Privacy Statement for the SAP Global Certification Program

This Privacy Statement was updated on March 1st, 2021.
Click here for a printable version of this Privacy Statement.

SAP Global Certification Privacy Statement

Protecting the individual's privacy is crucial to the future of our business. We have created this Privacy Statement
to demonstrate our firm commitment to the individual`s right to data protection and privacy. This Privacy Statement
outlines how we handle information that can be used to directly or indirectly identify an individual.

A. General Information

Who is the Data Controller? The data controller of SAP Global Certification Program offerings (the
"Service") is SAP SE, Dietmar-Hopp-Allee 16, 69190 Walldorf ('SAP') and its data protection officer can be reached
at privacy@sap.com.

This Privacy Statement applies where SAP acts as controller of any personal data in connection with its Service. This is
the case, where:

  • You use an activation code (e.g. provided by your employer) to register yourself with the Service;
  • You buy a Service subscription for yourself;
  • SAP uses Personal Data for the purposes of conducting license audits, tracks users or anonymizes Personal Data
    for the purposes of improving the Service notwithstanding it is acting in the provisioning of the Service
    otherwise as a data processor (see next paragraph).

Apart from the last bullet point above, this Privacy Statement does not apply whenever users are receiving their
log-on details for the Service from someone else than SAP. In this case, SAP is not acting as a controller but as a
processor.

What Personal Data does SAP collect? If you register for SAP Global Certification Program offerings,
SAP will collect the information you provide to SAP, which consists of your name, (email) address, SAP user ID (if
applicable), company name, certification code, certification exam results, date of the exam, certification attempts,
and your then created username and password) ("Personal Data").

Why SAP needs your Personal Data? SAP requires your Personal Data to:
provide you with access to the Service; to deliver the ordered goods or services; comply with statutory obligations,
including checks required by applicable export laws.
Although providing Personal Data is voluntary, without your Personal Data, SAP cannot provide you with access to the
Service.

How long will SAP store my Personal Data? SAP will only store your Personal Data for as long as it
is required

  • to make the Service available to you.
  • for SAP to comply with its statutory obligations resulting from applicable export laws.
  • to fulfill the purposes outlined in this Privacy Statement.

SAP will also retain your Personal Data for additional periods if it is required by mandatory law to retain your
Personal Data longer or where your Personal Data is required for SAP to assert or defend against legal claims, SAP
will retain your Personal Data until the end of the relevant retention period or until the claims in question have
been settled.

Who are the recipients of my Personal Data and where will it be processed? Your Personal Data will
be passed on to the following categories of third parties to process your Personal Data:

  • companies within the SAP Group; and
  • third party service providers.

As part of a global group of companies operating internationally, SAP has affiliates (the " href="https://www.sap.com/dam/site/corporate/legal/sap-legal-entities.pdf" target="_blank">SAP Group") and
third-party service providers outside of the European Economic Area (the "EEA") and will transfer your Personal Data
to countries outside of the EEA. If these transfers are to a country for which the EU Commission has not issued an
adequacy decision, SAP uses the EU standard contractual clauses to contractually require that your Personal Data
receives a level of data protection consistent with the EEA. You can obtain a copy (redacted to remove commercial or
irrelevant) of such standard contractual clauses by sending a request to href="mailto:privacy@sap.com">privacy@sap.com. You can also obtain more information from the European
Commission on the international dimension of data protection here: href="https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_fr"
target="_blank">European Commission.

What are your data protection rights? You can request from SAP: access at any time to
information about which Personal Data SAP processes about you and the correction or deletion of such Personal Data.
Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or
prevailing right of SAP to retain it. Kindly note further that if you request that SAP deletes your Personal, you
will not be able to continue to use any SAP service that requires SAP´s use of your Personal Data which includes the
possibility to verify your status as being certified.

If SAP uses your Personal Data based on your consent or to perform a contract with you, you can further request from
SAP a copy of the Personal Data that you have provided to SAP. In this case, please contact the email address below
and specify the information or processing activities to which your request relates, the format in which you would
like to receive this information, and whether the Personal Data is to be sent to you or another recipient. SAP will
carefully consider your request and discuss with you how it can best fulfill it.

