This Privacy Statement was updated on October 27th, 2022.

PRIVACY STATEMENT

Protecting the individual's privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate our firm commitment to the individual's right to data protection and privacy. This Privacy Statement outlines how we handle information that can be used to directly or indirectly identify an individual.

A. General Information

Who is the Data Controller?
The data controller for SAP Mobile Start is SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany ("SAP") and its data protection officer can be reached at privacy@sap.com.

What Personal Data does SAP collect?
SAP collects some information about you in the context of your professional activities, consisting of name, username, home or business address, home or business email address, personal or business phone number, usage tracking data, recorded voice, account information ("Personal Data").

Why does SAP need your Personal Data?
SAP requires your Personal Data to:

SAP Mobile Start may process business data as well as launching respective S/4 Fiori Applications, according to the roles assigned to the user

The app also requires the following permissions:

Although providing Personal Data is voluntary, without your Personal Data SAP cannot provide you with access to SAP Mobile Start.

How long will SAP store your Personal Data?
SAP will only store your Personal Data for as long as it is required

SAP will also retain your Personal Data for additional periods if it is required by mandatory law to do so, or where your Personal Data is required for SAP to assert or defend against legal claims. In such cases, SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.

Who are the recipients of your Personal Data and where will it be processed?
As part of a global group of companies operating internationally, SAP has affiliates (the "SAP Group") and third-party service providers outside of the European Economic Area (the "EEA") or from a region with a legal restriction on international data transfers and will transfer your Personal Data to countries outside of the EEA. If these transfers are to a country for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the EEA. You can obtain a copy (redacted to remove commercial or irrelevant) of such standard contractual clauses by sending a request to privacy@sap.com. You can also obtain more information from the European Commission on the international dimension of data protection here: European Commission.

What are your data protection rights?
You can request from SAP: access at any time to information about which Personal Data SAP processes about you and the correction or deletion of such Personal Data.

If SAP uses your Personal Data based on your consent or to perform a contract with you, you can further request from SAP a copy of the Personal Data that you have provided to SAP. In this case, please contact the email address below and specify the information or processing activities to which your request relates, the format in which you would like to receive this information, and whether the Personal Data should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best fulfil it.

Furthermore, you can request from SAP that SAP restricts your Personal Data from any further processing in any of the following events: (i) you state that the Personal Data SAP has about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data, (ii) there is no legal basis for SAP processing your Personal Data and you demand that SAP restricts your Personal Data from further processing, (iii) SAP no longer requires your Personal Data but you state that you require SAP to retain such data in order to claim or exercise legal rights or to defend against third party claims, or (iv) in case you object to the processing of your Personal Data by SAP based on SAP's legitimate interest (as further set out below), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. Kindly note further that if you request that SAP deletes your Personal Data, you will not be able to continue to use any SAP service that requires SAP's use of your Personal Data.

How can you exercise your data protection rights?
Please direct any requests to exercise your rights to privacy@sap.com.

How will SAP verify requests to exercise data protection rights?
SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.
Right to lodge a complaint. If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country where you live or with the data protection authority of the country or state where SAP has its registered seat.

Can you use SAP's services if you are a minor?
In general, SAP Mobile Start is not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use SAP Mobile Start.

B. Processing based on a statutory permission

Why does SAP need to use your Personal Data and on what legal basis is SAP using it?

Processing to fulfil contractual obligation
SAP requires your Personal Data to deliver goods or services you order under a contract SAP has with you, to establish a contract for goods or services between you and SAP, and to send you invoices for ordered goods or services. SAP processes Personal Data to fulfil contractual obligations pursuant to Article 6(1) lit. b Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") or the equivalent article under other national laws, when applicable.

Processing to ensure compliance
SAP and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions, and embargoes issued by these countries, SAP is required to take measures to prevent entities, organisations, and parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through SAP's websites or other delivery channels controlled by SAP. This could include (i) automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to SAP's services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case of a potential match. Any such use of your Personal Data is based on the permission to process Personal Data in order to comply with statutory obligations (Article 6 para. 1 lit. c GDPR or the equivalent articles under other national laws, when applicable) and SAP's legitimate interest (Article 6 para. 1 lit. f GDPR or the equivalent articles under other national laws, when applicable).

