Privacy Statement
Effective Date: 1st July, 2026
Welcome!
Protecting the individual’s privacy is crucial to the future of business. We have created this privacy statement to demonstrate our firm commitment to the individual’s right to data protection and privacy. It outlines how we handle information that can directly or indirectly identify an individual (“personal data”).
Respecting your time and with the goal of providing you with the quickest possible access to the relevant passages of the privacy statement, we offer you the following summary:
Summary
The privacy statement aims to explain what personal data is processed by SAP Emarsys, who uses your personal data, for what purpose, for how long, and explains what rights you have in this context.
Who collects and processes your personal data? SAP Emarsys does, in the form of the respective legal entity, being either Emarsys eMarekting Systems GmbH in Vienna, Austria or any other member of the global SAP Group. The emarsys.com Privacy Statement describes in detail which processing activities of which SAP Group members apply.
SAP Emarsys is processing information including personal data about the users of emarsys.com using cookies or similar technologies for the purposes set out in the Cookie Statement. You will find further information and have the option to exercise your preferences by clicking on the Cookie Preferences link in the footer of this page.
What personal data does SAP Emarsys collect?
SAP Emarsys may collect various types of personal data about you when conducting its business, including:
- Personal contact data,
- Personal data related to your or your employer’s business relationship with SAP Emarsys,
- Personal data SAP Emarsys must collect due to legal- and compliance-related purposes,
- Personal usage, registration, and participation data which SAP Emarsys may generate through your use of its web and online offerings,
- Special categories of personal data,
- Application-related personal data,
- Personal data which SAP Emarsys may receive from third parties,
- Personal data SAP Emarsys requires to ensure your or your employer’s satisfaction with our products, services, and offerings.
For what purpose(s) does SAP Emarsys collect personal data?
SAP Emarsys processes your personal data to:
- Pursue its business relationships with you, your employer, or your employer’s customers, including ensuring your satisfaction with and keeping you up to date on the latest news about our products and services,
- Develop and offer you its software products, cloud, and other services,
- Protect the quality and safety of its premises, facilities, products, or services,
- Secure and, if necessary, defend its protected legal assets against unlawful attacks, assert our rights or defend SAP against legal claims,
- Ensure compliance with statutory laws and regulations applicable to SAP Emarsys,
- Operate SAP Emarsys’ internet pages, web offerings, or other online events including analysing the behaviour of the users, enabling you to create a user profile, benefit from an identity service and to promote and continuously improve your user experience,
- Search you as a potential talent for SAP Emarsys,
- Transfer it to recipients like other members of the SAP Group, third-party service providers, SAP partners and others.
If you want to learn more about each of these purposes for which SAP Emarsys may collect, transfer, and use your personal data, including for how long your data is being retained and specific to the General Data Protection Regulation (GDPR), the legal ground on which SAP Emarsys is pursuing them, please refer to the full privacy statement below.
What are your data protection rights?
You have the right to request from SAP Emarsys access to, correction of, and/or the return or the deletion of your personal data. You may request from SAP Emarsys to restrict the access to your personal data or to exclude it from further processing. You may revoke a once given consent or object to processing activities which SAP Emarsys may intend to pursue in a given case. When you believe that SAP Emarsys was processing your personal data not in accordance with this privacy statement or under breach of applicable data protection laws, you have the right to lodge a complaint with a relevant supervisory authority. The emarsys.com Privacy Statement describes each of these rights in detail, including how you can reach us to exercise any of these rights against SAP Emarsys and how to identify, if necessary, the relevant data protection authority.
In the final section below, SAP Emarsys addresses several country-specific aspects that must be explained in a privacy statement under relevant country laws. The country-specific requirements include but are not limited to those from the EU and EEA, Australia, Canada, Singapore, and the United States of America.
SAP Emarsys Privacy Statement
(for details on each section, expand/contract the text by using the “+/-” icons)
This privacy statement applies to the collection and processing of personal data:
- during the central operation of this website and other globally operated business activities by
- Emarsys eMarketing Systems GmbH, Lassallestraße 7b, 1020 Vienna, Austria if you are in a member state of the EU or the EWR or in any of the countries of Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, Switzerland, or the United Kingdom
- Emarsys North America, Inc., 10 W. Market Street, Suite 1350, Indianapolis, IN 46204, Indiana, United States if you are in any other country,
- a specific SAP Group Entity as may be stated in the Additional Country and Regional Specific Provisions at the end of this privacy statement.
