Common use of SAP OBLIGATIONS Clause in Contracts

SAP OBLIGATIONS. 2.1 SAP shall process Personal Data only in accordance with the Data Controller’s instructions submitted by Customer. SAP shall use reasonable commercial efforts to follow and comply with the instructions received from Customer as long as they are legally required and technically feasible and do not require any material modifications to the functionality of the Service or underlying software. SAP shall notify Customer if SAP considers an instruction submitted by Customer to be in violation of the applicable Data Protection Law. SAP shall not be obligated to perform a comprehensive legal examination. If and to the extent SAP is unable to comply with an instruction it shall promptly notify (email permitted) Customer hereof. 2.2 SAP may, upon the instruction of Customer and with Customer’s necessary cooperation, correct, erase and/or block any Personal Data if and to the extent the functionality of the Service does not allow the Customer, its Data Controllers or Authorized Users to do so. In the event that SAP needs to access any of Customer’s systems or Customer’s instance of the Service remotely to execute an instruction or provide technical support, e.g. via application sharing, Customer hereby grants to SAP the permission for such remote access. Further, Customer will name a contact person that – if necessary – can grant to SAP the required access rights. 2.3 For processing Personal Data, SAP and its Subprocessors shall only use personnel who are subject to a binding obligation to observe data secrecy or secrecy of telecommunications, to the extent applicable, pursuant to the applicable Data Protection Law. SAP shall itself and shall require that its Subprocessors regularly train individuals to whom they grant access to Personal Data in data security and data privacy. 2.4 SAP shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Appendix 2 of the Exhibit to keep Personal Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage. Since SAP provides the Service to all customers uniformly via a hosted, web-based application, all appropriate and then current technical and organizational measures apply to SAP’s entire customer base hosted out of the same data center and subscribed to the same Service. Customer understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, SAP is expressly allowed to implement adequate alternative measures as long as the security level of the measures is maintained. In the event of any detrimental change SAP shall provide a notification together with any necessary documentation to Customer by email or publication on a website easily accessible by Customer. 2.5 SAP shall regularly test the measures described in Appendix 2. If a Data Controller believes that additional measures are required under the applicable Data Protection Law Customer shall submit an instruction according to Section 2.1 above. 2.6 SAP shall promptly inform Customer as soon as it becomes aware of serious disruptions of the processing operations, reasonable suspected or actual data protection violations or any Security Breach in connection with the processing of Personal Data which, in each case, may significantly harm the interest of the Data Subjects concerned. 2.7 At Customer’s expense, SAP shall reasonably support Customer or other Data Controllers in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the processing of Personal Data hereunder.

SAP OBLIGATIONS. 2.1 SAP shall process Personal Data only in accordance with the Data Controller’s instructions submitted by Customer. SAP shall use reasonable commercial efforts to follow and comply with the instructions received from Customer as long as they are legally required and technically feasible and do not require any material modifications to the functionality of the Service or underlying software. SAP shall notify Customer if SAP considers an instruction submitted by Customer to be in violation of the applicable Data Protection Law. SAP shall not be obligated to perform a comprehensive legal examination. If and to the extent SAP is unable to comply with an instruction it shall promptly notify (email permitted) Customer hereof. 2.2 SAP may, upon the instruction of Customer and with Customer’s necessary cooperation, correct, erase and/or block any Personal Data if and to the extent the functionality of the Service does not allow the Customer, its Data Controllers or Authorized Named Users to do so. In the event that SAP needs to access any of Customer’s systems or Customer’s instance of the Service remotely to execute an instruction or provide technical support, e.g. via application sharing, Customer hereby grants to SAP the permission for such remote access. Further, Customer will name a contact person that – if necessary – can grant to SAP the required access rights. 2.3 For processing Personal Data, SAP and its Subprocessors shall only use personnel who are subject to a binding obligation to observe data secrecy or secrecy of telecommunications, to the extent applicable, pursuant to the applicable Data Protection Law. SAP shall itself and shall require that its Subprocessors regularly train individuals to whom they grant access to Personal Data in data security and data privacy. 2.4 SAP shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Appendix 2 of the Exhibit to keep Personal Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage. Since SAP provides the Service to all customers uniformly via a hosted, web-based application, all appropriate and then current technical and organizational measures apply to SAP’s entire customer base hosted out of the same data center and subscribed to the same Service. Customer understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, SAP is expressly allowed to implement adequate alternative measures as long as the security level of the measures is maintained. In the event of any detrimental change SAP shall provide a notification together with any necessary documentation to Customer by email or publication on a website easily accessible by Customer. 2.5 SAP shall regularly test the measures described in Appendix 2. If a Data Controller believes that additional measures are required under the applicable Data Protection Law Customer shall submit an instruction according to Section 2.1 above. 2.6 SAP shall promptly inform Customer as soon as it becomes aware of serious disruptions of the processing operations, reasonable suspected or actual data protection violations or any Security Breach in connection with the processing of Personal Data which, in each case, may significantly harm the interest of the Data Subjects concerned. 2.7 At Customer’s expense, SAP shall reasonably support Customer or other Data Controllers in dealing with requests from individual Data Subjects and/or a supervisory authority with respect to the processing of Personal Data hereunder.