CONFIDENTIALITY and PRIVACY STATEMENT V1.

7a

1. CONFIDENTIALITY/SECURITY

You undertake not to disclose any Confidential Information. Confidential Information shall mean all information
and sensitive data which the Disclosing Party protects against unrestricted disclosure to others or which is
identified as Confidential or Proprietary or would otherwise ordinarily be expected to be confidential or
proprietary regardless of the manner in which it is furnished, including but not limited to, any trade and
business secrets of SAP, SAP customers, SAP partners and/or other third parties, about which you obtain
knowledge during the course of your activities for SAP. You shall keep all Confidential Information confidential
and not disclose any Confidential Information to any person other than SAP personnel on a need to know basis
and only for the purpose of fulfilling your duties. You undertake to disclose Confidential Information to third
parties only with prior written approval by SAP. This obligation shall remain in force even after termination of
your access to SAP confidential information.

You also acknowledge that you are obliged to the terms and conditions of SAPs Security Policy and the
related Standards, including but not limited to the SAP Security Guideline for Externals (Appendix II), SAP
Global Data Protection & Privacy Policy External (Appendix III) or any amendment or new version thereof.

2. TRADE SECRETS AND COPYRIGHTS OF OTHER COMPANIES

You undertake to respect the rights, especially the copyrights, of third parties. Unless the copyright holder has
given its express consent in writing and SAP has given its approval for the respective use, third party software
or materials shall not be used or modified in any way.

You acknowledge that SAP has no interest whatsoever in Confidential Information of other companies. You
undertake not to disclose any Confidential Information or copyright protected materials of third parties to SAP.
In addition you shall not keep or store any such information in SAP premises or on SAP systems. Any
disclosure is subject to a written non-disclosure agreement to be concluded between SAP and the respective
third party before such disclosure.

3. OBLIGATION TO OBSERVE DATA SECRECY

Subject to Section 5 Bundesdatenschutzgesetz (German Federal Data Protection Act), you are prohibited to
process, publish, disclose or otherwise use personal data without authorization.
Your obligation, to observe confidentiality regarding any personal data you may have access to, shall remain in
force after termination of your access to such data. This obligation also comprises not to disclose or use any
personal data from SAP customers, SAP partners and/or any other third party.
Any violation of privacy can lead to a fine or imprisonment in accordance with Section 43
Bundesdatenschutzgesetz (German Federal Data Protection Act) and other applicable statutory provisions.

I acknowledge and agree to the regulations of the CONFIDENTIALITY AND PRIVACY STATEMENT
V1.7a including its Appendixes I-III which shall form an integral part of this Statement. With my
signature I especially acknowledge the regulations of the Federal Data Protection Act
(Bundesdatenschutzgesetz) outlined in Appendix I.

Please enter your data using block letters:

Sex: male female

First name: Middle name: Last name:

Company: SAP customer/partner no:

Company Address:

Date: Signature:

Confidentiality and Privacy Statement V1.7 page 1/12

APPENDIX I Wording of Bundesdatenschutzgesetz (unofficial translation)

Section 5 Confidentiality

Persons employed in data processing shall not collect, process or use personal data without authorisation
(confidentiality). On taking up their duties such persons, in so far as they work for private bodies, shall be
required to give an undertaking to maintain such confidentiality. This undertaking shall continue to be valid after
termination of their activity.