Processing based on SAP's legitimate interest
SAP can use your Personal Data based on its legitimate interest (Article 6 para. 1 lit. f GDPR or the equivalent article under other national laws, when applicable).

Right to object
You can at any time object to SAP's use of your Personal Data as set forth in this section by sending an email to privacy@sap.com. In this case, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP's compelling legitimate grounds for continued use of the information, which override your interest in objecting, or if SAP requires the information for the establishment, exercise or defence of legal claims.

Processing under applicable national laws
If the applicable national law allows SAP to do so, SAP will use information about you for a business purpose, some of which is Personal Data

C. Additional Country and Regional Specific Provisions

Colombia-Specific Provisions apply to citizens of the Republic of Colombia.

Where SAP is subject to certain privacy requirements in the Philippines, the following also applies:
For individuals within the Philippines, you may exercise your rights as follows:
You can call or write to SAP to submit a request at:
privacy@sap.com
Phone: +632-8705-2500
Address: SAP Philippines, Inc.
Attn: Data Protection Officer
27F Nac Tower, Taguig City 1632, Philippines

The following provisions apply to residents and citizens of the Philippines:

Russian-Specific Provisions apply to citizens of the Russian Federation.

Where SAP is subject to the requirements of the Protection of Personal Information Act, 2013 ("POPIA") in South Africa, the following also applies:
"Personal Data" as used in this Privacy Statement means Personal Information as such term is defined under POPIA.

"You" and "Your" as used in this Privacy Statement means a natural person or a juristic person as such term is used under POPIA.
Systems Applications Products (South Africa) Proprietary Limited with registered address at 1 Woodmead Drive, Woodmed (SAP South Africa) is subject to South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) and responsible party under the POPIA.

You may request details of personal information which we hold about you under the Promotion of Access to Information Act 2 of 2000 ("PAIA"). For further information please review the SAP PAIA manual, located here.

Should you as an individual or a juristic person believe that SAP South Africa as responsible party has utilized your personal information contrary to POPIA, you undertake to first attempt to resolve any concerns with SAP South Africa.

Phone: 011 325 6000
Address: 1 Woodmead Drive Woodmead Johannesburg South Africa 2148
Email: privacy@sap.com

If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator, using the contact details listed below:
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, P.O. Box 31533, Braamfontein, Johannesburg, 2017
Email: complaints.IR@justice.gov.za

Enquires: inforeg@justice.gov.za

Where SAP is subject to certain privacy requirements in the United States, the following also applies:

U.S. Children's Privacy. SAP does not knowingly collect the Personal Data of children under the age of 13. If you are a parent or guardian and believe SAP collected information about a child, please contact SAP as described in this Privacy Statement. SAP will take steps to delete the information as soon as possible. Given that SAP Mobile Start is not directed to users under 16 years of age and in accordance with the disclosure requirements of the CCPA, SAP does not sell the Personal Data of any minors under 16 years of age.

Where SAP is subject to certain privacy requirements in the United States in the State of California, the following also applies:
You have the right:

In accordance with the disclosure requirements under the California Consumer Privacy Act ("CCPA"), SAP does not and will not sell your Personal Data. In accordance with the verification process set forth in the CCPA, SAP will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorised access or deletion of your Personal Data. If SAP must request additional information from you outside of information that is already maintained by SAP, SAP will only use it to verify your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.

In addition to contacting SAP at privacy@sap.com, you may also exercise your rights as follows:
You can call toll-free to submit a request using the numbers provided here. You can also designate an authorised agent to submit requests to exercise your data protection rights to SAP. Such authorised agent must be registered with the California Secretary of State and submit proof that you have given authorisation for the agent to act on your behalf.

Where SAP is subject to the requirements of the Singapore's Personal Data Protection Act ("PDPA"), the following also applies:
SAP has appointed a Data Protection Officer for Singapore. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to:
Subject: [Attn.] Tina Bhatia, DPO (Singapore)
Email: privacy@sap.com
Address: Mapletree Business City, 30 Pasir Panjang Rd, Singapore 117440
Contact: +65 6664 6868