Data protection law review of SAP's controller processor agreements for cloud and support services (Cloud DPA).
Dr. Thomas Helbing
The companies I advised use cloud and professional support services from SAP, including SuccessFactors. For some clients, these services had already been introduced in the past or a new introduction was pending. In some cases, the services were not purchased directly from SAP, but via a reseller who mirrored the SAP contract clauses and passed them on to the client (reseller/authorized dealer model).
The data protection clauses provided by SAP and, in particular, the controller processor agreement in accordance with Art. 28 GDPR had to be reviewed.
Clients with existing contracts also had to convert in part due to the ECJ's case law in Schrems II and because of the new EU standard contractual clauses (SCC). In the course of the new SCC, SAP replaced its old DPA with new ones, which then also had to be reviewed.
Through my work, I gained experience with the contract construct (partly direct SCCs with subcontractors in third countries) and critical clauses in the contracts as well as with their negotiation.
Contract titles of relevant contracts included "Agreement on Data Processing for SAP Cloud Services" and "Agreement on Data Processing for SAP Maintenance and Professional Services" (translated).
Cloud services included (not exhaustive, the DPA is usually the same):
- SAP SFSF Perform / Reward
- SAP SFSF Recruiting Execution
- SAP SFSF Onboarding
- SAP SFSF Succession & Career Development
- SAP SFSF Learning
SAP Customer Experience Solutions
- SAP Sales & Service Core
- SAP Field Service Management
- SAP Service and Asset Manager
- SAP Integration Suite