Section 43 Administrative offences

(1) An administrative offence shall be deemed to have been committed by anyone who, whether intentionally or
through negligence
1. in violation of Section 4d (1), also in conjunction with Section 4e second sentence, fails to notify, fails to do
so within the prescribed time limit or fails to provide complete information,
2. in violation of Section 4f (1) first or second sentence, in each case also in conjunction with the third and sixth
sentences, fails to appoint a data protection official or fails to do so within the prescribed time limit or in the
prescribed manner,
2 a. in violation of Section 10 (4) third sentence fails to ensure that the transfer of data can be ascertained and
checked,
2 b. in violation of Section 11 (2) second sentence fails to assign work correctly, completely or in accordance
with the rules, or in violation of Section 11 (2) fourth sentence fails to verify compliance with the technical and
organizational measures taken by the processor before data processing begins,
3. in violation of Section 28 (4) second sentence fails to notify the data subject, or fails to do so correctly or
within the prescribed time limit, or fails to ensure that the data subject may obtain the relevant information,
3 a. in violation of Section 28 (4) fourth sentence requires a stricter form,
4. in violation of Section 28 (5) second sentence transfers or uses personal data,
4 a. in violation of Section 28a (3) first sentence fails to notify, or fails to do so correctly, completely or within
the prescribed time limit
5. in violation of Section 29 (2) third or fourth sentence fails to record the evidence described there or the
means of presenting it in a credible way,
6. in violation of Section 29 (3) first sentence, incorporates personal data into electronic or printed address,
telephone, business or similar directories,
7. in violation of Section 29 (3) second sentence fails to ensure the inclusion of identifiers,
7 a. in violation of Section 29 (6) fails to treat a request for information properly
7 b. in violation of Section 29 (7) first sentence fails to notify a consumer, or fails to do so correctly, completely
or within the prescribed time limit
8. in violation of Section 33 (1) fails to notify the data subject, or fails to do so correctly or completely,
8 a. in violation of Section 34 (1) first sentence, also in conjunction with the third sentence, in violation of
Section 34 (1a), in violation of Section 34 (2) first sentence, also in conjunction with the second sentence, or in
violation of Section 34 (2) fifth sentence, (3) first sentence or second sentence or (4) first sentence, also in
conjunction with the second sentence, fails to provide information, or fails to do so correctly, completely or
within the prescribed time limit, or in violation of Section 34 (1a) fails to record data
8 b. in violation of Section 34 (2) third sentence fails to provide information, or fails to do so correctly,
completely or within the prescribed time limit,
8 c. in violation of Section 34 (2) fourth sentence fails to provide the data subject with the information referred
to, or fails to do so within the prescribed time limit,
9. in violation of Section 35 (6) third sentence transfers data without providing the counter-statement,
10. in violation of Section 38 (3) first sentence or (4) first sentence fails to provide information, or fails to do so
correctly, completely or within the prescribed time limit, or fails to allow a measure, or
11. fails to comply with an executable instruction under Section 38 (5) first sentence.
(2) An administrative offence shall be deemed to have been committed by anyone who, whether intentionally or
through negligence
1. collects or processes personal data which are not generally accessible without authorization,
2. makes available personal data which are not generally accessible by means of automated retrieval without
authorization,
3. retrieves personal data which are not generally accessible without authorization, or obtains such data for
themselves or others from automated processing operations or non-automated files without authorization,
4. obtains transfer of personal data which are not generally accessible by providing false information,

Confidentiality and Privacy Statement / Appendix I page 2/12

APPENDIX I Wording of Bundesdatenschutzgesetz (unofficial translation)

5. in violation of Section 16 (4) first sentence, Section 28 (5) first sentence, also in conjunction with Section 29
(4), Section 39 (1) first sentence or Section 40 (1), uses transferred data for other purposes,
5 a. in violation of Section 28 (3b) makes the conclusion of a contract dependent on the consent of the data
subject,
5 b. in violation of Section 28 (4) first sentence processes or uses data for purposes of advertising or market or
opinion research,
6. in violation of Section 30 (1) second sentence, Section 30a (3) third sentence or Section 40 (2) third
sentence combines a feature referred to there with specific information, or
7. in violation of Section 42a first sentence, fails to notify or fails to do so correctly, completely or within the
prescribed time limit.
(3) Administrative offences may be punished by a fine of up to 50,000 in the case of subsection 1, and a fine
of up to 300,000 in the cases of subsection 2. The fine should exceed the financial benefit to the perpetrator
derived from the administrative offence. If the amounts mentioned in the first sentence are not sufficient to do
so, they may be increased.

Section 44 Criminal offences

(1) Anyone who willfully commits an offence described in Section 43 (2) in exchange for payment or with the
intention of enriching him-/herself or another person, or of harming another person shall be liable to
imprisonment for up to two years or to a fine.
(2) Such offences shall be prosecuted only if a complaint is filed. Complaints may be filed by the data subject,
the controller, the Federal Commissioner for Data Protection and Freedom of Information and the supervisory
authority.

