Data protection and privacy

Understand how SAP respects and protects individual privacy rights.
Safeguarding data protection and privacy at SAP

We uphold data protection and privacy by employing advanced security protocols and fostering a culture of trust to ensure that our customers' information is always safeguarded. Learn more about how we prioritize data protection and privacy.

Data protection and privacy

We respect the privacy of every individual. Our policies and data processing agreements help us abide by relevant laws worldwide and provide a trusted foundation for our customers to operate their businesses in a compliant way.

Our commitment to data protection and privacy

We monitor the global regulatory landscape to implement safeguards to protect the fundamental rights of anyone whose data is processed by SAP, including customers, suppliers, partners, prospects, employees, and applicants.

Data protection and privacy by design

SAP is continuously focused on improving its product development standards. We embed data protection and privacy features in our products and services by design and by default.

Artificial intelligence (AI) at SAP

Our use of AI and its development is governed by SAP’s global AI ethics policy and applicable laws.

Data protection management system (DPMS)

SAP has implemented a DPMS with respect to its internal data protection and privacy controls in accordance with internationally recognized industry standards.

General Data Protection Regulation (GDPR)

In Europe, an individual’s right to data privacy is a human right. As a German-based company, SAP has a long-standing commitment to these data privacy and protection principles.

EU Standard Contractual Clauses

Find out how SAP implements the EU Standard Contractual Clauses (EU SCC) as published by the European Commission following the Schrems II decision.

Transfer impact assessments

Our FAQ supports customers with common questions related to transfer impact assessments when they are using cloud services from SAP.

EU Cloud Code of Conduct (EU Cloud CoC)

SAP has sought a "Declaration of Adherence" to the EU Cloud CoC, which is approved by the European Data Protection Board, for certain cloud services.

Product Development Schedule

The Product Development Schedule sets out terms on how SAP may use customer data for general product research and development.

Technical and organizational measures (TOMs)

SAP constantly improves upon TOMs to protect the data we process on behalf of customers against unauthorized access, change, or deletions.

5 years of GDPR

The GDPR's 5th anniversary provides an opportunity to reflect on its accomplishments and its role in the development of future technologies. 

Global data protection and privacy compliance

Find out how SAP monitors and stays compliant with the always-evolving global data protection and privacy requirements applicable to SAP's products and services.

California Privacy Rights (CCPA/CPRA)

SAP supports California Privacy Rights initiatives, which grant California residents more control over their personal data and impose heightened compliance obligations on businesses that share and sell such information.

The Brazil General Data Protection Act (LGPD)

The LGPD is largely inspired by the General Data Protection Regulation, so SAP is well positioned to meet the compliance requirements it introduces.

"Important Data" under China Data Security Law

On January 13, 2022, the Guidelines for Identification of Critical Data were released by the National Information Security Standardization Technical Committee.

The Health Insurance Portability and Accountability Act (HIPAA)

Under certain circumstances, SAP enters into a Business Associate Addendum (BAA) as a covered entity and business associate to enable compliance for those SAP customers that intend to process Personal Health Information (PHI).

Vietnam's Personal Data Protection Decree

Vietnam issued Decree 13 on Personal Data Protection (PDPD). Vietnam will become the fifth country in the ASEAN region with an omnibus set of data protection regulations.

The India Digital Personal Data Protection Act

Find out more about India's first comprehensive data protection and privacy law.

The Philippines Data Processing Systems and Data Protection Officers registrations

Find out about SAP's Philippines Data Processing Systems and Data Protection Officers registrations and seals.

Data processing at SAP

SAP protects the rights of individuals whose data we process. We strive to continuously strengthen our reputation as a trusted and reliable business partner in the market.

Data processing agreements (DPAs)

SAP signs DPAs with each of our customers. DPAs enable us and our customers to comply with applicable laws when SAP processes personal data on behalf of customers.

Technical and organizational measures (TOMs)

SAP constantly improves upon TOMs to protect the data we process on behalf of customers against unauthorized access, change, or deletions.

Subprocessors

SAP's use of subprocessors may require access to and transfer of customer data to subprocessors for the hosting of customer data and related infrastructure support.

Government requests to access customer data

SAP receives few requests from government agencies requiring SAP to produce or disclose information that contains or includes any customer data.

Data Subject Rights

Submit a request to exercise your data subject rights.

Data protection and privacy certifications

SAP has a wide range of third-party audit reports, certifications, and attestations that demonstrate our compliance with data protection and privacy requirements.

