Data protection and data privacy are becoming increasingly important in our connected world. At Software GmbH, customers can trust that their personal data is processed in compliance with data protection/data privacy requirements.
See our FAQ for how we process our customers’ personal data and how we ensure customers can use our products and services in compliance with applicable requirements.
What measures have been implemented to achieve data protection-compliant products and services?
All products offered by Software GmbH have been analyzed to verify that the functionality with which they process personal data complies with the applicable data protection principles. For new functionality, a release task to verify data protection compliance has been integrated into the product release cycle, so that each release is checked before it ships.
How are accountability and governance requirements addressed?
Software GmbH has set up a Data Protection Management System (DPMS), which defines clear processes for relevant data protection aspects, including the following processes and risk assessments:
- Handle Data Subject Requests
- Handle Data Breach
- Review DPA (Data Processing Agreement)
- Data Privacy Impact Assessment Necessity Check
- Data Privacy Impact Assessment (DPIA)
- Data Breach and Risk Assessment
- Transfer Impact Assessment (TIA)
As part of the scope of Software GmbH’s ISO 9001 certification, the established DPMS processes are subject to regular external audits.
Additionally, Software GmbH has implemented a Global Data Protection Policy, which applies to all employees. The objective of this policy is to regulate the legally compliant handling of personal data within Software GmbH and its subsidiaries, and to protect the rights arising from data protection/privacy regulations of all persons whose data is processed by Software GmbH.
How is Software GmbH processing personal data on behalf of customers?
When Software GmbH processes personal data on behalf of its customers (data controllers), or when access to personal data cannot be ruled out in the course of service provision, a Data Processing Agreement (DPA) is concluded as standard practice. It addresses in particular the following aspects:
- Customer’s instructions: The DPA obliges Software GmbH to process personal data only on the documented instructions of the customer and in compliance with the data protection law applicable to the customer.
- Sub-processors: To provide highly available support services, Software GmbH involves its affiliates worldwide, as well as carefully selected external service providers, in its support process. These organizations act as sub-processors to our customers. Sub-processors are likewise used to deliver cloud and consulting services at the required standards of quality, performance, and flexibility.
- Data transfer: As mentioned above, service provision usually requires transferring personal data to other Software GmbH entities or to external service providers. For any transfer of personal data from the EEA to a country without an adequate level of data protection, the EU Standard Contractual Clauses apply, which provide the safeguards required to protect customers’ personal data in accordance with data protection regulations.
- Data subject requests: Software GmbH’s customers, as data controllers, may be required under applicable data protection law to provide information upon a data subject’s request. Where a data subject addresses such a request directly to Software GmbH, we will notify the respective customer and respond to the data subject in accordance with the customer’s instructions. Additionally, we will support our customers in responding to data subjects’ requests using appropriate technical and organizational measures.
- Data breach notification: In case of a data breach, Software GmbH’s customers, as the data controllers, might be obliged to fulfill certain notification obligations towards the affected data subjects and/or the supervisory authority. Software GmbH will inform its customers without undue delay if we have a documented reason to believe that a data breach at Software GmbH or at one of our sub-processors has occurred. Software GmbH has implemented a data breach handling process that aligns with these notification requirements and is within the scope of the Data Protection Management System (DPMS).
- Technical and organizational measures: Software GmbH has implemented appropriate Technical and Organizational Measures (TOMs) to protect personal data from unauthorized processing. The TOMs are regularly reviewed and updated if necessary.
Does Software GmbH have a process to handle data breaches?
Yes, we have a Data Breach Handling Process documented in our Data Protection Management System. This process outlines how to proceed in the event of a personal data breach. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Once a potential data breach is discovered, the relevant business team must report the incident to the Data Protection Team, which determines whether it qualifies as a personal data breach. If it does, the Data Protection Team assesses the breach based on its cause, scope, and extent and documents the relevant findings. Once the Data Protection Team has assessed the risk to data subjects, the DPO decides whether to notify the supervisory authority and, if appropriate, the affected data subjects.
Does Software GmbH have a process to handle data subject requests?
Yes, we have a Data Subject Request Handling Process documented in our Data Protection Management System. This process outlines how data subject requests (DSRs) are handled at Software GmbH. Once a DSR is received, it must be forwarded to the Data Protection Team. The Data Protection Team verifies the identity of the data subject(s) and checks with the relevant business teams whether such data exists in our systems. If there are doubts as to the identity of the data subject, Software GmbH may request further proof of identity (e.g., passport or ID card), or may reject the DSR if the proof provided is insufficient. Once the relevant business teams have provided the required information, the Data Protection Team responds to the data subject within the statutory response periods.
Does Software GmbH conduct any privacy risk assessment/impact assessment (DPIA)?
Yes, we have a process for Data Protection Impact Assessment (DPIA) and for the DPIA pre-check documented in our Data Protection Management System. A DPIA is performed for processing activities that are likely to pose a high risk to the rights and freedoms of data subjects, or where required by a decision of an authority. The pre-check determines whether a DPIA is required; if it is, the Data Protection Team assesses and documents the risk of the data processing in terms of its proportionality and necessity and, where necessary, checks whether there are alternatives that are less harmful to the rights and freedoms of the data subjects. If a high risk remains, appropriate technical and organizational measures to mitigate it are identified and selected. The processing activity may be carried out only if the risk can be reduced to an acceptable level.
Does Software GmbH have a Data Protection Officer?
Software GmbH has appointed a Corporate Data Protection Officer (CDPO). The CDPO monitors compliance with applicable data protection law and advises on the processing of personal data at Software GmbH, as also laid down in the Global Data Protection Policy. The Data Protection Team supports the CDPO in fulfilling these tasks.
Are employees trained in data protection requirements?
Data protection training is mandatory for all staff at Software GmbH. It covers the requirements for compliant processing of personal data and the technical and organizational measures staff must adhere to, and must be refreshed regularly. Participation is monitored, and non-participation may result in disciplinary action.
How does Software GmbH comply with changes in data protection requirements?
As data protection requirements can change or expand at any time due to legal amendments or decisions by the responsible supervisory authorities, Software GmbH regularly reviews the processes that are part of our DPMS and our technical and organizational measures against any new requirements and adapts them accordingly. Additionally, our processes are subject to regular external audits in line with our ISO 9001 certification.
- The Software GmbH Privacy Notice for the processing of personal data is available at: Software GmbH Privacy Notice
- The list of Technical and Organizational Measures (TOMs) is available at: Technical and Organizational Measures (TOMs) | Software GmbH