Confidentiality and Privacy Statement / Appendix I page 3/12

APPENDIX II Security at SAP, SAP Security Guideline for Externals V1.3

SAP Security Policy & Standards short form (Version from August 01, 2013)

The SAP Security Policy defines all security objectives for SAP which is binding to all employees and external
workers. The objectives are stipulated as detailed security accountabilities and requirements within the related
SAP Security Standards. This appendix summarizes the most important regulations of the SAP Security
Standards and should be used as a short reference guide for security-compliant behaviour. However the
original form of each SAP Security Standard is binding as published within the SAP Corporate Portal under
Quick Link: /securitystandards.

Authorization

It is generally forbidden to try to get access to or to manipulate information. This particularly refers to illegal
technical methods for circumventing access restrictions and to obtaining access rights without being authorized
to do so. Information owners who are responsible for issuing access and system rights must grant access
privileges on a risk based approach which means that possible segregation of duties (caused by functional
combinations) or access to confidential data must be avoided as much as possible. In the case such access
risks cannot be avoided respective mitigation controls must be implemented and effectively managed.

Clean Desk

All desks must be organized in such a way that unauthorized persons cannot get hold of confidential
documents and data. In addition, valuables (especially laptops, PDAs, and mobile phones) must be protected
against misuse and theft. Any PCs, laptops, smartphones and tablets must be locked adequately when the
desk is left for a longer time period. This might be ensured by locking the office door or by storing the devices
in a lockable cabinet. It must be ensures that confidential documents will not be disclosed to unauthorized
persons while they are printed. Therefore PIN based secure printing shall be used when available. Also
confidential materials in meeting rooms may not be left (Whiteboards must be cleaned and flipchart papers
must be stored away or destroyed respectively). Secure methods which are released by SAP Global IT must
be applied to destroy data carriers that contain confidential or strictly confidential information.

Communication

When using an SAP e-mail account every user seems to be a SAP employee. When e-mail communication is
used, it is required to ensure that documents and information are not passed on to unauthorized parties.
Distribution list members must be checked before confidential documents are sent for example. It is an
obligation of everyone to protect the SAP voice mail box by applying a PIN. The same applies to the SAP
mobile phone. Official press statements or other publications for authorities, and other external bodies must
always be coordinated with SAP Global Communication.

Information Classification

Documents at SAP are classified according to the following five categories: public, customer, internal,
confidential, and strictly confidential. These globally valid categories are to be used globally in English. All
documents and other information must be classified by the information owner. All employees and external
workers need to protect the classified information accordingly with given protection solutions and organizational
measures. Those must be applied in accordance with the classification and handling matrix. Documents or
other information that have not been classified must be treated at least as internal.

Facility Access Card

Each person which is an employee or external worker needs a valid facility access card to get into SAP
buildings. The facility access card must display the employees or external workers name with a respective
photograph and must be carried all time visible while staying at SAP premises. Generic visitor cards are
available for short-term visitors only. It is forbidden to pass the facility access card to other third parties. If the
facility access card gets lost, the local security office (front desk) that issued the card or SAP Security in
Walldorf (+49 62277 42400) must be informed immediately.

Confidentiality and Privacy Statement / Appendix II page 4/12

APPENDIX II Security at SAP, SAP Security Guideline for Externals V1.3

IT-Security All Employees

The security standard 'IT-Security - All Employees' combines all IT-related security requirements for employees
in one single document. All employees cover requirements which have to be fulfilled by all employees, but also
external workers and partner ecosystem users who will obtain access to the SAP IT infrastructure and
applications. The 'Roles and Responsibility' section has been clearly structured and explains these
responsibilities. The section for actual system security has been split into PCs/Laptops (i.e. MS Windows-
based devices) and other mobile devices (i.e. smartphones and tablets based on iOS, Android, and other
mobile operating systems). Requirements are defined related to the correct password chose, anti-virus
protection, secure authentication and others according the ISO 27001/2 framework. One major contributor to
better understandability and clarity is that all information pertaining to system operation has been moved to the
security standard 'IT Secure System Operation - Operational Groups'. This is also part of the IT-Security
Framework.

