consent, wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required or permitted to do so (e.g. if your Personal Data is needed by SAP do assert or defend against legal claims). In case SAP is required or permitted to retain your Personal Data for other legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law or fulfil the other purpose. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal. Furthermore, if your use of an SAP offering requires your prior consent, SAP will no longer be able to provide the relevant service, offer or event to you after your revocation.
Not to be subject to a decision based solely automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way.
Lodge a complaint to SAP if you are not satisfied with how SAP is processing your Personal Data. Your competent supervisory authority can be found in the country specific section.

Depending on applicable local data protection laws, your rights may be subject to deviations, limitations, or exceptions as set out in the country specific section. Please be aware, that SAP honors your statutory rights when it comes to the Processing of your Personal Data to the extent provided by applicable data protection laws.

How you can exercise your data protection rights. Please direct any requests to exercise your rights to privacy@sap.com. SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP. SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.

VIII.Can you use SAP’s services if you are a minor?

In general, CAPire is not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use this CAP website.

B. Additional Country and Regional Specific Provisions

You may find the contact details of your competent data protection supervisory authority here. SAP’s lead data protection supervisory authority is the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg and can be reached at Lautenschlagerstraße 20, 70173 Stuttgart/Germany.

II. How does SAP justify international data transfers?

As a global group of companies, SAP has group affiliates and uses third party service providers also in countries outside the European Economic Area (the “EEA”). SAP may transfer your Personal Data to countries outside the EEA as part of SAP’s international business operations. If We transfer Personal Data from a country in the EU or the EEA to a country outside the EEA and for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require the data importer to ensure a level of data protection consistent with the one in the EEA to protect your Personal Data. You may obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to privacy@sap.com. You may also obtain more information from the European Commission on the international dimension of data protection here.

III. Where SAP is subject to privacy requirements in Colombia

Where SAP is subject to the requirements of the Columbian Statutory Law 1581 of 2012 and Decree 1377 of 2013, the following applies:

Within Colombia you have the right to: • access, update and rectify your Personal Data. • Request evidence of your consent. • Upon request, receive information about how SAP Processes your Personal Data. • Lodge a complaint with the Superintendence of Industry and Commerce (“SIC”) about a violation of the applicable laws. • Revoke your consent and/or request the deletion of your Personal Data, provided that there is no supervenient legal or contractual obligation that allows SAP to keep your Personal Data in SAP’s databases.

SAP Colombia S.A. may Process your Personal Data by itself or on behalf of the SAP Group, with its main office located at Carrera 9 No 115 – 06, Edificio Tierra Firme Of. 2401 Bogotá D.C., Colombia. You can contact Us either by the telephone number +57-6003000 or via email at privacy@sap.com.

SAP will be responsible to answer any requests, questions, and complaints that you might have to your right to access, update, correct and delete your Personal Data, or revoke your consent.

IV. Where SAP is subject to the requirements of the Brazilian General Data Protection Law (“LGPD”)

SAP has appointed a Data Protection Officer for Brazil. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to: Email: privacy[@]sap.com Address: Avenida das Nações Unidas 14171 - Marble Tower – 7th Floor - São Paulo-SP, Brazil 04794-000

V. Where SAP is subject to privacy requirements in the Philippines

Where SAP is subject to certain privacy requirements in the Philippines, the following also applies:

Within the Philippines you have the right to: • Claim compensation as finally awarded by the National Privacy Commission or the courts if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, considering any violation of your rights and freedoms. • File a complaint with the National Privacy Commission, if you are the subject of a privacy violation or Personal Data breach, or are otherwise personally affected by a violation of the Data Privacy Act. • Your Transmissibility Rights. Your lawful heirs and assigns may invoke your rights at any time after your death or when you are incapacitated or incapable of exercising your rights.

For individuals within the Philippines, you may exercise your rights as follows: You can call or write to SAP to submit a request at: privacy@sap.com Phone:+632-8705-2500 Address: SAP Philippines, Inc., Attn: Data Protection Officer, 27F Nac Tower, Taguig City 1632, Philippines

VI. Where SAP is subject to privacy requirements in South Africa

Where SAP is subject to the requirements of the Protection of Personal Information Act, 2013 (“POPIA”) in South Africa, the following applies:

“Personal Data” as used in this Privacy Statement means Personal Information as such term is defined under POPIA. “You” and “Your” as used in this Privacy Statement means a natural person or a juristic person as such term is used under POPIA.

[Systems Applications Products (Africa Region) Proprietary Limited] [Systems Applications Products (South Africa) Proprietary Limited] with registered address at 1 Woodmead Drive, Woodmead (SAP South Africa) is subject to South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) and responsible party under the POPIA.

You may request details of personal information which We hold about you under the Promotion of Access to Information Act 2 of 2000 (“PAIA”). For further information please review the SAP PAIA manual, located here.