Audit reports and certifications

SAP maintains multiple industry-standard third-party certifications and audit reports in support of the TOMs described in our DPAs.

Industry-specific attestations

SAP has a variety of sector-specific attestations and authorizations for certain products and services to meet the needs of customers in various industries, including FedRAMP and PCI DSS.

EU Cloud CoC reports

SAP has sought a Declaration of Adherence to the EU Cloud CoC for certain cloud services to demonstrate GDPR compliance in the SAP product and services portfolio.

Data protection management system (DPMS)

SAP has implemented a DPMS with respect to its internal data protection and privacy controls in accordance with internationally recognized industry standards.

Additional access to support documents

Available for SAP customers and partners with a valid SAP user ID.

DPA amendment signature self-service

SAP customers located in the EU/EEA have the option to sign a DPA amendment that includes the EU SCCs (Standard Contractual Clauses). It’s available in several languages for SAP customers with a valid SAP user ID. SAP customers located in the UK have the additional option to sign a DPA amendment that includes the international data transfer addendum to the EU SCCs for international data transfers (the “UK IDTA”). It’s available in English for SAP UK customers with a valid SAP user ID. More information about this service can be found in the FAQ document.

Disclaimer: Please note that the pre-signed DPA amendments are available only for the respective customers located in the EU/EEA or in the UK. The provided DPA amendment must be signed by a person who is authorized to sign it.

Data protection and privacy FAQs

Frequently asked questions

As a business-to-business enterprise application provider, SAP receives few requests from government agencies or similar parties (“Requesting Party”) requiring SAP to produce or disclose information that contains or includes any customer data (“Request”). In all cases where SAP receives Requests, SAP will advise the Requesting Party that all customer data stored in any SAP customer cloud system belongs to the customer, not to SAP, and that such data is confidential, and that SAP cannot and will not produce or disclose any such information to the Requesting Party without first complying with its contractual obligation to provide notice to the customer about the Request to give the customer an opportunity to consent or to object and seek an appropriate protective order.

If the Requesting Party prohibits SAP from providing such notice to the customer, then SAP will try to challenge the Request if it is invalid or unlawful. If the competent court issues a ruling that compels SAP to comply with a Request without prior notice to the customer, SAP will challenge such ruling to the extent recourse is available and SAP has a good faith basis under existing applicable law to challenge the ruling. If no such recourse exists, or if SAP’s attempt to challenge the ruling on appeal is not successful, SAP will make all reasonable efforts to narrow the scope of the Request to the extent permitted under applicable laws before complying with it.

SAP carefully evaluates the security, privacy, and confidentiality practices of a subprocessor prior to retention. All SAP subprocessors enter into a written agreement with SAP that includes data privacy and security terms. SAP also provides lists with subprocessors by SAP product or services, which customers can access on a self-service basis at any time through the SAP Trust Center site. These lists include details on the location and country of each subprocessor per product or service. Customers can subscribe to subprocessor lists and receive e-mail notifications of changes.

The determination of whether to conduct a DPIA or TIA rests with the controller of personal data. SAP acts as processor within the scope of its provision of SAP products and services to customers. However, SAP will cooperate with customers as necessary and provide customers with reasonable information to assist the customer in its completion of a DPIA or TIA.

The supplementary measures identified in the final recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data—as issued by the European Data Protection Board (EDPB)—are designed to enable transfer mechanisms (such as the SCCs) to provide an “essentially equivalent” protection.

The EDPB’s recommendations divide supplementary measures into three groups—technical, organizational, and contractual measures. SAP implements appropriate technical and organizational measures (TOMs) to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration.

SAP has implemented controls, policies, and procedures, as further described in SAP’s TOMs that are part of its DPAs, which can be found in the SAP Trust Center. SAP also maintains multiple industry-standard third-party certifications and audit reports as described in SAP’s DPAs, which customers can request at any time on a self-service basis through the SAP Trust Center.

The EDPB guidance also describes the need for contractual commitments to provide transparency about, for example, processing locations, applicable laws, and government demands for data. These requirements are addressed in SAP’s existing agreements and were enhanced in SAP’s updated DPAs.

When the provision of products and services by SAP to its customers involves the international transfer of EU/EEA personal data to “Third Countries” (such as countries, organizations, or territories not acknowledged by the EEA/EU under Article 45 of the GDPR as a safe country with an adequate level of protection), SAP relies on the Standard Contractual Clauses as issued by the European Commission to legitimize such transfers.