SAP Retail Execution Mobile App (RE) is not a stand-alone application, but an interface to provide you an access to log into the backend Cloud Service through your mobile device as long as you remain a user authorized by your Company to access the backend Cloud Service. Thus, SAP as data controller will normally only collect your Personal Information (e.g., username ID and related password information) for user authentication purposes in the Mobile App to enable your access to the backend Cloud Service through your mobile device. This Privacy Statement will neither cover the personal information collected or processed by the backend Cloud Service nor cover the personal information processed by SAP as data processor on behalf of data controller.

This Privacy Statement applies to the SAP Retail Execution Mobile App (“RE”) published and operated by SAP SE, Dietmar Hopp Allee 16, 69190 Walldorf, Germany.

This Privacy Statement describes how SAP processes the personal information you provide to SAP and the information that SAP collects or generates in the course of operating the RE. “Personal Information” refers to any information relating to an identified or identifiable natural personal, recorded electronically or in other manners, excluding anonymized information.

Your employer, client company, business, institution, or other providing entity (“your Company”) may have subscribed to any SAP Cloud Service (“Cloud Service”). RE is used to provide you with a channel to log in and use the Cloud Service and allow you to access and use the Cloud Service through your mobile device as long as you remain a user authorized by your Company to access the Cloud Service. RE will not collect and process your Personal Information generated during your use of the Cloud Service.

Regarding how your Personal Information will be collected and processed during your use of the Cloud Service, please carefully read the End User License Agreement (“EULA”)

The use of the Cloud Service will not be subject to the Privacy Statement.

This Privacy Statement will help you understand the following:

I. How does SAP collect and use your Personal Information?

II. How does SAP use Cookie or other third-party similar tracking technologies?

III. Processing based on the legal bases other than “consent”.

IV. Why and how does SAP process your Sensitive Personal Information?

V. How does SAP share, transfer or disclose publicly your Personal Information?

VI. How does SAP protect your Personal Information?

VII. How can you exercise your Personal Information protection rights?

VIII. Processing Personal Information of children.

IX. Where is your Personal Information stored and how is it transferred cross-border?

X. How long does SAP store your Personal Information?

XI. How is this Privacy Statement updated?

XII. How may you contact SAP?

I. HOW DOES SAP COLLECT AND PROCESS YOUR PERSONAL INFORMATION?

RE may collect and process your Personal Information for the following purposes:

· RE Admin email - to help end users reach out to the administrator for help

· RE Admin contact number - to help end users reach out to the administrator for help

· Store address – to display to location address of the store visit

· Store manager email id – to Email the store Admin

· Store manager contact no. – to contact the store Admin

· Field sales executive name – to display the greeting message once the field executive logs in

· Field sales organiser name – to display the name of the sales manager to create the visit

· Field sales executive current location – to plot the current location of the logged in user on here maps. You can choose not to grant access to your geo-location information, in which case you will not be able to use features related to geo-location, but this does not affect your normal use of the other features. In addition, you can withdraw your consent at any time by turning off access to your geo-location in the settings of your mobile device.

· Store geo location – to plot the current location of stores on here maps

· Field sales executive email id – to onboard to the RE application

· Field sales executive photo – to display the profile picture of the sales executive

II. HOW DOES SAP USE COOKIE OR OTHER THIRD-PARTY TRACKING TECHNOLOGIES?

To facilitate your access to the App, we will store a small data file called Cookie on your mobile device. The Cookie usually contains an identifier and some numbers and characters. By using the Cookie, the App can temporarily store your Personal Information such as your log in information. We will not use the Cookie for purposes other than those stated in this Privacy Statement. You may, based on your preferences, manage or delete the Cookie.

Please refer to https://www.sap.com/about/legal/privacy/cookies.html and https://www.aboutcookies.org/ for more information.

III. PROCESSING BASED ON THE LEGAL BASES OTHER THAN “CONSENT”

SAP is allowed by applicable laws to process your Personal Information based on several legal bases. You acknowledge that SAP could process your Personal Information based on one of the following legal bases without the need to obtain consent from you:

· the processing is necessary for entering into or performing a contract to which you are a party;

· compliance with legal duties and obligations to which SAP is subject;

· in response to public health incidents or to protect the vital interests of natural persons;

· for news reporting and media supervision for purpose of protecting public interest and within a reasonable scope;

· the processing within a reasonable scope of Personal Information publicized by you to otherwise lawfully made public; or

· other situations provided by applicable laws and regulations.

