SAP Customer Data Cloud and Data Protection – What Website Operators Need to Know

If a website operator uses SAP Customer Data Cloud (formerly Gigya) for user registration, login and consent management, it processes customer data (name, e-mail, password hash, profile data, consent status) for the purpose of authentication, identity management and compliance with data protection regulations on the basis of contract performance and legitimate interests. SAP SE, Walldorf, Germany, acts as a processor and is a German company – which fundamentally simplifies the data protection profile compared to US-based providers.

This guide is aimed at website operators who use SAP Customer Data Cloud for Registration-as-a-Service (RaaS), login management and consent/preference management and therefore need a GDPR-compliant privacy policy.

A. Purpose and Function of SAP Customer Data Cloud

SAP Customer Data Cloud (formerly "Gigya" – a company acquired by SAP in 2017) is a Customer Identity and Access Management (CIAM) platform with a focus on:

• Registration-as-a-Service (RaaS): Managed registration and login processes for websites
• Social login: Authentication via social networks (Facebook, Google, LinkedIn, etc.)
• Consent and preference management: Central management and documentation of user consents on data use, marketing, cookies
• Profile data management: Central user database with extensible profile fields
• Progressive profiling: Step-by-step capture of user information across multiple visits

Integration function on the website:

1. Gigya Screen-Sets (UI components): SAP provides ready-made registration and login forms that the website operator embeds on its website (as HTML/CSS/JavaScript)
2. JavaScript SDK: A script is implemented on the website that tracks user interactions and communicates with the SAP servers
3. Consent Vault: A storage for all user consents (timestamp, wording, version number)
4. Social Provider Integration: If required, social network profiles are linked to the local user account

Typical workflow:

• User visits the website
• User clicks "Register" or "Sign in with Google"
• Gigya Screen-Set shows registration form
• User enters name, e-mail, password and agrees to privacy policy
• Gigya stores the profile and the consent status
• User is logged in and can access the website

B. Mandatory Disclosures in the Privacy Policy on SAP CDC

The GDPR requires: purposes (Art. 13(1)(c)), legal bases (Art. 13(1)(a)), categories of recipients (Art. 13(1)(e)), third-country transfers (Art. 13(1)(f), if relevant) and retention period (Art. 13(2)(a)).

Perspective on SAP CDC integration: Many website operators only write "SAP manages user data" about SAP CDC – this is too general. Instead, the following should be transparent:

• What is the registration necessary for (access to website, newsletter, customer account)?
• Which data is collected (name, e-mail, profile fields, consent status)?
• For what purpose (authentication, consent documentation, compliance)?
• On the basis of which legal basis (contract, legitimate interests)?
• Where is the data processed (in the EU, since SAP is German)?

Better: A topic-oriented section "User registration and authentication" with description of all identity management systems.

C. Provider of SAP Customer Data Cloud: SAP SE

Legal name: SAP SE

Address: Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

Country of seat: Germany (European Union)

Privacy Policy: https://www.sap.com/about/legal/privacy.html

DPF status: SAP SE is a German (EU-based) company and is not subject to the Data Privacy Framework (DPF). The DPF only applies to US companies. SAP is directly subject to the EU GDPR without transfer mechanisms, which significantly simplifies the data protection profile.

Data Processing Agreement (DPA): SAP offers a standardised Cloud DPA (Data Processing Addendum). This is available at:

• English: https://www.sap.com/about/legal/privacy.html (link to Cloud Terms and Conditions)
• German: https://www.sap.com/germany/about/legal/privacy.html

The Cloud DPA regulates:

• SAP's role as processor (Art. 28 GDPR)
• Security standards (ISO 27001, BSI C5 for German data centres)
• Support for data subject rights
• Sub-processor management
• EU data storage (without third-country transfers, if EU data centres are chosen)
• Where applicable Standard Contractual Clauses (SCC) for sub-processors outside the EU

The DPA must be signed in order to use SAP CDC in a GDPR-compliant manner.

D. Data Processing by SAP CDC – Workflow

E. Data Collected when Using SAP CDC

When using SAP Customer Data Cloud, the website operator processes the following data types:

• First name and surname
• E-mail address
• Password (one-way encrypted/hashed)
• Date of birth (optional)
• Country/region
• Additional profile fields (depending on configuration by website operator: industry, job title, company, telephone, address)
• Consent status (yes/no for marketing, cookies, privacy policy, etc.)
• Consent timestamp and version number
• IP address (at registration and login)
• User agent and browser information
• Social provider ID (if social login is used)
• Login histories (date/time, successful/failed attempts)
• Session IDs and technical session data

This data can be classified into the following standardised data class types:

• Web server log data: IP address, date/time, browser/OS, user agent
• Device data: Device type, operating system, screen resolution
• Browser information: Browser name, version, installed plug-ins
• User account data: Name, e-mail address, password (hashed), date of birth, address
• User profiles: Industry, job title, company, interests, contact information
• Interaction data: Login histories, session duration, visits to the profile editor

F. Purposes of Use when Using SAP CDC

When using SAP Customer Data Cloud, data is processed for the following purposes:

Primary purposes:

