Privacy Statement – 【SAP Service and Asset Manager】
Last update: [June 2024]
Note:
The 【SAP Service and Asset Manager】 is not a stand-alone application, but an interface that provides you with access to log into the backend Cloud Service through your mobile device as long as you remain a user authorized by your Company to access the backend Cloud Service. Thus, SAP as data controller will normally only collect your Personal Information (e.g., username ID and related password information) for user authentication purposes in the Mobile App to enable your access to the backend Cloud Service through your mobile device. This Privacy Statement will neither cover the personal information collected or processed by the backend Cloud Service nor cover the personal information processed by SAP as data processor on behalf of a data controller.
This Privacy Statement applies to the SAP Service and Asset Manager mobile app (“[SAP Service and Asset Manager]”) published and operated by SAP SE, Dietmar-Hopp-Allee 16 Walldorf 69190, Germany.
This Privacy Statement describes how SAP processes the personal information you provide to SAP and the information that SAP collects or generates in the course of operating the [SAP Service and Asset Manager]. “Personal Information” refers to any information relating to an identified or identifiable natural person, recorded electronically or in other manners, excluding anonymized information.
Your employer, client company, business, institution, or other providing entity (“your Company”) may have subscribed to the backend cloud services, “Mobile Services on Business Technology Platform (BTP)” (“[Cloud Service]”). The [SAP Service and Asset Manager] is used to provide you with a channel to log in and use the [Cloud Service] and allow you to access and use the [Cloud Service] through your mobile device as long as you remain a user authorized by your Company to access the [Cloud Service]. The [SAP Service and Asset Manager] will not collect and process your Personal Information generated during your use of the [Cloud Service]. Regarding how your Personal Information will be collected and processed during your use of the [Cloud Service], please carefully read the End User License Agreement (“EULA”) (https://www.sapcloud.cn/corporate/legal/privacy.html). The use of the [Cloud Service] will not be subject to this Privacy Statement.
This Privacy Statement will help you understand the following:
I. How does SAP collect and use your Personal Information?
II. How does SAP use Cookie or other third-party similar tracking technologies?
III. Processing based on the legal bases other than “consent”
IV. Why and how does SAP process your Sensitive Personal Information?
V. How does SAP share, transfer or disclose publicly your Personal Information?
VI. How does SAP protect your Personal Information?
VII. How can you exercise your Personal Information protection rights?
VIII. Processing Personal Information of children
IX. Where is your Personal Information stored and how is it transferred cross-border?
X. How is this Privacy Statement updated?
XI. How may you contact SAP?
I. How does SAP Collect and Process Your Personal Information?
The [SAP Service and Asset Manager] may collect and process your Personal Information for the following purposes:
1. Authentication
When you log in on SAP Service and Asset Manager, SAP Service and Asset Manager
collects your unique device identifier, username ID, face ID and/or fingerprint
ID (stored locally in your mobile device), and related password information for
user authentication purposes before permitting you to access the services of SAP Service and Asset Manager. If
you do not provide such information, SAP Service and Asset Manager cannot
authenticate you and without authentication you cannot access the services of SAP
Service and Asset Manager.
2. Geo-location
To use features of SAP Service and Asset Manager related to tracking your
geo-location on SAP Service and Asset
Manager (for instance, to provide driving directions, as well as identify
“nearby” work orders, notifications, and assets that you will be working on),
you have to grant SAP Service and Asset
Manager access to track the geo-location of your mobile device. Geo-location
information may be regarded as sensitive personal information. You can choose
not to grant SAP Service and Asset Manager access to track your geo-location
information, in which case you will not be able to use features of SAP Service
and Asset Manager related to geo-location, but this does not affect your normal
use of the other features of SAP Service and Asset Manager. In addition, you
can withdraw your consent at any time by turning off SAP Service and Asset
Manager’s access to track your geo-location in the settings of your mobile
device. Your geo-location data will not be stored in SAP owned systems, but in
customer owned SAP backend systems and locally in SAP Service and Asset Manager
in your mobile device.
3. Push notification
SAP Service and Asset Manager collects your unique device ID to allow the Cloud Service instance to send you push notifications. If you do not wish to receive push notifications, please contact your Company to disable this function on the Cloud Service instance. The device ID is collected to identify the device in order to allow push notification registration and to allow connected mobile services to send push notifications to the device.
4. Usage Data
SAP Service and Asset Manager may collect the usage data to understand the most
used features and functions of SAP Service and Asset Manager in order to
provide better user experience. Anonymous usage metrics related to app
performance collected by 3 Usage metrics collected using Dynatrace library.
