SAP.iO Privacy Statement

Protecting the individual’s privacy on the Internet is crucial to the future of Internet-based business and the move toward a true Internet economy. We have created this Privacy Statement to demonstrate our firm commitment to the individual’s right to data protection and privacy. This Privacy Statement outlines how we handle information that can be used to directly or indirectly identify an individual (“Personal Data”) that is provided to SAP in connection with SAP.iO programs, events or engagements.

A. General Information
B. Processing based on a statutory permission
C. Processing based on consent
D. Cookies and similar tools
E. Country-Specific Provisions

A. General Information

When does this Privacy Statement apply? This Privacy Statement applies to Personal Data that you provide to SAP in connection with SAP.iO (including, SAP.iO programs and events, the SAP.iO website, or other engagements with SAP.iO) or which is derived from the Personal Data as outlined below.

Who is the Data Controller? The data controller for SAP.iO is SAP America, Inc., 3999 West Chester Pike, Newtown Square, PA 19073, USA (“SAP”). Where a registration form is presented on the SAP.iO website, the data controller may vary depending on the actual offering or the purpose of the data collection, but it is in any case displayed on the individual registration form’s privacy statement. The SAP Group’s data protection officer can be reached at privacy@sap.com.

What Personal Data does SAP collect? When you visit the SAP.iO website, SAP stores certain information about your browser, the operating system, and your IP address. If you provide SAP with information in respect of the application, registration or participation in an SAP.iO program or event, SAP will collect the information you provide to SAP.

Why does SAP need your Personal Data? SAP requires your Personal Data to provide you with access to the SAP.iO website; to provide SAP.iO programs or events; and to comply with statutory obligations, including checks required by applicable export laws.  Further information on why SAP needs your Personal Data can be found in Section B, below, if SAP’s use of your Personal Data is based on a statutory permission. Further information on why SAP needs your Personal Data can be found in Section C, below, if SAP’s use of your Personal Data is based on your consent.  As a general matter and although providing Personal Data is voluntary, SAP may not be able to perform or satisfy your request without it; for example, SAP might require your Personal Data to provide an SAP.iO program or event. In these cases, it is not possible for SAP to satisfy your request without certain Personal Data.

From What Types of Third Parties does SAP obtain Personal Data? In most cases, SAP collects Personal Data from you.  SAP might also obtain Personal Data from third parties, if the applicable national law allows SAP to do so.  SAP will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided SAP with it or the applicable national law. These third-party sources include:

  • SAP and/or SAP Group’s business dealings with your employer
  • Third parties you directed to share your Personal Data with SAP

How long will SAP store my Personal Data? SAP will only store your Personal Data for as long as it is required:

  • to provide the SAP.iO website;
  • to allow you to participate in an SAP.iO program or event;
  • for SAP to comply with its statutory obligations resulting inter alia from applicable export laws;
  • until you object against such use by SAP, if SAP’s use of your Personal Data is based on SAP’s legitimate business interest as further stated in this Privacy Statement;
  • until you revoke your consent granted in this Privacy Statement, if SAP is processing your Personal Data based on your consent; 
  • by applicable mandatory law to retain your Personal Data longer or where your Personal Data is required for SAP to assert or defend against legal claims, SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.

Who are the recipients of your Personal Data and where will it be processed? Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:

  • companies within the SAP Group
  • Third-party service providers for the provision of the SAP.iO website or newsletter dispatch, for consulting services and other additional related services.

As part of a global group of companies operating internationally, SAP has affiliates (the “SAP Group”) and third-party service providers outside of the European Economic Area (the “EEA”) and will transfer your Personal Data to countries outside of the EEA. If these transfers are to a country for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the EEA. You can obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to privacy@sap.com. You can also obtain more information from the European Commission on the international dimension of data protection here.

What are your data protection rights? You can request from SAP: access at any time to information about which Personal Data SAP processes about you and the correction or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. Kindly note further that if you request that SAP deletes your Personal Data, you will not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.