Furthermore, you can request from SAP that SAP restricts your Personal Data from any further processing in any of the
following events: (i) you state that the Personal Data SAP has about you is incorrect, subject to the time SAP
requires to check the accuracy of the relevant Personal Data), (ii) there is no legal basis for SAP processing your
Personal Data and you demand that SAP restricts your Personal Data from further processing, (iii) SAP no longer
requires your Personal Data but you state that you require SAP to retain such data in order to claim or exercise
legal rights or to defend against third party claims or (iv) in case you object to the processing of your Personal
Data by SAP based on SAP's legitimate interest (as further set out below) subject to the time for as long as it is
required to review as to whether SAP has a prevailing interest or legal obligation in processing your Personal Data.

Please direct any such request to elearning@sap.com.

How will SAP verify requests to exercise data protection rights? SAP will take steps to ensure that
it verifies your identity to a reasonable degree of certainty before it will process the data protection right you
want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise
your rights with information already maintained by SAP. This could include matching two or more data points you
provide when you submit a request with two or more data points that are already maintained by SAP.

In accordance with the verification process set forth in the California Consumer Privacy Act ("CCPA"), SAP will
require a more stringent verification process for deletion requests, or for Personal Data that is considered
sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your
Personal Data. If SAP must request additional information from you outside of information that is already maintained
by SAP, SAP will only use it to verify your identity so you can exercise your data protection rights, or for
security and fraud-prevention purposes.

SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise
required by local law.

Right to lodge a complaint. If you take the view that SAP is not processing your Personal Data in accordance with the
requirements in this Privacy Statement or under applicable data protection laws, you can at any time lodge a
complaint with the data protection authority of the EEA country where you live or with the data protection authority
of the country or state in which SAP has its registered seat.

How will SAP verify requests to exercise data protection rights? SAP will take steps to ensure that
it verifies your identity to a reasonable degree of certainty before it will process the data protection right you
want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise
your rights with information already maintained by SAP. This could include matching two or more data points you
provide when you submit a request with two or more data points that are already maintained by SAP.

In accordance with the verification process set forth in the California Consumer Privacy Act ("CCPA"), SAP will
require a more stringent verification process for deletion requests, or for Personal Data that is considered
sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your
Personal Data. If SAP must request additional information from you outside of information that is already maintained
by SAP, SAP will only use it to verify your identity so you can exercise your data protection rights, or for
security and fraud-prevention purposes.

SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise
required by local law.

Right to lodge a complaint. If you take the view that SAP is not processing your Personal Data in accordance with the
requirements in this Privacy Statement or under applicable data protection laws, you can at any time lodge a
complaint with the data protection authority of the EEA country where you live or with the data protection authority
of the country or state where SAP has its registered seat.

Can I use SAP's services if I am a minor? Children. In general, this Service is not directed to
users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16
or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use this Service.

U.S. Children's Privacy. SAP does not knowingly collect the Personal Data of children under the age
of 13. If you are a parent or guardian and believe SAP collected information about a child, please contact SAP as
described in this Privacy Statement. SAP will take steps to delete the information as soon as possible. Given that
SAP Global Certification Program offerings are not directed to users under 16 years of age and in accordance with
the disclosure requirements of the CCPA, SAP does not sell the Personal Data of any minors under 16 years of age.

Links to other websites. This website may contain links to foreign (meaning non-SAP Group companies)
websites. SAP is not responsible for the privacy practices or the content of websites outside the SAP Group of
companies. Therefore, we recommend that you carefully read the privacy statements of such foreign sites.

B. Processing based on a statutory permission

Why does SAP need to use my Personal Data and on what legal basis is SAP using it?

In the following cases, SAP is permitted to process your Personal Data under the applicable data protection law.

Processing to fulfill contractual obligation. If you register for the Service using an activation code or if
you purchase a Service subscription for yourself, SAP requires your Personal Data to deliver goods or services you
order under a contract SAP has with you, to establish a contract for goods or services between you and SAP, and to
send you invoices for ordered goods or services. SAP will use your Personal Data to (i) contact you after completion
of a certification via email or other communication methods in order to inform you about the results, or to send you
exam reminders, or (ii) to follow up with you when you contact SAP about the Service, (e.g. when you claim digital
badges). This information may be passed on to your employer you are assigned to at the time of inquiry or an
affiliated entity or an authorized representative designated by your employer. SAP processes Personal Data to
fulfill contractual obligations pursuant to Article 6 (1) lit. b GDPR or the equivalent article under other national
laws, when applicable.