5. Picture taken from camera
Pictures and file attachments are stored in a database on device (for offline
access) and synced to customer’s SAP backend system. Users can attach pictures
to a business object (work order, notification, equipment or functional
location) from the mobile device and save it in SAP backend system. Business
data downloaded and residing on client in offline database, including pictures and
files attached to business objects, are removed when the mobile app is reset or
uninstalled. Business data saved in the backend system resides in customer’s
SAP backend system and its retention period depends on customer’s retention
policy.
6. Files located on device
Users can attach files (.pdf, .txt, etc.) to
a business object (work order, notification, equipment, or functional location)
from the mobile device and save it in SAP backend. File attachments are stored
in a database on device (for offline access) and synced to customer’s SAP
backend system. Business data downloaded and residing on client in offline
database, including pictures and files attached to business objects, are
removed when the mobile app is reset or uninstalled. Business data saved in the
backend system resides in customer’s SAP backend system and its retention
period depends on customer’s retention policy.
7. Device Logs
For debugging purposes. Device log is stored on device and can be uploaded to
SAP Cloud platform mobile services. Locally stored username, device ID and
local client logs are deleted and removed as soon as the app is uninstalled
from the device.
8. Survey IDs
If SAP asks you to participate in a survey, SAP will generate and place a random ID on your device. This ID will be stored on your device as long as you use the SAP Service and Asset Manager; it signals to SAP that your device has already participated in a given survey and/or prevents this device, and therefore you, from being presented with the same survey more than once or at too short intervals. Furthermore, together with the responses to the surveys, SAP will collect certain technical information about your device, such as the device type or its operating system, which will help SAP to interpret your feedback. Please note that neither the IDs nor the technical data allow SAP to identify you or your device. If you do not want to give feedback and/or do not want the above-mentioned technical data to be sent with your survey responses, you can just decline to participate in a survey.
For more detailed description of the types of Personal Information to be collected by SAP, the manner of collection, frequency or timing of collection as well as the impact of refusing to process this type of Personal Information on you, please refer to Appendix I – I. List of Personal Information Collection.
II. How does SAP use Cookie or other third-party tracking technologies?
SAP doesn’t use cookie or third-party tracking
technologies in [SAP Service and Asset Manager] and
usage analytics or profiling functionalities are not integrated in the application.
1. Third-party codes or SDKs
To provide and optimize
products and services, SAP may use third-party software development kits (“SDKs”)
in the [SAP Service and Asset Manager]. The SDKs may collect your
Personal Information when helping SAP provide comprehensive services to you.
SAP will take necessary measures to control the collection and use of your
Personal Information by such SDKs to effectively protect your Personal
Information. Please refer to Appendix III. List of SDKs for the identities
of third parties, the types of SDKs, the types of Personal Information to be
collected by SDKs, the purposes and manners of processing as well as the links
to the third parties’ privacy policies, etc.
III. Processing based on the legal bases other than “consent”
SAP is allowed by applicable laws to process your Personal Information based on several legal bases. You acknowledge that SAP could process your Personal Information based on one of the following legal bases without the need to obtain consent from you:
· the processing is necessary for entering into or performing a contract to which you are a party;
· compliance with legal duties and obligations to which SAP is subject;
· in response to public health incidents or to protect the vital interests of natural persons;
· for news reporting and media supervision for purpose of protecting public interest and within a reasonable scope;
· the processing within a reasonable scope of Personal Information publicized by you or otherwise lawfully made public; or
· other situations provided by applicable laws and regulations.
IV. Why and how does SAP process your Sensitive Personal Information?
Sensitive Personal Information means any Personal Information that once leaked or illegally used, is likely to cause harm to the personal dignity of the relevant natural person or potentially endangers the physical and property safety of the individual, including biometric data, religious belief, special identity, medical/health data, financial account information and location tracking data, etc., and Personal Information of minors under the age of 14.
Sensitive Personal Information is subject to additional protections or restrictions by applicable laws and regulations. SAP will only process your Sensitive Personal Information as allowed by, and in compliance with, the relevant applicable laws and regulations.
For the following specific purposes, we need to process your Sensitive Personal Information, otherwise, these purposes will not be achieved and may affect the rights and interests of yourself or other individuals:
1. Authentication. When you log in on SAP Service and Asset Manager, SAP Service and Asset Manager collects your face ID and/or fingerprint ID (stored locally in your mobile device), and related password information for user authentication purposes before permitting you to access the services of SAP Service and Asset Manager. If you do not provide such information, SAP Service and Asset Manager cannot authenticate you and without authentication you cannot access the services of SAP Service and Asset Manager.