Internal Applications

Security-relevant requirements for the secure development of all SAP products are described in the SAP
Security Standard for the product innovation life cycle (PIL). These security requirements also apply to the
development of internal applications and must be applied accordingly.

Managing Access of External Parties at SAP

This SAP Security Standard describes the requirements for providing access rights to external party users (C-
users) to the SAP corporate network and associated business applications. Important is to understand that
external party users cannot approve access requests of other external party users. Only trustworthy external
party users can obtain access to strategic internal projects or confidential business information. It is also a
must that external party users return their SAP owned equipment back after completing their services to SAP.
Therefore a start and end date for external party users must be specified in accordance with the external party
contract.

IT Secure System Operation SAP Operational Groups

The security standard 'IT Secure System Operation SAP Operational Groups ' is relevant only for those users
that operate IT systems as part of their job description. This may also include external workers or members of
the partner ecosystem who will operate SAP IT systems under the duty of contractual agreements. It is an
integral part of the IT Security Framework that has been closely aligned with ISO27001/2. The 'Security
Standard IT Secure System Operation SAP Operational Groups', the thereof depending security directives
and the security procedures form a comprehensive IT Security Framework which summarizes all requirements
when operating IT systems at SAP. These requirements relates for instance for the secure development of
internal applications, security requirements for implementation & configuration of IT systems, introduction of a
required IT system security lifecycle management and the secure operations (for instance required change
management, incident management and others) of these IT systems.

Third Party Systems

In exceptional cases it might be required that non-SAP IT systems (e.g. laptop, tablet, etc.) of external workers
might need to be connected to the SAP corporate network. This is only allowed if a valid business reason
exists. SAP owned devices that are provided by Global IT must always be the first choice. The non-SAP IT
systems must be validated by SAP Global IT if best practice security measures are implemented and activated
correctly before connecting them to the SAP corporate network.

Confidentiality and Privacy Statement / Appendix II page 5/12

APPENDIX III SAP GLOBAL DATA PROTECTION POLICY External V 1.0 (September 2012)

Introduction

SAP is committed to data protection and privacy. SAP respects data protection and privacy rights and
safeguards any Personal Data of employees, applicants, customers, suppliers, partners, and all other
individuals whose Personal Data is under SAPs responsibility. To demonstrate SAP`s commitment, SAP has
decided to implement this Global Personal Data Protection And Privacy Policy (Policy).
This Policy establishes the basic principles for any collection, processing, recording, storage, transfer,
disclosure, deletion and any other handling or use of Personal Data under SAPs legal responsibility by
defining requirements for all operations involving Personal Data and by establishing clear responsibilities and
organizational structures.
The elementary definition of Personal Data to be used within SAP is (see Appendix 1 for other relevant
definitions):

Personal Data is any information related to an identified or identifiable natural person. It includes data of
employees, applicants, former employees, customers, prospects, suppliers, partners, users of SAP Websites
and services, or any other individual.

Individuals may be identified for example directly by their names, telephone numbers, email addresses,
physical location addresses, user IDs, taxpayer IDs, social security numbers, or indirectly by a combination of
any information. Personal data may be located in both SAPs own systems as well as contracted systems, but
also in on-demand systems run by SAP for their customers, or even in customers and partners systems, if
SAP personnel could possibly gain access in the course of services, support, or consultancy activities.
If any operation at SAP involves the collection, processing and/or use of Personal Data, the regulations of this
Policy have to be adhered to. Management and process owners are responsible to ensure that all processes
involving the collection, processing and/or use of Personal Data are designed to comply with the regulations of
this Policy. It is within the responsibility of every SAP employee to comply with the regulations of this Policy
when handling Personal Data in their SAP work. This Policy shall be imposed accordingly to all parties working
with Personal Data of SAP and on behalf of SAP.
SAP is a global company with its headquarters in Germany, which is a member of the European Union (EU).
Therefore this Policy is based on the definitions of the European Data Protection legislation and defines the
basic principles which are applicable for every SAP entity.
If local (i.e. country specific) or other applicable laws require stricter standards, Personal Data must be handled
in accordance with those stricter laws. Any further standard and/or guideline issued under this Policy may be
supplemented as necessary by such local or other applicable laws.
Where applicable law provides a lower level of protection, the principles governing any collection, processing
and/or use of Personal Data shall be based on this Policy and not on the lower level of protection provided by
law.
Questions about applicable law may be addressed to the Data Protection and Privacy Office (DPPO)
(mail:privacy@sap.com).
Employee data protection and privacy rights must be ensured according to the law of the country of the
employment contract, independent of the actual location and law of the country in which the employee data is
processed or used. The legal responsibility for employee Personal Data always remains with the employing
legal entity. The employing legal entity is responsible for notifying other SAP entities (e.g. if manager is
employee of another SAP legal entity), if there are different rules applicable to their employees for data
protection and privacy.
This policy shall not restrict SAPs ability to exercise its rights in lawsuits.