Should you as an individual or a juristic person believe that SAP South Africa as responsible party has utilized your personal information contrary to POPIA, you undertake to first attempt to resolve any concerns with SAP South Africa.

Phone: 011 325 6000 Address: 1 Woodmead Drive, Woodmead, Johannesburg, South Africa 2148 Email: privacy[@]sap.com

If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator, using the contact details listed below:

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, P.O. Box 31533, Braamfontein, Johannesburg, 2017 Email: complaints.IR[@]justice.gov.za Enquires: inforeg[@]justice.gov.za

VII. Where SAP is subject to privacy requirements in the United States of America.

Where SAP is subject to the requirements of the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Acts of 2020 (CPRA), from hereon referred to as “CCPA” or where other US state laws have similar requirements, the following applies:

You have the right to:

Know what personal information the business has collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer.
Delete personal information that the business has collected from the consumer, subject to certain exceptions.
Correct inaccurate personal information that a business maintains about a consumer.
Opt-out of the sale or sharing of their personal information by the business (where applicable).
Limit the use or disclosure of sensitive personal information by the business (subject to certain exceptions, where applicable).
Receive non-discriminatory treatment for the exercise of these rights.

How you can exercise your Data Protection Right. To exercise these rights, or to limit the Sharing of your Personal Information, please contact us at cap@sap.com or via privacy@sap.com.

In accordance with the verification process set forth under US relevant state law (as appropriate), SAP may require a more stringent verification process for deletion requests (or for Personal Data that is considered sensitive or valuable) to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If SAP must request additional information from you outside of information that is already maintained by SAP, SAP will only use it to verify your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes. You can designate an authorized agent to submit requests to exercise your data protection rights to SAP. The agent must submit authorization to act on your behalf and, where required by relevant law, the agent must be appropriately registered.

Financial Incentives. SAP does not offer financial incentives in return for your consent to share your personal information, nor limit service offerings where you opt-out of such sharing (unless sharing is practically necessary to perform the relevant service).

Children’s Privacy. Given that CAP is not directed to users under 16 years of age, SAP does not sell or share the personal information of any minors under 16. If you are a parent or guardian and believe SAP collected information about your child, please contact SAP. SAP will take steps to delete the information as soon as possible.

VIII. Where SAP is subject to privacy requirements in Singapore

Where SAP is subject to the requirements of the Singapore’s Personal Data Protection Act (“PDPA”), the following applies:

SAP has appointed a Data Protection Officer for Singapore. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to: Subject: Data Protection Officer Email: privacy[@]sap.com Address: Mapletree Business City, 30 Pasir Panjang Rd, Singapore 117440 Contact: +65 6664 6868

IX. Where SAP is subject to privacy requirements in Malaysia.

Where SAP is subject to the requirements of the Personal Data Protection Act (“PDPA”) of Malaysia, the following applies: Written inquiries, requests or complaints may be addressed to: Data Protection and Privacy Coordinator for Malaysia Phone No. 60 3-2202 6000 Email address: privacy@sap.com

SAP has implemented technology, security features and strict policy guidelines to safeguard the privacy of users’ Personal Data.

X. Where SAP is subject to privacy requirements in New Zealand

Where SAP is subject to the requirements of New Zealand, the following data protection rights apply:

Right to access and correct

You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it.

Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal.

Rules Reference

Parts of 2024

All of 2023

All of 2022

All of 2021

All of 2020

SAP Privacy Statement ​

A. General Information ​

I. Who is the responsible SAP entity? ​

II. For what purposes does SAP process your Personal Data and based on what legal basis? ​

SAP’s compliance with statutory obligations ​

SAP’s Web Services ​

III. What categories of Personal Data does SAP process? ​

IV. From What Types of Third Parties does SAP obtain Personal Data? ​

V. How long does SAP store your Personal Data? ​

VI. Who are the recipients of your Personal Data? ​

VII What are your data protection rights and how can you exercise them? ​

VIII.Can you use SAP’s services if you are a minor? ​

B. Additional Country and Regional Specific Provisions ​

I. Where SAP is subject to privacy requirements in the EU/EEA or a country with national laws equivalent to the GDPR Who is the relevant Data Protection Authority? ​

II. How does SAP justify international data transfers? ​

III. Where SAP is subject to privacy requirements in Colombia ​

IV. Where SAP is subject to the requirements of the Brazilian General Data Protection Law (“LGPD”) ​

V. Where SAP is subject to privacy requirements in the Philippines ​

VI. Where SAP is subject to privacy requirements in South Africa ​

VII. Where SAP is subject to privacy requirements in the United States of America. ​

VIII. Where SAP is subject to privacy requirements in Singapore ​

IX. Where SAP is subject to privacy requirements in Malaysia. ​

X. Where SAP is subject to privacy requirements in New Zealand ​

Right to access and correct ​

Right to revoke consent ​