2. Location data – Display user’s current location on the map in order to provide driving directions, as well as identify “nearby” work orders, notifications, and assets that the technician would be working on.
V. How Does SAP provide your Personal Information to third parties and disclose publicly your Personal Information?
(1) Providing your Personal Information to Third Parties
Your Personal Information will be passed on to the following categories of third parties to process your Personal Information:
· Companies within the SAP Group;
· Third party service providers, for example, [for the fulfillment and provisioning of services from SAP].
SAP may engage service providers (“Entrusted Parties”) to process your Personal Information on behalf of SAP. For example, [IT and communication service providers, cloud service providers]. These Entrusted Parties are obligated to keep your Personal Information confidential and may only use your Personal Information for the purposes described in this Privacy Statement. SAP will require the Entrusted Parties to strictly abide by our measures and requirements on Personal Information and privacy protection, including but not limited to processing Personal Information according to the relevant agreement between the Entrusted Party and SAP.
(2) Merger and Acquisition
In the event of a merger and acquisition, division, dissolution or declaration of bankruptcy scenario, involving the transfer of Personal Information, SAP will require the new company or organization holding your Personal Information to observe this Privacy Statement, otherwise SAP will require such company or organization to seek your consent again.
(3) Public Disclosure
SAP will not disclose your Personal Information publicly except:
1. Having obtained your explicit consent.
2. Law-based disclosure: if required by applicable law, legal process, legal orders or in accordance with mandatory requirements of a competent authority, SAP may disclose your Personal Information accordingly.
VI. How does SAP Protect Your Personal Information?
1. SAP has employed security measures complying with industry standards to protect the Personal Information SAP collects via the [SAP Service and Asset Manager], to prevent such Personal Information from unauthorized access, public disclosure, use, modifications, damage or loss. SAP will adopt reasonable measures to protect your Personal Information. For example, SAP has used a trusted protection mechanism to protect such Personal Information from attacks and we deploy an access control mechanism to ensure only authorized persons can access such Personal Information.
2. SAP may adopt reasonable measures to ensure irrelevant Personal Information is not collected. SAP only keeps your Personal Information within the minimum period required for fulfilling the purposes stated in this Privacy Statement, unless an extension is required or permitted by applicable law.
3. SAP has put in place measures to protect your Personal Information from loss, misuse and unauthorized access. SAP will keep your Personal Information secure using reasonable security measures as appropriate, for example, encryption (e.g., SSL) and anonymization. SAP uses the protection mechanisms offered by the mobile operating system inside the application's sandbox environment. Your Personal Information is also protected by application-level encryption based on 256-bit Advanced Encryption Standard (AES) or better method. Further, SAP may make available to your Company certain optional security measures for managing the [SAP Service and Asset Manager] which your Company can deploy at its end, for example, single-sign-on, multi-factor authentication and other mobile device management security features. SAP will continue to improve the technical measures to protect your Personal Information collected by the [SAP Service and Asset Manager].
In the event of a Personal Information security breach, SAP will notify you as required by the applicable laws and regulations. SAP will cooperate with your Company to notify the affected users and handle the event. Personal Information security breaches by the [Cloud Service] are not subject to this Privacy Statement. Personal information security breaches caused by the [Cloud Service] will be handled according to the privacy statement of the [Cloud Service].
VII. How can you exercise your Right to protect Personal Information?
In accordance with applicable laws and regulations, you are guaranteed certain rights to your Personal Information.
With respect to the Personal Information under our control, you may contact SAP at https://support.sap.com/en/contact-us.html should you have any questions or concerns regarding such Personal Information. To the extent SAP has retained such information with an identifier that can be connected to you, you have the following rights.
(1) Accessing or requesting a copy of your Personal Information
You have the right to access or request a copy of your Personal Information under our control, except for the exceptions specified in applicable laws and regulations. If you wish to exercise the right to access or request a copy of your Personal Information, you may contact SAP at https://support.sap.com/en/contact-us.html.
If it does not incur a significant cost or cause other significant difficulties for us, upon your written request, SAP can also provide you with a copy of your Personal Information under our control (if any) that is generated during your use of the [SAP Service and Asset Manager]. If you wish to access such Personal Information, please contact us at https://support.sap.com/en/contact-us.html.
(2) Correcting your Personal Information
As the types of Personal Information that SAP collects are very limited, if you discover errors in your Personal Information under SAP’s control, you have the right to require SAP to make the correction. You may request a correction by contacting SAP at https://support.sap.com/en/contact-us.html.