• Function provision: Provision of the registration and login system
• Authentication: Validation of user identity at every login
• Access control: Determination of access authorisation to website functions and protected content
• Account management: Profile editing, password reset, account security
• Compliance and consent management: Documentation and storage of all user consents (GDPR requirement)
• Security: Fraud prevention, detection of unusual login attempts, bot protection
• Contract performance: Performance of any existing customer relationship contract

Secondary purposes (if activated):

• Product improvement: Analysis of registration and login patterns
• Data subject rights: Provision of data exports and management of erasure requests
• Communication: Sending welcome e-mails, password reset links, security notifications

G. Legal Bases for SAP CDC

Step 1: Categorisation of SAP CDC SAP Customer Data Cloud is a processor (Art. 28 GDPR) for the storage and management of user profiles. The website operator is controller and must ensure that:

• A legal basis for the data collection exists
• The DPA with SAP is signed
• A privacy policy informs users about the processing

Step 2: Applicable legal bases

1. Contract performance (Art. 6(1)(b) GDPR) – primary for registration/login:

   • The provision of a user account is typically necessary for the performance of a contract with the user (access to website functions, download of content, etc.)
   • The storage of name, e-mail and password is necessary for authentication
   • This is the strongest legal basis for the core functions

2. Legitimate interests (Art. 6(1)(f) GDPR) – for security and optimisation:

   • The website operator has a legitimate interest in keeping its account system secure (fraud prevention, bot protection)
   • The website operator has a legitimate interest in improving registration and login processes
   • Balancing: These interests outweigh the user's interests, since they are necessary for the protection and improvement of the service

3. Consent (Art. 6(1)(a) GDPR) – optional:

   • Not required for basic functions (registration, authentication)
   • Optional: If the website operator collects additional profile fields (e.g. "Interested in marketing?"), consent may be required

4. Legal obligation (Art. 6(1)(c) GDPR) – for compliance:

   • No direct laws for registration systems, but generally: retention of documents for data subject requests and audit trails

Particularity – Consent Management and Documentation: The purpose of SAP CDC also includes documenting consents (e.g. on marketing, cookies, privacy policy). This documentation is itself a processing and requires a legal basis. Typically:

• Contract performance: If consent is necessary to provide the service
• Legitimate interests: The website operator has an interest in documenting consents (for GDPR compliance and audit trail)

H. Special Features and Notes on SAP CDC

1. SAP is a German company – major advantage SAP SE is based in Walldorf, Germany, and is directly subject to the GDPR. This means:

• No third-country transfers required (in contrast to US providers such as Braze or PayPal)
• No Data Privacy Framework certification necessary (SAP is an EU company)
• Simpler legal structure: No additional transfer mechanism management
• German authority cooperation: Requests from German data protection authorities are easier to handle

This is a significant compliance advantage over US tools.

2. SAP Customer Data Cloud is not SAP SuccessFactors Important distinction:

• SAP Customer Data Cloud (formerly Gigya): For websites – user registration, login, consent management
• SAP SuccessFactors: HR software for employee data – for internal personnel administration This guide focuses on SAP Customer Data Cloud for websites. SuccessFactors is a separate product with different data protection logic.

3. DPA is mandatory You must have a Cloud DPA with SAP. This regulates:

• SAP as processor (Art. 28 GDPR)
• Security standards
• Data centre locations (ideally: EU-exclusive)
• Support for data subject rights Available at SAP Trust Center.

4. Use EU data centre option SAP offers the possibility to store data exclusively in EU data centres (e.g. Germany, Ireland). This is recommended:

• No third-country transfers
• Simpler compliance
• Better performance for EU users Check this when configuring SAP CDC.

5. Consent Vault and audit trail SAP CDC includes a Consent Vault that stores all consents with:

• Date and time
• Wording of consent
• Version number
• IP address This is a GDPR requirement (accountability under Art. 5(2) GDPR) and a major advantage for documentation.

6. Data subject rights and right to be forgotten Users can:

• Request access to their data (Art. 15 GDPR)
• Correct their data (Art. 16 GDPR)
• Delete their account (Art. 17 GDPR – "right to be forgotten")

SAP CDC supports these functions via admin interface. You should have a process to receive and implement requests.

7. Sub-processors and data flows Check the SAP sub-processor list (in the SAP Trust Center):

• Where are backups stored?
• Which cloud infrastructure is used (AWS, Azure, etc.)?
• Which third-party providers (e-mail services, etc.) have access to data?

I. FAQ on SAP Customer Data Cloud

J. Conclusion and Recommendation on SAP CDC

SAP Customer Data Cloud is an EU-compliant, German identity management tool that offers many data protection advantages over US-based alternatives:

• German company (SAP SE) – directly subject to GDPR
• Consent Vault – audit trail for all consents
• EU data centre options – no third-country transfers required
• Support for data subject rights – data export, deletion, change

Tool-specific text templates ("SAP manages data") are too short and do not explain what a registration system does and how it functions in terms of data protection.

Recommendation: Use a topic-oriented structure:

• Section "User registration and authentication" with description of the registration process
• Clear information: "We use SAP Customer Data Cloud, a German identity management system"
• Section "Data subject rights" with info on data export, change, deletion
• Reference to the Consent Vault for consent documentation
• Section "Data security" with info on EU data centres and encryption

Make sure that:

• The Cloud DPA with SAP is signed
• EU data centre is configured (if possible)
• Users can manage their accounts themselves
• A process for data subject requests exists