Basic Data Protection and Privacy Principles

At any operation of SAP that involves the collection, processing and/or use of Personal Data, Personal Data
must always be processed fairly and only to the extent allowed by applicable law.
Generally, processing is permitted:
Based on freely given consent of a Data Subject, e.g., by registering on a Web site or
To the extent required to fulfil contracts with the Data Subject, e.g., an employment contract or a
contract for services or
Where the law requires or allows processing, e.g., tax laws, social codes

Confidentiality and Privacy Statement / Appendix III page 6/12

APPENDIX III SAP GLOBAL DATA PROTECTION POLICY External V1.0 (September 2012)

Personal Data may only be collected for legitimate purposes, which must be specified before the time of
collection.
The data may not be further processed in any way incompatible with the original specified purposes unless
allowed otherwise, subject to the conditions of applicable law.
Personal Data shall be collected directly from the Data Subject. If this is not possible or not the case, Data
Subjects have, at a minimum to be provided with information about the kind of Personal Data being processed
and the specified purposes of collection, processing and/or use of Personal Data.
O the amount of data reasonably necessary to accomplish the specified purpose may be collected. Excessive
data collection is not allowed. Personal data must be accurate at all times and must be corrected where
necessary Personal Data may be kept only as long as necessary for the specified purposes.

Responsibility for Data Protection and Privacy

a. Management
The legal responsibility for the collection, processing and/or use of Personal Data within SAP lies with the
executive management of the respective SAP legal entity that collects, processes and/or uses the Personal
Data for the business purposes of the respective legal entity e.g. Board Members of SAP AG, Managing
Directors etc. following applicable law.
Internally within SAP, responsibility may be delegated along SAPs organizational structure to managers of
different levels and employees through documented managerial instructions, directives and the definition of
business processes with explicit hand over of responsibility and accountability.
Management is responsible that any process regarding the collection, processing and/or use of Personal Data
is designed to satisfy the requirements of this Policy.
The management of each legal SAP entity is responsible:

for the monitoring of local (i.e. country specific) legislation, for example by a local Data Protection and
Privacy Coordinator (see Section 8b)
to verify if global processes are in line with local law and inform the local and global process owners
accordingly when local regulation impact such processes
to get in contact with supervisory authorities in cases, where local law requires (prior) approvals by or
notice to authorities for the collection, processing, use or transfer of personal data.

b. Global Human Resources

Any employee having access to Personal Data, whether under control of SAP or any of SAPs business
partners, shall be properly informed of their personal responsibility under applicable law and personally obliged
to data secrecy and confidentiality. Such obligation shall be certified in writing or in an adequate verifiable form.
The obligation shall be executed according to applicable law for employees and any persons acting on behalf
of SAP, and include an indication of personal responsibility and possible legal consequences of any violations
of applicable data protection and privacy laws.
The responsibility for the execution of this obligation lies with SAPs Global Human Resources organization for
SAPs employees as well as for third parties who have access to Personal Data at SAP.

c. Employees
All SAP employees are responsible to maintain confidentiality regarding Personal Data they have access to
due to their employment duties at SAP.
Any SAP employee may collect process and/or use Personal Data only to the extent necessary to fulfill their
duties and according to approved processes. Employees can rely on the lawfulness of managerial instructions
regarding the usage of Personal Data. In case of doubt, employees can ask for clarification through
management or the Data Protection and Privacy Office (privacy@sap.com). Employees are personally
accountable for the fulfilment of their obligations e.g. obligation to observe data secrecy.