- in the context of a pre-contractual or contractual business relationship with you or your employer by a local SAP Group Entity.
- in the context of a registration form when a specific SAP Group Entity is directly collecting personal data for the purpose of registering to a service or event and is therefore presented as the relevant controller on this registration page or website by referencing to this privacy statement.
Emarsys eMarketing Systems GmbH , Emarsys North America, Inc., and each relevant SAP Group Entity are, depending on the given case, hereinafter referred to as “SAP” or “SAP Emarsys”.
This privacy statement does not apply to SAP internet-pages or web-services which present their own privacy statement.
Depending on the applicable law there must be a justification for processing of personal data, which is sometimes referred to as legal basis. Here are details on both the purpose of processing and the legal basis for doing so.
SAP Emarsys’ compliance with statutory obligations
- SAP Emarsys processes your personal data for the purpose of ensuring an adequate level of technical and organisational security of SAP Emarsys’ products, services, online events, facilities, and premises. For this, SAP Emarsys will take the measures necessary to verify or maintain the quality and safety of a product or service which is owned, manufactured by or for, or controlled by SAP Emarsys. This may comprise the use of personal data for sufficient identification and authorisation of designated users, internal quality control through auditing, analysis, and research, debugging to identify and repair errors that impair existing or intended functionality, account and network security, replication for loss prevention, detecting security incidents, protection against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such kind of activity. We may further process your name, likeness, and other contact or compliance related data when you visit a local SAP affiliate or lab in the context of access manage
ment and video surveillance to protect the security and safety of our locations and assets. SAP Emarsys may process personal data to create anonymized data sets which may then be used to safeguard and protect SAP Emarsys systems including data, equipment, facilities and networks. - SAP Emarsys processes Personal Data (name, surname, country, IP address) to the extent necessary to fulfil sanctions and embargo requirements under European Economic Area (“EEA”) laws to which SAP Emarsys is subject, and laws and regulations extraterritorial to the EEA (based on SAP’s legitimate interest).
- If necessary, SAP Emarsys uses personal data to prevent or prosecute criminal activities such as any form of cybercrime, the illegal use of our products and services or fraud, to assert our rights or defend SAP Emarsys against legal claims.
- To comply with data protection and unfair competition law related requirements. Depending on the country in which the relevant SAP Group company operates, and whether you have expressly consented to or opted out of receiving commercial information, SAP Emarsys may process personal data necessary to accommodate your data protection and privacy choices for the receipt of such information and, when necessary to ensure compliance, exchange such information with the other entities of the SAP Group.
- When ensuring compliance, SAP Emarsys processes your personal data if and to the extent necessary to fulfil legal requirements under European Union or EU Member State law to which SAP Emarsys is subject, and laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations).
SAP Emarsys’ Web Services
SAP Emarsys processes personal data for the purpose of operating, providing to you and administering your use of SAP Emarsys’ internet pages, web offerings, or other online events. This may include, without limitation:
- To provide web services and functions, create and administer your online account, update, secure, troubleshoot the service, provide support, improve, and develop the web services and/or answer and fulfil your requests or instructions.
- To process information that relates to your visit to our web offerings to improve your user experience, identify your individual demand and to personalise the way we provide you with the information you are looking for. For this purpose, we collect information regardless of whether you register with a user profile or not.
- To share basic participant information (your name, company, and email address) with other participants of the same event, seminar, or webinar to promote interaction between the participants and to stimulate the communication and the exchange of ideas.
- To manage and ensure the security of our web services and prevent and detect security threats, fraud or other criminal or malicious activities and as reasonably necessary to enforce the web services terms, to establish or preserve a legal claim or defence, to prevent fraud or other illegal activities, including attacks on our information technology systems.