IV. WHY AND HOW SAP PROCESSES YOUR SENSITIVE PERSONAL INFORMATION?

Sensitive Personal Information means any Personal Information that once leaked or illegally used, is likely to cause harm to the personal dignity of the relevant natural person or potentially endangers the physical and property safety of the individual, including biometric data, religious belief, special identity, medical/health data, financial account information and location tracking data, etc., and Personal Information of minors under the age of 14.

Sensitive Personal Information is subject to additional protections or restrictions by applicable laws and regulations. SAP will only process your Sensitive Personal Information allowed by and comply with the relevant applicable laws and regulations.

For the following specific purposes, we need to process your Sensitive Personal Information, otherwise, these purposes will not be achieved and may affect the rights and interests of yourself or other individuals.

V. HOW DOES SAP PROVIDE YOUR PERSONAL INFORMATION TO THIRD PARTIES AND DISCLOSE PUBLICLY YOUR PERSONAL INFORMATION?

Providing your Personal Information to Third Parties

Your Personal Information will be passed on to the following categories of third parties to process your Personal Information:

· Companies within the SAP Group;

· Third party service providers, for example, for the fulfillment and provisioning of services from SAP.

· SAP may engage service providers (“Entrusted Parties”) to process your Personal Information on behalf of SAP. For example, IT and communication service providers, cloud service providers, law firms, accountants, auditors, consultants. These Entrusted Parties are obligated to keep your Personal Information confidential and may only use your Personal Information for the purposes described in this Privacy Statement. SAP will require the Entrusted Parties to strictly abide by our measures and requirements on Personal Information and privacy protection, including but not limited to processing Personal Information according to the relevant agreement between the Entrusted Party and SAP.

Merger and Acquisition

In the event of a merger and acquisition, division, dissolution, or declaration of bankruptcy scenario, involving the transfer of Personal Information, SAP will require the new company or organization holding your Personal Information to observe this Privacy Statement, otherwise SAP will require such company or organization to seek your consent again.

Public Disclosure

SAP will not disclose your Personal Information publicly except:

· Having obtained your explicit consent.

· Law-based disclosure: if required by applicable law, legal process, legal orders or in accordance with mandatory requirements of a competent authority, SAP may disclose your Personal Information accordingly.

VI. HOW DOES SAP PROTECT YOUR PERSONAL INFORMATION?

SAP has employed security measures complying with industry standards to protect the Personal Information SAP collects via RE to prevent such Personal Information from unauthorized access, public disclosure, use, modifications, damage, or loss. SAP will adopt reasonable measures to protect your Personal Information. For example, SAP has used a trusted protection mechanism to protect such Personal Information from attacks and we deploy an access control mechanism to ensure only authorized persons can access such Personal Information.

SAP may adopt reasonable measures to ensure irrelevant Personal Information is not collected. SAP only keep your Personal Information within the minimum period required for fulfilling the purposes stated in this Privacy Statement, unless an extension is required or permitted by applicable law.

SAP has put in place measures to protect your Personal Information from loss, misuse, and unauthorized access. SAP will keep your Personal Information secure using reasonable security measures as appropriate, for example, encryption (e.g., SSL) and anonymization. SAP use the protection mechanisms offered by the mobile operating system inside the application's sandbox environment. Your Personal Information is also protected by application-level encryption based on 256-bit Advanced Encryption Standard (AES) or better method. Further, SAP may make available to your Company certain optional security measures for managing RE which your Company can deploy at its end, for example, single-sign-on, multi-factor authentication and other mobile device management security features. SAP will continue to improve the technical measures to protect your Personal Information collected by the RE.

In the event of a Personal Information security breach, SAP will notify you as required by the applicable laws and regulations. SAP will cooperate with your Company to notify the affected users and handle the event. Personal Information security breaches by the Cloud Service are not subject to this Privacy Statement. Personal information security breaches caused by the Cloud Service will be handled according to the privacy statement of the Cloud Service.

VII. HOW CAN YOU EXERCISE YOUR RIGHT TO PROTECT PERSONAL INFORMATION?

In accordance with applicable laws and regulations, you are guaranteed certain rights to your Personal Data. With respect to the Personal Data under our control, you may contact SAP at privacy@sap.com should you have any questions or concerns regarding such Personal Data.

Accessing or requesting a copy of your Personal Data

You have the right to access or request a copy of your Personal Data under our control, except for the exceptions specified in applicable laws and regulations. If you wish to exercise the right to access or request a copy of your Personal Data, you may submit a request as specified in section 5.7. If it does not incur a significant cost or cause other significant difficulties for us, upon your written request, SAP can also provide you with a copy of your Personal Data under our control (if any) that is generated during your use of the SAP SuccessFactors Mobile App.

Correcting your Personal Data

If you discover errors in your Personal Data under SAP’s control, you have the right to request SAP to make the correction. You may request a correction as specified in section 5.7.