Details

a. Notification, Data Accuracy and Access

Any Data Subject has to be provided with proper information about the collection, processing and/or use of
Personal Data, usually before the collection of data and in accordance with applicable law.

Confidentiality and Privacy Statement / Appendix II page 7/12

APPENDIX III SAP GLOBAL DATA PROTECTION POLICY External V1.0 (September 2012)

Notification to Data Subjects about data handling activities has to be given in an easy understandable way
without misleading information or wording.
Stored Personal Data has to be accurate and reasonable steps must be taken to correct or delete inaccurate
personal data. Data Subjects may request access to their Personal Data at any time. Any processes for
collecting, processing and/or using Personal Data must include a possibility for correcting, updating, and where
applicable law requires, deleting or blocking as appropriate. Any request or complaint of a Data Subject must
be handled by the responsible SAP legal entity in a timely manner. Any objection of a Data Subject regarding
the processing of their personal data must be duly verified and, if required, remedial action must be taken.
Employees need to be able to access their Personal Data as required by law in their employing countries,
regardless of the location where the data is stored or processed. If any Personal Data is inaccurate or
incomplete, the employee may request that the data be amended or if necessary, blocked or erased.
Any Data Subject has the right to inquire the nature of the personal data stored or processed about him or her
by any SAP entity or third party vendor working on behalf of SAP.

b. Expiration of Data and Data Deletion

Any process that involves collection, processing and/or use of Personal Data must define a schedule for
deletion, anonymization or blocking of the Personal Data once the specified purpose has been accomplished
or the legal basis has otherwise expired. Any process shall foresee the regular deletion.
Instead of deletion, Personal Data may also be irreversible anonymized, i.e. it may be kept in a form where
identification of an individual is no longer possible. Where neither deletion nor anonymization is possible due to
technical or for legal reasons (e.g. where a law requires to keep records for taxation purposes), such Personal
Data must be blocked from any further processing and/or use and the access to the Personal Data has to be
restricted to those persons that have a legitimate need to access the Personal Data.

c. Additional Rules for Sensitive Personal Data

Sensitive Personal Data is a Special Category of Personal Data that includes personal information specifying
medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal
convictions, trade union membership or information related to the sexual orientation of an individual.
In circumstances where SAP or a third party on behalf of SAP needs to collect Sensitive Personal Data,
management has to ensure that the Data Subject is notified of the reason for obtaining this Sensitive Data and
with whom it will be shared. Contingent upon applicable law, SAP has to obtain explicit consent from the Data
Subject regarding the processing and transfer of such Sensitive Personal data. Appropriate protection
measures (e.g.: physical security devices, encryption, and access restrictions) shall be provided depending on
the nature of data and the risks associated with the intended use.

For these special categories of data, the following additional rules apply:
Collection, processing and/or use of such data must always be transparent to individual Data Subjects.
Any consent of individual Data Subjects must refer expressly to such data.
Processes that involve the collection or use of Sensitive Personal Data may only be established with
the advance approval of the Data Protection and Privacy Office or the Local Data Protection and
Privacy Coordinator.

d. Transfer/Contractual Data Processing

It is not uncommon in todays business world for Personal Data to be exchanged between affiliates of one
company or with other companies, either because one company or affiliate processes data on behalf of
another entity (so called Transfer for Processing) or because the receiving entity shall use the personal data
for its own purposes (Transfer for Own Purposes). In both situations contractual provisions on security and
data protection are required.

Additionally personal data in the legal responsibility of an SAP entity in the European Union must only be
processed or transferred outside the European Economic Area (European Union plus Norway, Iceland and
Liechtenstein) with proper legal safeguards in accordance with Articles 25 and 26 of the EU Data Protection
Directive 95/46/EC in place.
Where personal data is transferred, the following rules apply:

Transfer for Processing on behalf of SAP:

Confidentiality and Privacy Statement / Appendix II page 8/12

APPENDIX III SAP GLOBAL DATA PROTECTION POLICY External V1.0 (September 2012)

SAP always remains legally responsible regarding the obligations towards the Data Subject. These obligations
do not cease by a handover to or usage of a third party as a service provider.