If SAP uses your Personal Data based on your consent or to perform a contract with you, you can further request a copy of the Personal Data that you provided to SAP.  To do so, please contact the email address below and specify the information or processing activities to which your request relates, the format in which you would like to receive this information, and whether the Personal Data should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best fulfill it.

Furthermore, you can request from SAP that SAP restricts your Personal Data from any further processing in any of the following events: (i) you state that the Personal Data SAP has about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data, (ii) there is no legal basis for SAP processing your Personal Data and you demand that SAP restricts your Personal Data from further processing, (iii) SAP no longer requires your Personal Data but you state that you require SAP to retain such data in order to claim or exercise legal rights or to defend against third party claims, or (iv) in case you object to the processing of your Personal Data by SAP based on SAP’s legitimate interest (as further set out below under Section C.), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.

For individuals within the State of California, you instead have the right: 

  • to request from SAP access to your Personal Data that SAP collects, uses, discloses, or sells (if applicable) about you;
  • to request that SAP delete Personal Data about you;
  • to opt-out of the sale of Personal Data, if applicable;
  • to non-discriminatory treatment for exercise of any of your data protection rights; and  
  • in case of request from SAP for access to your Personal Data, for such information to be portable, if possible, in a readily usable format that allows you to transmit this information to another recipient without hindrance.

In accordance with the disclosure requirements under the CCPA, SAP is exempt from providing a notice to opt-out because it does not and will not sell your Personal Data. 

Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. Kindly note further that if you request that SAP deletes your Personal Data, you will not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.

How can you exercise your data protection rights? Please direct any requests to exercise your rights to sapio@sap.com. If you are located in the State of California, you can also call toll-free using the numbers provided here. You can also designate another person to submit requests to exercise your data protection rights to SAP. You can give authorization to such person by granting them a limited power of attorney to exercise your data protection rights on your behalf.

How will SAP verify requests to exercise data protection rights? SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise.  When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.  

In accordance with the verification process set forth in the California Consumer Privacy Act (“CCPA”), SAP will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data.   If SAP must request additional information from you outside of information that is already maintained by SAP, SAP will only use it for the purposes of verifying your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.

SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law. 

Right to lodge a complaint. If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country where you live or with the data protection authority of the country or state where SAP has its registered seat.

Use of the SAP.iO website by children. The SAP.iO website is not intended for anyone under the age of 16 years. If you are younger than 16, you may not register with or use the SAP.iO website.

Links to other websites. The SAP.iO website may contain links to foreign (meaning non-SAP Group companies) websites. SAP is not responsible for the privacy practices or the content of websites outside the SAP Group of companies. Therefore, we recommend that you carefully read the privacy statements of such foreign sites.

Use of Google Analytics. The Website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the SAP.iO website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You can see more information about how Google uses your data and opt-out options by visiting www.google.com/policies/privacy/partners.

B. Processing based on a statutory permission

Providing the requested programs or events. If you have requested to participate in an SAP.iO program or event, SAP will use the Personal Data that you provide to process your request and provide the program or event if your request is accepted by SAP (this may include your name, (email) address, telephone number, company name and address, your job title and role, and other information relevant to your participation in the program or event).

Processing to ensure compliance. SAP and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions, and embargoes issued by these countries, SAP is required to take measures to prevent entities, organizations, and parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through SAP’s websites or other delivery channels controlled by SAP. This could include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to SAP’s services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match. Any such use of your Personal Data is based on the permission to process Personal Data in order to comply with statutory obligations (Article 6(1) lit. c GDPR) and SAP’s legitimate interest (Article 6(1) lit. f GDPR).

Furthermore, you acknowledge that information required to track your data protection and privacy choices for processing your Personal Data, or for receipt of marketing materials (that is to say, depending on the country in which the relevant SAP Group company operates and whether you have expressly consented to or opted out of receiving marketing materials) may be exchanged among members of the SAP Group when necessary to ensure compliance.