Deleting your Personal Data

In the following cases, you may submit a request to delete your Personal Data under SAP’s control as specified in section 5.7, if:

(a) SAP’s processing your Personal Data violates applicable laws or regulations;

(b) SAP’s processing your Personal Data violates this Privacy Statement;

(d) If SAP desists from providing the SAP SuccessFactors Mobile App to you, or the retention period has expired.

If you request for deletion, while the retention period provided by any law or administrative rules has not expired, or it is difficult to realize the deletion of Personal Data technically, SAP will cease the processing of Personal Data except for storing and taking necessary security protection measures for such information.

If SAP agrees to your deletion request, SAP will also inform the entities which has obtained such Personal Data from SAP to delete such Personal Data without delay, unless otherwise specified in laws and regulations, or these entities have obtained your separate authorization.

Right to Stop or Restrict

You can request from SAP to stop or restrict the further processing of your Personal Data in certain circumstances set out in applicable laws. You may submit a request as specified in section 5.7.

Canceling your Account

You can log out of SAP SuccessFactors Mobile App at any time. Upon logging out of SAP SuccessFactors Mobile App, it will not store any of your Personal Data on your mobile device. Your Company controls the Cloud Service. Should you have any questions about how to cancel your account on the Cloud Service, please contact your Company.

Right to lodge a Complaint

If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with competent data protection authority.

Submitting a Request, SAP Data Protection Officer

You can exercise your data protection rights specified in sections 5.1 to 5.4 by sending a request to privacy@sap.com.

Responding to Your Above Requests

Please submit your request in writing. To ensure security, SAP may need to verify your identity before processing your request. SAP will reply to your request within 30 days after verification of your identity. If you have any concerns, you may contact SAP at privacy@sap.com.

Generally, SAP will not charge fees to process any reasonable request. But if you submit the same request frequently or your request exceeds a reasonable extent, SAP may charge a fee based on our processing costs as SAP may reasonably determine. Where the requests are repeated without good reasons, or require too many technical measures (e.g. a new system is needed or current practice will be changed fundamentally), or put others’ legitimate rights and interests at risk or are very impractical (e.g. require a backup of the Personal Data stored in the tape), SAP reserves the right reject such requests.

In the following cases, in accordance with applicable laws and regulations, SAP is unable to accommodate your request:

(e) Directly related to national security and national defense security;

(f) Directly related to public security, public health, and major public interests;

(g) Directly related to criminal investigation, prosecution, trial, and enforcement of judgements;

(h) There is sufficient evidence indicating that you have subjective malicious intentions or abuse your rights;

(i) Responding to your request will cause serious damage to the legitimate rights and interests of the data subject or other individuals or organizations;

(j) Involving trade secrets.

VIII. PROCESSING PERSONAL INFORMATION OF CHILDREN

RE and any related websites, products and services are intended for adults. We consider anyone less than 14 years old a child. You represent and warrant that you are an adult and not a child and you will not transmit Personal Information of any child through RE without the explicit consent of the child’s parents or guardians. If SAP discover that SAP has collected Personal Information of children without verifiable consent of their parents or guardians, SAP will find ways to delete such data as soon as possible.

IX. WHERE IS YOUR PERSONAL INFORMATION STORED AND HOW IS IT TRANSFERRED CROSS-BORDER?

Your Personal Information will be stored within the data center where your tenant is hosted. However, as SAP may provide products or services via servers and resources located worldwide, your Personal Information may be transferred to jurisdictions outside your country. Such jurisdictions may have different data protection laws or have no such laws. However, for your Personal Information under our control, SAP will ensure such Personal Information will have no less protection than under the laws protecting Personal Information in your country.

X. HOW LONG DOES SAP STORE YOUR PERSONAL INFORMATION?

SAP only keeps your Personal Information within the necessary minimum period required for fulfilling the purposes stated in this Privacy Statement, unless an extension is required or permitted by applicable law. Once the retention period expires, personal data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after the expiration of the retention period.

XI. HOW IS THIS PRIVACY STATEMENT UPDATED?

Our Privacy Statement may be updated from time to time. Without your explicit consent, SAP will not diminish the rights you are entitled to under this Privacy Statement. The SAP SuccessFactors Mobile App will alert you through a pop-up notice or other prominent method of any update and obtain your explicit consent to the new version of the Privacy Statement.

XII. HOW MAY YOU CONTACT SAP?

SAP has appointed a Data Protection Officer who can be contacted with any questions relating to the processing of Your Personal Data collected via the SAP SuccessFactors Mobile App at privacy@sap.com. If you have any question, comment or suggestion relating to this Privacy Statement, you can contact SAP Data Protection Officer.