If SAP engages a service provider to fulfil tasks on behalf of SAP that include processing of personal data,
contractual provisions on security and data protection are required. Therefore, a process to check suppliers
involved in contractual data processing must be implemented and maintained. No supplier for services that
includes contractual data processing may be engaged without a prior verification of their compliance to SAPs
legal and contractual obligations and requirements.

Transfer for the Receiving Companys own Purposes:

Transfer of personal data to a third party for purposes of this third party or to a national or international
authority is only allowed where permitted or required by law or where the Data Subjects concerned have given
their prior consent.

Transfer between SAP Legal Entities

SAP has established an Intercompany Master Data Protection Agreement among all SAP subsidiaries and
legal entities to ensure the lawfulness of the transfer of personal data among SAP legal entities. All mergers,
splits, and acquisitions of legal entities must be included in this framework through the execution of a contract.
Any use of personal data transferred between legal entities must be in compliance with the rules of the master
data protection agreement or any framework subsequently introduced to ensure compliance with applicable
data protection legislation, especially but not limited to the European Unions Data Protection Directive and
related local laws.
In the case of acquisitions, splits or founding of new companies no transfer of personal data and no
authorization for access to personal data are permitted unless the Intercompany Master Data Protection
Agreement is fully executed in the newly acquired or established legal entities.

Transfer of Customer Data

SAP handles Personal Data of customers and on behalf of customers. Any transfer and use of such customer
data must be done in compliance with applicable laws and contractual obligations. Personal Data of customers
shall never be transferred to third parties without proper legal or contractual basis.
In this regards SAP cooperates with customers to facilitate customers compliance with applicable data
protection laws.

Supervisory Authorities for Data Protection and Privacy

SAP legal entities must always cooperate with data protection supervisory authorities, whether demanded by
local law, contractual obligations, or by this Policy. Such cooperation shall also be exercised across borders. If
supervisory authorities for Data Protection and Privacy demand any information or exercise supervisory rights,
local legal and local Data Protection and Privacy Organization shall be promptly informed. Any cross border
activities must be aligned with SAPs Data Protection and Privacy Office.

Data Protection and Privacy Versus Security

Data protection and privacy laws require specific security measures. SAP defines such measures in the SAP
Security Policy and dependent security standards and guidelines. The Data Protection and Privacy Office
support definition and maintenance of such standards and guidelines.

Data Protection Organization

a. Global Organization
The Data Protection and Privacy Office is an organizational unit within SAP AG reporting directly to the
responsible Board Member

The governance for data protection and privacy on global level belongs to the Data Protection and Privacy
Office led by the SAP Data Protection Officer. The independence of the SAP Data Protection Officer is
guaranteed under the regulation of section 4f of the German Data Protection Act.

b. Local, Regional, and Line-of-Business-Related Organization

Confidentiality and Privacy Statement / Appendix II page 9/12

APPENDIX III SAP GLOBAL DATA PROTECTION POLICY External V1.0 (September 2012)

Local, regional and Line of Business (LoB) management must implement a local and/or regional or LoB
specific organization, in particular:

Appoint a Data Protection and Privacy Coordinator as part of a global Data Protection and Privacy
Network. A Data Protection and Privacy Coordinator can be appointed for different countries or for a
complete region, but the country-specific responsibilities must always be transparent. A direct or
functional reporting line to the Managing Director of the legal entity or the responsible head of the
regional or LoB management must be established.
Provide the Data Protection and Privacy Coordinator with reasonable resources to fulfil his tasks.
Ensure the timely involvement of the Data Protection and Privacy Coordinator and DPPO in relevant
projects.

There must be no legal entity without a responsible Data Protection and Privacy Coordinator.
Due to the internal organization of SAP, a country-specific setup of data protection and privacy governance is
not sufficient. Therefore, the following lines of business must appoint a Data Protection and Privacy
Coordinator regardless the existence of Data Protection and Privacy Coordinators on country or regional level:

on global level:
Global Human Resources
Global Service & Support
Cloud Business Unit
Ecosystem and Channels
SAP Global Marketing
Global IT
SAP Research
Global Finance & Administration
Development

on regional level:
Consulting Services

The specific tasks of the Local, Regional, and Line-of-Business-Related Organization are defined in Appendix
3 (SAP internal documents which are not included in this version).