When operating SAP Emarsys’ web services, SAP Emarsys processes your personal data if and to the extent,
- SAP Emarsys obtained your consent, if required by law, to process your personal data for this purpose,
- necessary to fulfil (pre-) contractual obligations with you,
- necessary to fulfil legal requirements applicable to SAP Emarsys,
- necessary to pursue SAP Emarsys’ legitimate interest to efficiently perform or manage SAP’s web services and business operation and assert or defend itself against legal claims.
We believe that SAP Emarsys’ interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain processing for such purpose. In any of these cases, we duly factor into our balancing test: the business purpose reasonably pursued by SAP Emarsys in the given case, the categories, amount and sensitivity of personal data that is necessarily being processed, the level of protection of your personal data which is ensured by means of our general data protection policies, guidelines, and processes, and the rights you have in relation to the processing activity.
SAP Emarsys’ business relationships
SAP Emarsys processes personal data to pursue its business relationships with customers, partners, and other users to fulfil pre-contractual and contractual business relations. This may include satisfying requests, processing orders, delivering an ordered product or service, or engaging in any other relevant action to establish, fulfil and maintain our business relationships, including:
- Products and services: This may include any of SAP Emarsys’ on premise and cloud software products, web services, apps, online forums, webinars and events, non-marketing related newsletters, white papers, tutorials, trainings, as well as other offerings like contests or sweepstakes. When you purchase or intend to purchase products or services from SAP Emarsys on behalf of a corporate customer or are otherwise associated as contact person for the business relationship between SAP Emarsys and a corporate customer or partner (“Customer Contact”), SAP Emarsys will use your personal data for this purpose. More specifically, SAP Emarsys may use your personal data to confirm your opening of an account, manage the contract execution, send you disclosures as may be required by law, notice of payments, and other information about our products and services. SAP Emarsys may respond to related inquiries, provide you with necessary support and process your feedback. In the context of your or your employers use of our products or services, SAP Emarsys may communicate with you by post, email, live chat, contact forms, phone or any other medium to resolve your, a user’s, or a customer’s question or complaint or to investigate suspicious transactions. In case of telephone calls or chat sessions, SAP Emarsys may record such calls or chat sessions to improve the quality of SAP Emarsys’ services after informing you accordingly during that call and, subject to applicable law, receiving your prior consent before the recording begins.
- Customer Satisfaction: Within an existing business relationship between you or your employer and SAP Emarsys, SAP Emarsys processes your personal data to help us understand how satisfied you are with the functionality and quality of our products and services, to provide you with relevant information on our latest product announcements, software updates or upgrades, events, special offers, and other information about SAP Emarsys’ software and services that is relevant and useful to you.
- To keep you up to date: Within an existing business relationship between you or your employer and SAP Emarsys, SAP Emarsys processes your personal data to inform you about SAP events, products or services which are similar or relate to products and services you or your employer have already purchased or used. SAP Emarsys will inform you by postal mail, email, phone or other electronic means about such news if SAP Emarsys has collected such information in the context of the business relationship or has obtained this information from a publicly available source as far as it is allowed by law, or you have consented. You are entitled to object to SAP Emarsys’ use for this purpose at any time by selecting the opt-out option at the bottom of each marketing-related communication.
- Feedback requests and surveys: To the extent allowed by applicable law, SAP Emarsys may contact you for feedback regarding the improvement of the relevant material, product, or service. SAP Emarsys may also invite you to participate in questionnaires and surveys. These will generally be designed so you can participate without having to provide information that identifies you as a participant. If you nonetheless provide your personal data, SAP Emarsys will use it for the purpose stated in the questionnaire or survey or to improve its products and services.
- To get in touch with you: To establish new business relationships between SAP Emarsys and you or your employer, SAP Emarsys processes your personal data to inform you about SAP Emarsys events, products or services that have a substantive or material connection to your role or function in your organisation. We may also contact you to discuss further your interest in SAP Emarsys’ products or services. SAP Emarsys will contact you by postal mail, email, phone or other electronic means if you have either consented to such use, or if SAP Emarsys has obtained your personal data from a publicly available source as allowed by law or to address you for further consent. You are entitled to object to SAP Emarsys’ use for this purpose at any time by selecting the opt-out option at the bottom of each marketing-related communication.