(3) Deleting your Personal Information
In the following cases, you may send a request to https://support.sap.com/en/contact-us.html to delete your Personal Information under SAP’s control:
1. If SAP’s behavior in processing your Personal Information violates applicable laws or regulations;
2. If SAP’s behavior in processing your Personal Information violates our agreement with you;
3. If you desist from the use of the [SAP Service and Asset Manager], or you cancel the account;
4. If SAP desists from providing the [SAP Service and Asset Manager] to you, or the retention period has expired.
If you request deletion while the retention period provided by any law or administrative rules has not expired, or it is difficult to realize the deletion of Personal Information technically, SAP will cease the processing of Personal Information except for storing and taking necessary security protection measures for such information.
If SAP agrees to your deletion request, SAP will also inform the entities which have obtained such Personal Information from SAP to delete such Personal Information without delay, unless otherwise specified in laws and regulations, or these entities have obtained your separate authorization.
(4) Right to Stop or Restrict
You can request SAP to stop or restrict your Personal Information from further processing in certain circumstances.
(5) Right to Object
You can request not to be subject to a decision based solely on automated processing.
(6) Right to Withdraw Consent
Wherever SAP is processing your Personal Information based on your consent, you may at any time withdraw your consent. After your withdrawal, you can log out of [SAP Service and Asset Manager] at any time. Upon logging out of [SAP Service and Asset Manager], [SAP Service and Asset Manager] will not store or process any of your Personal Information on your mobile device. In case SAP is required to retain your Personal Information for legal reasons, your Personal Information will be restricted from further processing and only retained for the term allowed by law. However, any withdrawal has no effect on past processing of Personal Information by SAP up to the point in time of your withdrawal.
(7) Canceling your Account
Please note that the [SAP Service and Asset Manager] is used to allow you to access and use the [Cloud Service] through your mobile device; you can log out of [SAP Service and Asset Manager] at any time. Upon logging out of [SAP Service and Asset Manager], [SAP Service and Asset Manager] will not store any of your Personal Information on your mobile device. If you request to cancel your account on the Cloud Service, please contact your Company to cancel it, because your Company controls the Cloud Service. Please note that you will not be able to access and use the [Cloud Service] after the cancellation of your account.
(8) Right to Lodge a Complaint
If you take the view that SAP is not processing your Personal Information in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with the competent data protection authority.
(9) Responding to Your Above Requests
Please submit your request in writing. To ensure security, SAP may need to verify your identity before processing your request. SAP will reply to your request within 15 working days after verification of your identity. If you have any concerns, you may contact SAP at https://support.sap.com/en/contact-us.html.
Generally, SAP will not charge fees to process any reasonable request. But if you submit the same request frequently or your request exceeds a reasonable extent, SAP may charge a fee based on our processing costs as SAP may reasonably determine. Where the requests are repeated without good reasons, or require too many technical measures (e.g., a new system is needed or current practice will be changed fundamentally), or put others’ legitimate rights and interests at risk or are very impractical (e.g., require a backup of the Personal Information stored in the tape), SAP reserves the right to reject such requests.
In the following cases, in accordance with applicable laws and regulations, SAP is unable to accommodate your request:
1. Directly related to national security and national defense security;
2. Directly related to public security, public health, and major public interests;
3. Directly related to criminal investigation, prosecution, trial, and enforcement of judgments;
4. There is sufficient evidence indicating that you have subjective malicious intentions or abuse your rights;
5. Responding to your request will cause serious damage to the legitimate rights and interests of the data subject or other individuals or organizations;
6. Involving trade secrets.
VIII. Processing Personal Information of Children
The [SAP Service and Asset Manager] and any related websites, products and services are intended for adults. We consider anyone less than 14 years old a child. You represent and warrant that you are an adult and not a child and you will not transmit Personal Information of any child through the [SAP Service and Asset Manager] without the explicit consent of the child’s parents or guardians. If SAP discovers that SAP has collected Personal Information of children without verifiable consent of their parents or guardians, SAP will find ways to delete such data as soon as possible.
Names and contact details of such overseas recipients, the purposes and manners of processing, and the types of Personal Information to be provided are set out in Appendix II. List of Personal Information recipients.
X. How Is This Privacy Statement Updated?
Our Privacy Statement may be updated from time to time. If the updates to the Privacy Statement may essentially impact the rights you are entitled to under this Privacy Statement, the [SAP Service and Asset Manager] will alert you of these updates through a pop-up notice or other prominent methods and obtain your explicit consent to these updates to the Privacy Statement. Without your explicit consent, SAP will not diminish the rights you are entitled to under this Privacy Statement.
XI. How may you contact SAP?
If you have any question, comment or suggestion relating
to this Privacy Statement, you can contact SAP at https://support.sap.com/en/contact-us.html.
Generally, SAP will strive to reply within 15 working days.