Data Protection and Privacy Standards

Since this Policy describes the obligation and duties for SAP, its managers, and its employees when
processing personal data in a general way, there will be local or topic dependent needs to set up guidelines,
procedures or work instructions in a specific way, to have operationally usable documents available.
Therefore, data protection and privacy standards shall be developed, implemented, and maintained by or in
close alliance with the DPPO or local, regional or LoB-specific Data Protection and Privacy Coordinators. Such
standards shall be reviewed and approved by the DPPO; for regional or global standards an additional
approval is required by the Data Protection and Privacy Steering Committee.

Such standards must never conflict with the obligations of this Policy, but can extend or specify general
statements hereof.

Awareness
DPPO and the Data Protection and Privacy Coordinators shall create awareness programs on a regular basis.
All employees and persons working on behalf of SAP shall not only be regularly informed about their
obligations and duties, but also about their rights under this Policy and applicable law.

Confidentiality and Privacy Statement / Appendix II page 10/12

APPENDIX III SAP GLOBAL DATA PROTECTION POLICY External V1.0 (September 2012)

Appendix 1 Definitions

Anonymous Data Data in a form where an identification of an

individual, including without limitation an indirect
identification with the help of other data or
information, is no longer possible. Anonymous data is
no longer subject to internal or external regulation on
data protection and privacy
Collection, Collection means the acquisition of data on the data
Processing and/or subject. Processing means any operation or set of
Use: operations which is performed upon personal data,
whether or not by automatic means, such as
collection, recording, adaption, storing, alteration,
transfer, blocking, and erasure of personal data. Use
means any utilization of personal data other than
processing.
Consent Can be explicit or implicit. In general, explicit consent
requires an action of the data subject to allow any
processing of data, e.g., an opt-in to send emails or
gather personal data. Freely given explicit consent is
considered a proper cause to process personal data
unless otherwise regulated by law. Implicit consent
(e.g., opt-out) allows processing as long as the data
subject does not indicate otherwise
Controller A natural or legal person, who alone or jointly with
others, determines the purposes and means of the
processing of personal data (general legal definition).
In SAPs case, always an SAP legal entity is the
controller of the personal data of its employees,
customers, suppliers, partners or other individuals.
SAP employees, internal units or organizations
cannot be controllers. The controller is represented
by the legally responsible management, e.g. the
Board Members of SAP AG or the managing directors
of other SAP legal entities.
Data Subject Any identified or identifiable natural person; an
identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an
identification number or to one or more factors
specific to his physical, physiological, mental,
economic, cultural or social identity.
Deletion Either physical destruction of data or anonymization
of data in a way that no further relation of the data to
a natural person is possible.
Personal Data Any information relating to an identified or identifiable
natural person (data subject). An identifiable person
is one who can be identified, directly or indirectly, in
particular, by reference to an identification number or
to one or more factors specific to his or her physical,
physiological, mental, economic, cultural, or social
identity
Processor A natural or legal person, public authority, agency, or
any other body that processes personal data on
behalf of the controller, e.g., an external legal entity or
SAP legal entity different from the controller.
Special Categories of Personal Data Includes data concerning racial or ethnic origin,

Confidentiality and Privacy Statement / Appendix II page 11/12

APPENDIX III SAP GLOBAL DATA PROTECTION POLICY External V1.0 (September 2012)

political opinions, religious or philosophical beliefs,

trade-union membership, offences, criminal
convictions, health, or sex life, as well as data that
may be used for identity theft, such as social security
numbers, credit card and bank account numbers, and
passport or drivers license numbers.
Third Party Any natural or legal person, public authority, agency,
or any other body other than the data subject, the
controller, the processor, and the persons who, under
the direct authority of the controller or the processor,
are authorized to process the data; different legal
entities in the SAP Group of companies are third
parties to each other.

Confidentiality and Privacy Statement / Appendix II page 12/12