Processing to ensure compliance. SAP and its products, technologies, and services are subject to the export
laws, of various countries including, without limitation, those of the European Union ("EU") and its member states,
and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions,
and embargos issued by these countries, SAP is required to take measures to prevent entities, organizations, and
parties listed on government-issued sanctioned party lists from accessing certain products, technologies, and
services through SAP's websites or other delivery channels controlled by SAP. This could include (i) automated
checks of any user registration data as set out herein and other information a user provides about his or her
identity against applicable sanctioned-party lists; (ii) regular repetition of such checks whenever a
sanctioned-party list is updated or when a user updates his or her information; (iii) blocking of access to SAP's
services and systems in case of a potential match; and (iv) contacting a user to confirm his or her identity in case
of a potential match. Any such use of your Personal Data is based on the permission to process Personal Data in
order to comply with statutory obligations (Article 6 para. 1 lit. c GDPR) and SAP‘s legitimate interest (Article 6
para. 1 lit. f GDPR) or the equivalent articles under other national laws, when applicable.

Processing based on SAP's legitimate interest.
SAP can use your Personal Data based on its legitimate interest (Article 6 para. 1 lit. f GDPR) or the equivalent
article under other national laws, when applicable as follows:

  • Fraud and Legal Claims. If required, SAP will use your Personal Data for the purposes of
    preventing or prosecuting criminal activities such as fraud and to assert or defend against legal claims.
  • Questionnaires and survey. SAP could invite you to participate in questionnaires and surveys.
    These questionnaires and surveys will be generally designed in a way that they can be answered without any data
    that can be used to identify you. If you nonetheless enter such data in a questionnaire or survey, SAP will use
    this personal data to improve its products and services.
  • Contract Performance. If you purchase or intend to purchase goods or services from SAP on
    behalf of a corporate customer or otherwise be the nominated contact person for the business relationship
    between a corporate customer (a "Customer Contact") and SAP, SAP will use your Personal Data for this purpose.
    This includes, for the avoidance of doubt, such steps which are required for establishing the relevant business
    relationship. In case that an existing Customer Contact informs SAP that you are his replacement, SAP will, from
    the point in time of such notification, consider you to be the relevant Customer Contact for the respective
    customer until you object as further set out below.
  • Creation of anonymized data sets. SAP will anonymize Personal Data provided under this Privacy
    Statement to create anonymized data sets, which will then be used to improve its and its affiliates' products
    and services. These anonymous data sets and information may be provided to your employer for reporting purposes.
  • Personalized Newsletter. If you opt-in to receive marketing communications such as newsletters
    from SAP, SAP will collect and store details of how you interact with the newsletters to help create, develop,
    operate, deliver and improve our newsletter communications with you. This information is aggregated and used to
    help SAP provide more useful information and to understand what is of most interest.
  • Recordings for quality improvement purposes. In case of telephone calls or chat sessions, SAP
    will record such calls (after informing you accordingly during that call and before the recording starts) or
    chat sessions in order to improve the quality of SAP's services.
  • To keep you up-to-date or request feedback. Within an existing business relationship between
    you and SAP, SAP might inform you, where permitted in accordance with local laws, about its products or services
    (including webinars, seminars or events) which are similar or relate to such products and services you have
    already purchased or used from SAP. Furthermore, where you have attended a webinar, seminar or event of SAP or
    purchased products or services from SAP, SAP might contact you for feedback regarding the improvement of the
    relevant webinar, seminar, event, product or service.

You can at any time object to SAP`s use of your Personal Data as set forth in this section by sending an email to href="mailto:learning@sap.com">learning@sap.com. In this case, SAP will carefully review your objection and
cease further use of the relevant information, subject to SAP's compelling legitimate grounds for continued use of
the information, which override your interest in objecting, or if SAP requires the information for the
establishment, exercise or defense of legal claims.

C. Processing based on consent

In the following cases SAP will process your Personal Data if you granted prior consent to the specific proposed
processing of your Personal Data (Article 6 para. 1 lit. a GDPR) or the equivalent article under other national
laws, when applicable.