Appendix I: List of Personal Information Collection
Services/Functions (Basic Function/Additional Function) | Manner of collection | Frequency or timing of collection | Type of Collected Personal Information | Impact of refusing to process this type of Personal Information on individuals |
Authentication | When you log in on SAP Service and Asset Manager, SAP Service and Asset Manager collects your unique device identifier, username ID, face ID and/or fingerprint ID (stored locally in your mobile device), and related password information for user authentication purposes. | When you log in on SAP Service and Asset Manager | your unique device identifier, username ID, face ID and/or fingerprint ID (stored locally in your mobile device), and related password information for user authentication purposes | If you do not provide such information, SAP Service and Asset Manager cannot authenticate you and without authentication you cannot access the services of SAP Service and Asset Manager. |
Geo-location | To use features of SAP Service and Asset Manager related to tracking your geo-location on SAP Service and Asset Manager (for instance, to provide driving directions, as well as identify “nearby” work orders, notifications, and assets that you will be working on), you have to grant SAP Service and Asset Manager access to track the geo-location of your mobile device. | When you want to use features of SAP Service and Asset Manager related to tracking your geo-location on SAP Service and Asset Manager. | Geo-location | You can choose not to grant SAP Service and Asset Manager access to track your geo-location information, in which case you will not be able to use features of SAP Service and Asset Manager related to geo-location, but this does not affect your normal use of the other features of SAP Service and Asset Manager. In addition, you can withdraw your consent at any time by turning off SAP Service and Asset Manager’s access to track your geo-location in the settings of your mobile device. Your geo-location data will not be stored in SAP owned systems, but in customer owned SAP backend systems and locally in SAP Service and Asset Manager in your mobile device. |
Push notification | SAP Service and Asset Manager collects your unique device ID for the purpose to allow the Cloud Service instance to send you push notification. | When you receive push notifications | Unique device ID | If you do not wish to receive push notification, please contact your Company to disable such function on the Cloud Service instance. |
Usage Data | SAP Service and Asset Manager may collect the usage data to understand the most used features and functions of SAP Service and Asset Manager in order to provide better user experience. | When you are running SAP Service and Asset Manager | Usage Data | Without this feature, SAP Service and Asset Manager cannot understand the most used features and functions of SAP Service and Asset Manager in order to provide better user experience. |
Picture taken from camera | Pictures and file attachments are stored in a database on device (for offline access) and synced to customer’s SAP backend system. | When Users attach pictures to a business object (work order, notification, equipment, or functional location) from the mobile device and save it in SAP backend system. | Picture taken from camera | Without Access to Pictures, users cannot attach pictures to a business object. |
Files located on device | Users can attach files (.pdf, .txt, etc.) to a business object (work order, notification, equipment, or functional location) from the mobile device and save it in SAP backend. File attachments are stored in a database on device (for offline access) and synced to customer’s SAP backend system. | When Users attach files (.pdf, .txt, etc.) to a business object (work order, notification, equipment, or functional location) from the mobile device and save it in SAP backend. | Files located on device | Without Access to files, users cannot attach files to a business object. |
Device Logs | Device log is stored on device and can be uploaded to SAP Cloud platform mobile services. Locally stored username, device ID and local client logs are deleted and removed as soon as the app is uninstalled from the device. | For debugging purposes | Device Logs | Without Access to Device Logs, the debugging purposes cannot be fulfilled. |
Appendix III – List of SDKs
Name of SDK | Name of third party | Description of scenario | Link to third party’s privacy statement | Type of Personal Information to be collected |
Dynatrace | Dynatrace Company | Dynatrace user monitoring as default in the app will upload anonymous device and app info such as OS (iOS/Android), version, App version, device type etc., as well as some performance metrics, such as time taken for app to load, pages to load in the app etc. | https://www.dynatrace.com/company/trust-center/privacy/ | anonymous device and app info such as OS (iOS/Android), version, App version, device type etc., as well as some performance metrics, such as time taken for app to load, pages to load in the app etc. No information will be uploaded that can be used to identify the user. |
Esri ArcGIS runtime SDK | Esri Company | Our App may share your geo-location with the Esri ArcGIS runtime SDK to show your current location on the map and for routing. This only applies if your Company has purchased an Esri license. Your consent is required for sharing your geo-location with Esri ArcGIS runtime SDK. | https://www.esri.com/en-us/privacy/overview | share your geo-location with the Esri ArcGIS runtime SDK to show your current location on the map and for routing. |
Alchemer Mobile SDK | Alchemer | Alchemer Mobile SDK will be used for surveys and user feedback | https://www.alchemer.com/privacy/ | Anonymous device info |