Processing based on SAP’s legitimate interest. SAP can use your Personal Data based on its legitimate interest (Article 6(1), lit. f GDPR) as follows:

  • Fraud and Legal Claims. If required, SAP will use your Personal Data for the purposes of preventing or prosecuting criminal activities such as fraud and to assert or defend against legal claims.
  • Questionnaires and surveys. SAP could invite you to participate in questionnaires and surveys. These questionnaires and surveys will be generally designed in a way that they can be answered without any data that can be used to identify you. If you nonetheless enter such data in a questionnaire or survey, SAP will use this Personal Data to improve its products and services.
  • Contract Performance. If you purchase or intend to purchase goods or services from SAP on behalf of a corporate customer or otherwise be the nominated contact person for the business relationship between a corporate customer (a “Customer Contact”) and SAP, SAP will use your Personal Data for this purpose. This includes, for the avoidance of doubt, such steps which are required for establishing the relevant business relationship. In case that an existing Customer Contact informs SAP that you are his replacement, SAP will, from the point in time of such notification, consider you to be the relevant Customer Contact for the respective customer until you object as further set out below.
  • Creation of anonymized data sets. SAP will anonymize Personal Data provided under this Privacy Statement to create anonymized data sets, which will then be used to improve its and its affiliates’ products and services.
  • Personalized Content. If you opt-in to receive marketing communications such as and including newsletters, brochures or white papers from SAP, SAP will collect and store details of how you interact with such content to help create, develop, operate, deliver and improve our communications with you.  This information is aggregated and used to help SAP provide more useful information and to understand what is of most interest. 
  • Recordings for quality improvement purposes. In case of telephone calls or chat sessions, SAP will record such calls (after informing you accordingly during that call and before the recording starts) or chat sessions to improve the quality of SAP’s services.
  • To keep you up-to-date or request feedback. Within an existing business relationship between you and SAP, SAP might inform you, where permitted in accordance with local laws, about its products or services (including webinars, seminars and events) which are similar or relate to such products and services you have already purchased or used from SAP. Furthermore, if you attend a webinar, seminar or event of SAP, download or view whitepapers, newsletters, videos, software free trials, or purchase products or services from SAP, SAP might contact you for feedback regarding the improvement of the relevant material, product or service.

Right to object. You may object to SAP using Personal Data for the above purposes at any time by delivering your objection to sapio@sap.com. If you do so, SAP will cease using your Personal Data for the above purposes (that is to say, under a legitimate interest set out above) and remove it from its systems unless SAP is permitted to use such Personal Data for another purpose set out in this Privacy Statement or SAP determines and demonstrates a compelling legitimate interest to continue processing your Personal Data.

IMPORTANT: Unsubscribe requests that you provide to SAP.iO will only be applied to SAP.iO related communications. Please submit unsubscribe requests for general SAP communications to https://www.sap.com/profile/unsubscribe.html. In addition, SAP.iO does not receive and will not apply any unsubscribe requests that you make for general SAP communications. Please send all unsubscribe requests relating to SAP.iO communications to sapio@sap.com.

Processing under applicable national laws. If the applicable national law allows SAP to do so, SAP will use information about you, some of which is Personal Data, for the following business purposes: 

  • to plan and host events
  • to host online forums or webinars
  • for marketing purposes such as to keep you updated on SAP’s latest products and services and upcoming events
  • to contact you to discuss further your interest in SAP services and offerings
  • to help SAP create, develop, operate, deliver and improve SAP services, products, content and advertising and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by SAP
  • to provide more personalized information to you
  • for loss prevention
  • for account and network security purposes
  • for internal purposes such as auditing, analysis, and research to improve SAP’s products or services
  • to verify your identity and determine appropriate services
  • to assert or defend against legal claims
  • detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • debugging to identify and repair errors that impair existing intended functionality
  • Undertaking internal research for technological development and demonstration
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by SAP

C. Processing based on consent

In the following cases, SAP will process your Personal Data if you granted prior consent to the specific proposed processing of your Personal Data (Article 6(1) lit. a GDPR).  If you re-open this Privacy Statement after you initially grant one or more consents, you will see the full Privacy Statement and not just information on the consents you granted.