- Personalised Content: SAP Emarsys processes information about your interactions with SAP Emarsys across its various business areas and its offerings (your or your employers prior and current use of SAP Emarsys products or services, your participation in and use of SAP Emarsys’ web offerings, events, white papers, free trials or newsletters) to provide you with the requested products and services and to improve our personal communications with you. This data may also be used to efficiently operate SAP Emarsys’ business, which also includes: the automation and aggregation of data to support various analytic and statistical efforts, performance and predictive analytics and exploratory data science to support your customer journey and to fulfil such requests. To the extent permitted by law, SAP Emarsys may combine and use such information in an aggregated manner to help us understand your interests and business demands, develop our business insight and marketing strategies, and to create, develop, deliver, and improve our personalised communications with you. It may also be used by SAP Emarsys to display relevant content on SAP Emarsys owned or third-party websites.
- Advertising IDs: Provided your consent or to the extent permitted by applicable law, SAP Emarsys may create a hashed user ID to provide to third-party operated social networks or other web offerings (such as LinkedIn, Facebook, Instagram, Reddit, Microsoft or Google). This information is then matched against the third-party’s own user database to display to you more relevant SAP Emarsys content.
When pursuing its business relationships, including engaging in direct marketing and sales activities, SAP Emarsys may process your personal data if and to the extent that:
- The contract or pre-contractual relation relates to a company or other legal body and if SAP Emarsys processes your personal data as Customer Contact and it is necessary
- to fulfil (pre-) contractual obligations (legitimate interest to efficiently perform or manage SAP Emarsys’ business operation),
- to maintain our business relationships with you or your employer, to ensure your satisfaction as a user or customer contact, to map the relevant group internal structures and bundle relevant business activities at central sources within the SAP Group, to operate them uniformly and to provide you with information about other SAP Emarsys products and services as indicated by your demand or interest, which may also comprise the combination of information about you from different sources (profiling) (legitimate interest to maintain and operate intelligent and sustainable business processes in a group structure optimised for the division of labour and in the best interest of our employees, customers, partners, and shareholders and to operate sustainable business relationship with SAP Emarsys customers and partners).
- when providing you with information about other SAP Emarsys products and services, we may send them to your email address provided that we (i) received your email address in connection with the purchase of our products or services, (ii) you did not object to the use of your email address for direct advertising and (iii) we inform you in every approach, at any time that you may object to our use of your email address for marketing purposes. We may also send you such information by other electronic means (e.g., telephone, SMS, MMS) to the extent permitted under applicable law or explicit or presumed consent.
- We serve or maintain our business relationships with you, ensure your satisfaction as a user or customer representative, and/or provide you with information about other SAP Emarsys products and services as indicated by your demand or interest (necessary for the performance of a contract and/or legitimate interest to operate sustainable business relationship with SAP Emarsys customers and partners).
- We operate to establish a new business relationship with you or your employer and you have consented to SAP Emarsys’ use of your personal data for such marketing purpose or we (i) obtained your email from a publicly available source (ii) you did not object to the use of your email address for direct advertising and (iii) we inform you in every approach that you may object to our use of your email address for marketing purposes at any time.
- Whenever you grant SAP Emarsys consent that SAP Emarsys may use your personal data to provide you with additional information on SAP Emarsys products and services (General Marketing Consent), SAP Emarsys will process your data as described in the section above.
SAP Emarsys processes various types of personal data about the people we interact with when conducting our business or operating our various web presences and other communication channels. Depending on the individual case, this may comprise the following types of personal data:
- Contact Data: SAP Emarsys processes the following categories of personal data as contact data: first name, last name, email addresses, postal address/location (country, state/province, city), telephone numbers, and your relationship history with SAP.
- Personal data related to the business relationship with SAP Emarsys: In the context of established business relationships, SAP Emarsys processes the business partner’s company name, industry, your job title and role, department and function and your company’s relationship history to SAP Emarsys. If you provide a credit card number or bank details to order products or services, SAP Emarsys will collect this information to process your payment for the requested products or services.
- Compliance-related personal data: If required by statutory law or regulation, SAP Emarsys may process data categories like date of birth, academic credentials, identity cards or other ID numbers, geolocation, business partner relevant information about e.g., significant litigation or other legal proceedings, and other export control or custom compliance relevant information.