Global Marketing. In the following cases, SAP will process your Personal Data if you granted prior consent to
the specific proposed processing of your Personal Data (Article 6 (1) lit. a GDPR). Each below section about a
processing operation of Personal Data is linked to one consent statement in the Consent Resource Center. If you
re-open this Privacy Statement after you initially grant one or more consents, you will see the full Privacy
Statement and not just information on the consents you granted.

News about SAP's Products and Services. Subject to a respective provision and your consent, SAP may use your name,
email and postal address, telephone number, job title and basic information about your employer (name, address, and
industry) as well as an interaction profile based on prior interactions with SAP (prior purchases, participation in
webinars, seminars, or events or the use of (web) services) - further details on this topic can be found in the
Cookie Statement displayed on the relevant SAP website - in order to keep you up to date on the latest product
announcements, software updates, software upgrades, special offers, and other information about SAP's software and
services (including marketing-related newsletters) as well as events of SAP and in order to display relevant content
on SAP's websites. In connection with these marketing-related activities, SAP may provide a hashed user ID to third
party operated social networks or other web offerings (such as Twitter, LinkedIn, Facebook, Instagram or Google)
where this information is then matched against the social networks' data or the web offerings' own data bases in
order to display to you more relevant information.

Creating user profiles. SAP offers you the option to use its web offerings including forums, blogs, and
networks (such as the SAP Community) linked to this website that require you to register and create a user profile.
User profiles provide the option to display personal information about you to other users, including but not limited
to your name, photo, social media accounts, postal or email address, or both, telephone number, personal interests,
skills, and basic information about your company.

These profiles may relate to a single web offering of SAP or, if created in the SAP Cloud Platform Identity
Authentication Service, may also allow you to access other web offerings of SAP or of other entities of the SAP
Group, or both (irrespective of any consent granted under the section "Forwarding your Personal Data to other SAP
companies." below). It is, however, always your choice which of these additional web offerings you use and your
Personal Data is only forwarded to them once you initially access them. Kindly note that without your consent for
SAP to create such user profiles SAP will not be in a position to offer such services to you where your consent is a
statutory requirement that SAP can provide these services to you.

Within any web offering, beyond the mere provision of access your profile is used to personalize interaction with
other users (for example, by way of messaging or follow functionality) and by SAP to foster the quality of
communication and collaboration through such offerings and for SAP to provide gamification elements (gamification is
the process of taking something that already exists, such as a website, an enterprise application, or an online
community, and integrating game mechanics into it to motivate participation, engagement, and loyalty). To the
greatest extent supported by the relevant web offering, you can use the functionality of the relevant web offering
to determine which information you want to share.

Special categories of Personal Data. In connection with the registration for and provision of access to an
event or seminar, SAP may ask for information about your health for the purpose of identifying and being considerate
of individuals who have disabilities or special dietary requirements throughout the event. Any such use of
information is based on the consent you grant hereunder.

Kindly note that if you do not provide any such information about disabilities or special dietary requirements, SAP
will not be able to take any respective precautions.

Event profiling. If you register for an event, seminar, or webinar of SAP, SAP may share basic participant
information (your name, company, and email address) with other participants of the same event, seminar, or webinar
for the purpose of communication and the exchange of ideas. Forwarding your Personal Data to other SAP companies.
SAP may transfer your Personal Data to other entities in the SAP Group. The current list of SAP Group entities can
be found here: SAP
Group
. In such cases, these entities will then use the Personal Data for the same purposes and under the
same conditions as outlined in this Section C. above.

Forwarding your Personal Data to other third Parties. At your request, as indicated by your consent, SAP will
transfer your registration data to the companies listed on the registration page. The companies will use your
registration data for the purposes of their participation in the event and are obliged to delete the data
thereafter. If a company intends to use your data for any other purposes, they will contact you to explain how and
for which other purposes they will use your registration data.

Revocation of a consent granted hereunder. You may at any time withdraw a consent granted hereunder by
unsubscribing at target="_blank">https://training.sap.com/consent-management. In case of withdrawal, SAP will not process
Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain
your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained
for the term required by law. However, any withdrawal has no effect on past processing of personal data by SAP up to
the point in time of your withdrawal. Furthermore, if your use of an SAP offering requires your prior consent, SAP
will not be (any longer) able to provide the relevant service (or services, if you revoke the consent for SAP to use
your profile under the SAP Cloud Platform Identity Authentication Service for multiple SAP offerings), offer or
event to you after your revocation.