News about SAP.iO programs and events. Subject to your consent, SAP may use your name, email and postal address, telephone number, job title and basic information about your employer (name, address, and industry) as well as an interaction profile based on prior interactions with SAP (prior participation in programs or events) in order to keep you up to date on SAP.iO programs and events.

Program and event promotional materials.  SAP may produce materials from programs and events that you participate in to promote its programs and events, such as videos, photographs, advertisements, and other media and materials (collectively, “Materials”). Subject to your consent, SAP may use the Materials, and transfer them for respective use to other entities in the SAP Group, including your name, likeness, photograph, voice, words, and any other information provided by you during the program or event (collectively, “Your Content”). Subject to your consent, SAP and other entities in the SAP Group may use, reproduce, publish, broadcast and distribute Your Content in whole or in part, worldwide and in translated form on the SAP intranet and the worldwide web, on SAP social media platforms and channels (such as Twitter, YouTube, Facebook, Instagram, LinkedIn), and in printed materials to promote SAP, its brand, products or services.

Program and event profiling. If you register for a program or event of SAP, SAP may share basic participant information (your name, job title, company, and email address) with other participants of the same program or event for the purpose of communication and the exchange of ideas.

Special categories of Personal Data. In connection with the registration for and provision of access to an event or seminar, SAP may ask for information about your health for the purpose of identifying and being considerate of individuals who have disabilities or special dietary requirements throughout the event. Any such use of information is based on the consent you grant hereunder. Kindly note that if you do not provide any such information about disabilities or special dietary requirements, SAP will not be able to take any respective precautions.

Forwarding your Personal Data to other SAP companies. SAP may transfer your Personal Data to other entities in the SAP Group. The current list of SAP Group entities can be found here. In such cases, these entities will then use the Personal Data for the same purposes and under the same conditions as outlined in this Section C. above.

Forwarding your Personal Data to other third Parties. At your request, as indicated by your consent, SAP will transfer your registration data to the companies listed on the registration page. The companies will use your registration data for the purposes of their participation in the event and are obliged to delete the data thereafter. If a company intends to use your data for any other purposes, they will contact you to explain how and for which other purposes they will use your registration data.

Revocation of a consent granted hereunder. You may at any time withdraw a consent granted hereunder by delivering your withdrawal to sapio@sap.com. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain your Personal Data for legal reasons, your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of personal data by SAP up to the point in time of your withdrawal.

IMPORTANT: Unsubscribe requests that you provide to SAP.iO will only be applied to SAP.iO related communications. Please submit unsubscribe requests for general SAP communications to https://www.sap.com/profile/unsubscribe.html. In addition, SAP.iO does not receive and will not apply any unsubscribe requests that you make for general SAP communications. Please send all unsubscribe requests relating to SAP.iO communications to sapio@sap.com.

D. Cookies and similar tools

Information gathered by cookies or similar technologies, and any use of such information, is further described in SAP’s Cookie Statement. You can exercise your cookie preferences as outlined in SAP’s Cookie Statement.

E. Additional Country-Specific Provisions

Where SAP is subject to U.S. privacy requirements, the following also applies:

Do Not Track. Your browser may allow you to set a “Do not track” preference. Unless otherwise stated, our sites do not honor “Do not track” requests. However, you may elect not to accept cookies by changing the designated settings on your web browser or, where available, by referring to our Cookie Statement. Cookies are small text files placed on your computer while visiting certain sites on the Internet used to identify your computer. Please note that if you do not accept cookies, you may not be able to use certain functions and features of our site. This site does not allow third parties to gather information about you over time and across sites. 

Where SAP is subject to Brazil regulations, the following also applies:

Brazilian Law allows companies to send e-mails to potential customers conditioned to the inclusion of an opt-out mechanism and a link to a privacy statement. 

Russian-Specific Provisions apply to citizens of the Russian Federation.

Last Updated on March 30, 2020.