- Data generated through your use of, or participation in SAP’s internet pages, web, or online offerings:
- Usage data: SAP Emarsys processes certain user-related information, e.g., info regarding your browser, operating system, or your IP address when you visit SAP Emarsys’ web properties. We also process information regarding your use of our web offerings, like the pages you visit, the amount of time you spend on a page, the page which has referred you to our page and the links on our sites you select.
- Registration data: SAP Emarsys may process your contact data as set out above and other information which you may provide directly to SAP Emarsys if you register for any of SAP Emarsys’ events or other web offerings.
- Participation data: When you participate in webinars, virtual seminars, events, or other SAP Emarsys web offerings, SAP Emarsys may process your interactions with the relevant web service to organise the event including its sessions, polls, surveys, or other interactions between SAP Emarsys and/or its participants. Depending on the event and subject to a respective notification of the participants, SAP Emarsys may collect audio and video recordings of the event or session.
- Special categories of personal data: In connection with the registration for an event, SAP Emarsys may ask for your dietary preferences or information about possible disabilities for purposes of consideration for the health and well-being of our guests. Any collection of such information is always based on the consent of the participants. Kindly note that if you do not provide such information about dietary preferences, SAP Emarsys may not have the opportunity to respond to such requests at the time of the event.
- Personal data received during an application for a job at SAP Emarsys: SAP Emarsys processes personal data of individuals applying for a job at SAP Emarsys as set out in the privacy statement of the SAP Career Portal.
- Personal data necessary for customer satisfaction: To the extent permitted by law or based on your consent, SAP Emarsys may combine the information we collect either directly or indirectly about specific users to ensure the completeness and correctness of the data and to help us better tailor our interactions with you and determine the information which best serves your respective interest or demand.
SAP Emarsys generally aims to collect personal data directly from the data subjects. If you are requested to provide personal data to SAP Emarsys and you fail to provide such personal data, kindly note that SAP Emarsys may not be able to provide you with the respective service and/or business relationship requested. If you or applicable law allows SAP Emarsys to do so, SAP Emarsys may obtain personal data also from third party sources. These third party sources may include:
- your employer, in the context of its business dealings with SAP Emarsys and/or the SAP Group entities,
- third parties you directed to share your personal data with SAP Emarsys,
- third-party sources and publicly available sources like business oriented social networks or information brokers.
When we collect personal data from third-party sources, we establish internal controls to ensure that the third-party source was permitted to provide this information to SAP Emarsys and that we may use it for this purpose. SAP Emarsys will treat this personal data according to this privacy statement, plus any additional restrictions imposed by the third party that provided the personal data to SAP Emarsys or by applicable national law.
SAP Emarsys may retain your personal data for additional periods if necessary for compliance with legal obligations to process your personal data or if the personal data is needed by SAP Emarsys to assert or defend itself against legal claims. SAP Emarsys will retain your personal data until the end of the relevant retention period or until the claims in question have been settled. SAP Emarsys stores your personal data only for as long as it is required:
- to make products and services requested by you or your employer available to you;
- to develop products or services until this is no longer necessary or SAP Emarsys is informed that your relationship with the SAP Emarsys customer has changed;
- to fulfil SAP Emarsys’ legitimate business purposes as further described in this privacy statement, unless you object to SAP Emarsys’ use of your personal data for these purposes;
- for SAP Emarsys to comply with statutory obligations to retain personal data, resulting inter alia e.g., from applicable export, finance, tax or commercial laws;
- until you revoke a consent you previously granted to SAP Emarsys to process your personal data.
- Entities of the SAP Group: Other entities of the SAP Group may also receive or gain access to personal data either when rendering group internal services centrally and on behalf of SAP SE, when supporting others in the SAP Group Entities or when personal data is transferred to them on a respective legal basis. In these cases, these entities may process the personal data for the same purposes and under the same conditions as outlined in this privacy statement. The current list of SAP Group Entities can be found here.
- Third-party service providers: SAP Emarsys may engage third-party service providers to process personal data on SAP Emarsys’ behalf, e.g., for consulting or other services, the provision of the website, the fulfilment and provisioning of offers from SAP Emarsys or newsletter dispatch. These service providers may receive or are granted with access to personal data when rendering their services and will constitute recipients within the meaning of the relevant data protection law, including GDPR.
- SAP partners: With your consent or as otherwise indicated by your request, including to fulfil your ordered services, SAP Emarsys may share your personal data with designated partner companies to provide you with the product or service you have requested.
- Other third-parties: SAP Emarsys may transfer your registration data based on your consent or as otherwise indicated by your request to companies listed on the registration page of an SAP Emarsys seminar, webinar or event. These companies may receive your personal data as co-organiser or sponsor of the event and will use your registration data for the purposes of their participation in the event. They will provide you directly with any legally required information about their processing purposes and how you may exercise your rights.
SAP Emarsys honors your statutory rights when it comes to the processing of your personal data. To the extent provided by applicable data protection laws, you have the right to:
- Access your personal data that we have on you, or have it updated.
- Obtain a copy of the personal data you provided to SAP Emarsys, if SAP Emarsys uses your personal data based on your consent or to perform a contract with you. In this case, please refer to the section below “How you can exercise your Data Protection Rights(s)”. Please note that you will need to specify the information or processing activities to which your request relates, the format in which you would like to receive the personal data and whether it should be sent to you or another recipient. SAP Emarsys will carefully consider your request and communicate with you how it can best be fulfilled.
- Delete your personal data we hold about you. Please note, however, that SAP Emarsys can or will delete your personal data only if there is no statutory obligation or prevailing right of SAP Emarsys to retain it. If you request from SAP Emarsys to delete your personal data, you may not be able to continue to use any SAP Emarsys service that requires SAP Emarsys’ use of your personal data.
- Object to SAP Emarsys further processing your personal data, if and to the extent SAP Emarsys is processing your personal data based on its legitimate interest. When you object to SAP Emarsys’ processing of your personal data, SAP Emarsys will carefully review your objection and cease further use of the relevant information, subject to SAP Emarsys’ compelling legitimate grounds for continued use of the personal data, which may override your interest in objecting, or if SAP Emarsys requires the information for the establishment, exercise, or defence of legal claims.
- Object to direct marketing or to apply profiling in relation to direct marketing. When you object to SAP Emarsys’ processing of your personal data for direct marketing purposes, SAP Emarsys will immediately cease to process your personal data for such purposes.
- Revoke consent, wherever SAP Emarsys is processing your personal data based on your consent, you may at any time withdraw your consent by unsubscribing or giving us respective notice of withdrawal. In case of withdrawal, SAP Emarsys will not process personal data subject to this consent any longer unless legally required or permitted to do so (e.g., if your personal data is needed by SAP Emarsys to assert or defend against legal claims). In case SAP Emarsys is required or permitted to retain your personal data for other legal reasons your personal data will be restricted from further processing and only retained for the term required by law or to fulfil the other purpose. However, any withdrawal has no effect on past processing of personal data by SAP Emarsys up to the point in time of your withdrawal. Furthermore, if your use of an SAP Emarsys offering requires your prior consent, SAP Emarsys will no longer be able to provide the relevant service, offer or event to you after your revocation.
- Not to be subject to a decision based solely on automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way.
- Request from SAP Emarsys to restrict your Personal Data from further processing in any of the following events:
- you state the Personal Data about you is incorrect, subject to the time SAP Emarsys requires to check the accuracy of the relevant Personal Data,
- there is no legal basis for SAP Emarsys to process your Personal Data and you demand SAP Emarsys to restrict your Personal Data from further processing,
- SAP Emarsys no longer requires your Personal Data, but you state you require SAP Emarsys to retain such data to claim or exercise legal rights or to defend against third party claims, or
- in case you object to the processing of your Personal Data by SAP Emarsys based on SAP Emarsys’ legitimate interest, subject to the time required for SAP Emarsys to determine whether it has a prevailing interest or legal obligation SAP Emarsys in processing your Personal Data.
- Lodge a complaint to the competent supervisory authority if you are not satisfied with how SAP Emarsys is processing your personal data. Your competent supervisory authority can be found in the country specific section below.
Depending on applicable local data protection laws, your rights may be subject to deviations, limitations, or exceptions as set out below in the country-specific section. Please be aware, that SAP Emarsys honors your statutory rights when it comes to the processing of your personal data to the extent provided by applicable data protection laws.
How you can exercise your data protection rights
If you want to unsubscribe from SAP Emarsys Marketing communications, please visit this webpage.
SAP Emarsys will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP Emarsys will match personal data provided by you in submitting a request to exercise your rights with information already maintained by SAP Emarsys. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP Emarsys.
SAP Emarsys will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.
Automated Decision Making
Automated decisions are defined as decisions about individuals that are based solely on the automated processing of Personal Data and that produce legal effects that significantly affect the individuals involved (“Automated Decision Making”).
SAP Emarsys only performs Automated Decision Making based on the necessity for the performance of or entering into a contract, your explicit consent or if a law specifically allows the processing for Automated Decision Making.
The following elements contribute to SAP Emarsys’ Automated Decision Making:
- Categories of data used in the profiling or decision-making process
- Why these categories are considered relevant
- How any profile used in the automated decision-making process is built, including any statistics used in the analysis
- Why this profile is relevant to the automated decision-making process
- How it is used for a decision concerning the data subject
- Fact that automated processing is in place and that he/ she can obtain human intervention if not satisfied with the outcome
In general, SAP Emarsys websites and online services are not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16, you cannot register with and use these websites or online services.
Where SAP Emarsys is subject to privacy requirements in the EU/EEA or a country with national laws equivalent to the GDPR:
Who is the Data Protection Officer of the Controller?
You can reach SAP Emarsys’ data protection officer any time at emarsys_dataprotection[@]sap.com.
Who is the relevant Data Protection Authority?
The contact details of your specific data protection supervisory authority can be found on the European Data Protection Board website. SAP Emarsys’ lead data protection supervisory authority is the Österreichische Datenschutzbehörde and can be reached at Barichgasse 40-42, 1030 Wien.
How does SAP Emarsys justify international data transfers?
As a global group of companies, SAP has group affiliates and uses third-party service providers also in countries outside the European Economic Area (the “EEA”). SAP Emarsys may transfer your personal data to countries outside the EEA as part of SAP Emarsys’ international business operations. If we transfer personal data from a country in the EU or the EEA to a country outside the EEA and for which the EU Commission has not issued an adequacy decision, SAP Emarsys uses the EU standard contractual clauses to contractually require the data importer to ensure a level of data protection consistent with the one in the EEA to protect your personal data. You may obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to emarsys_dataprotection[@]sap.com. You may also obtain more information and their perspectives on international data protection issues on the European Commission’s International Dimension of Data Protection webpage.
Where SAP Emarsys is subject to privacy requirements in Australia
Where SAP Emarsys is subject to the requirements of the Privacy Act 1988 (Cth) (‘Privacy Act’), the following applies:
SAP Emarsys may store your Personal Data in paper-based files or as an electronic record in the Cloud or on physical devices e.g. computer systems. Your Personal Data will likely be held and stored by the SAP Group located in another country for our general business purposes including outsourcing and data processing. We will only do this where it is necessary or appropriate to achieve the purposes set out in this Privacy Statement. We take reasonable steps to protect your personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.
You can contact us either by the telephone number +61 2 9935 4939 or via email at: emarsys_dataprotection[@]sap.com to exercise the following rights:
- You can request from SAP Emarsys at any time access to information about which Personal Data SAP Emarsys processes about you and, if necessary, the correction of such Personal Data. Please note, however, that SAP Emarsys can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP Emarsys to retain it.
- Wherever SAP Emarsys is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving us respective notice of withdrawal. In case of withdrawal, SAP Emarsys will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP Emarsys is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by SAP Emarsys up to the point in time of your withdrawal.
- In Australia, a complaint should first be made to SAP Emarsys in writing as required by law. You can find more information about privacy and the protection of Personal Data on the Office of the Australian Information Commissioner website.
Where SAP Emarsys is subject to privacy requirements in Canada
Your personal data may be processed globally. If personal data is processed across provincial/territorial or international borders, SAP Emarsys complies with laws of the transfer of personal data between countries to keep your personal data protected. It may, however, based on the laws of such countries be subject to access by local law enforcement.
Where SAP Emarsys is subject to privacy requirements in Singapore
Where SAP Emarsys is subject to the requirements of the Singapore’s Personal Data Protection Act (PDPA), the following applies
- You can request from SAP Emarsys personal data about you that is in the possession or under the control of SAP Emarsys and information about the ways in which such personal data has been or may have been used or disclosed by SAP Emarsys within a year prior to this request. Please be informed that SAP Emarsys is not obliged to accede to your request if any exceptions under the PDPA apply.
- You may submit a request to have inaccurate/incomplete personal data corrected in our systems. Please be informed that SAP Emarsys is not obliged to accede to your request if any exceptions under the PDPA apply.
- Revoke consent, wherever SAP Emarsys is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving us respective notice of withdrawal. In case of withdrawal, SAP Emarsys will not process Personal Data subject to this consent any longer unless legally required or permitted to do so (e.g. if your Personal Data is needed by SAP Emarsys to assert or defend against legal claims). In case SAP Emarsys is required or permitted to retain your Personal Data for other legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law or fulfil the other purpose. However, any withdrawal has no effect on past processing of Personal Data by SAP Emarsys up to the point in time of your withdrawal. Furthermore, if your use of an SAP Emarsys offering requires your prior consent, SAP Emarsys will no longer be able to provide the relevant service, offer or event to you after your revocation.
- Lodge a complaint to the Personal Data Protection Commission (PDPC) if you are not satisfied with how SAP Emarsys is processing your Personal Data.
SAP Emarsys has appointed a Data Protection Officer for Singapore. Written inquiries, requests or complaints to our Data Protection Officer can be sent via post to Mapletree Business City, 30 Pasir Panjang Rd, #03-32, Singapore 117440 or email to emarsys_dataprotection[@]sap.com with the subject “Data Protection Officer” or can be reached via phone +65 6664 6868
Where SAP Emarsys is subject to privacy requirements in the United States of America
Where SAP Emarsys is subject to the requirements of the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), from here on referred to as “CCPA” or where other US state laws have similar requirements, the following applies:
You have the right to:
- Know what personal information the business has collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer.
- Delete personal information that the business has collected from the consumer, subject to certain exceptions.
- Correct inaccurate personal information that a business maintains about a consumer.
- Opt-out of the sale or sharing of their personal information by the business (where applicable).
- Limit the use or disclosure of sensitive personal information by the business (subject to certain exceptions, where applicable).
- Receive non-discriminatory treatment for the exercise of these rights.
- Appeal any denial of your request to exercise these rights.
How you can exercise your Data Protection Right(s)
To exercise these rights, or to limit the sharing of your personal information, please contact us at emarsys_dataprotection[@]sap.com or:
Address: 10 W. Market Street, Suite 1350, Indianapolis, IN 46204, Indiana, USA
In accordance with the verification process set forth under US relevant state law (as appropriate), SAP Emarsys may require a more stringent verification process for deletion requests (or for personal data that is considered sensitive or valuable) to minimise the harm that might be posed to you by unauthorised access or deletion of your personal data. If SAP Emarsys must request additional information from you outside of information that is already maintained by SAP Emarsys, SAP Emarsys will only use it to verify your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes. You can designate an authorised agent to submit requests to exercise your data protection rights to SAP Emarsys. The agent must submit authorisation to act on your behalf and, where required by relevant law, the agent must be appropriately registered.
New Jersey’s Daniel’s Law
SAP Emarsys does not disclose on the internet or otherwise make available information that is subject to a Daniel’s Law request.
Financial Incentives
SAP Emarsys does not offer financial incentives in return for your consent to share your personal information, nor limit service offerings where you opt-out of such sharing (unless sharing is practically necessary to perform the relevant service).
Children’s Privacy
Given that SAP Emarsys websites and online services are not directed to users under 16 years of age, SAP Emarsys does not sell or share the personal information of any minors under 16. If you are a parent or guardian and believe SAP Emarsys collected information about your child, please contact SAP Emarsys. SAP Emarsys will take steps to delete the information as soon as possible.

