Technology Blogs by SAP
Product and Topic Expert

Blogs in this Series [#CAP #DPP]

  1. Part 1 : DPP Terminologies and PDM Overview

  2. Part 2 : Personal Data Annotations in CAP and Integration with PDM

  3. Part 3 : Explore PDM Application features


In today’s world, organizations must adopt multiple applications or services that are not only required for regulatory compliance but also help them build trust with customers and stand out from competitors. Data Privacy and Protection services on SAP Business Technology Platform (BTP) help you deliver trusted customer experiences while complying with data privacy regulations such as the EU General Data Protection Regulation.

SAP BTP provides the following data privacy and protection services:

  1. SAP Personal Data Manager

  2. SAP Data Retention Manager

  3. SAP Data Privacy Integration

  4. SAP Audit Log Service

In this blog series, we will see how to design and develop a CAP (Cloud Application Programming Model) based application on BTP and use different data privacy and protection services to meet regulatory requirements.

Before we get into the details of the DPP services and their use in application development, let us go through a few terms around personal data privacy and protection.

DPP Terminologies

  • Personal Data:

    • One or more pieces of information that can be used to identify an individual are considered personal data, even if they are encrypted or pseudonymized.

    • Data that has been rendered anonymous in an irreversible way, so that the individual is no longer identifiable, is no longer considered personal data.

    • Examples of personal data are name, home address, email address, card identification number, location data, IP address, phone number etc.

  • Data Subjects and Their Rights: In the context of DPP, identified or identifiable natural persons are called Data Subjects. Under the latest regulations (especially GDPR), Data Subjects have the following rights:

    • right to be informed about what information is collected and used, its purposes, retention periods, and with whom the information will be shared

    • right to access and receive a copy of their personal data

    • right to rectification/completion of inaccurate personal data

    • right to erasure/deletion of personal data

    • right to limit or restrict usage and processing of personal data

    • right to data portability when requested

    • right to object to the processing of their data in certain circumstances

    • right to exclusion of profile data in relation to automated decision-making

You can find out more information about rights of data subjects here.

  • Data Controller: the natural or legal person, public authority, agency, or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data

  • Data Processor: entities that process personal data on behalf of data controllers. Example: Company ABC sells different products on its commerce website and collects customers' personal data to process orders. To confirm that an order was processed successfully, it sends an SMS to the customer's mobile phone, for which it uses a cloud service from Company XYZ. Here Company ABC decides the use and purpose of the personal data, i.e., the phone number, and Company XYZ processes or uses the phone number to send a message on behalf of Company ABC. Hence, in this case, Company ABC acts as the Data Controller and Company XYZ acts as the Data Processor. To find out more about the differences, you can visit this page: Data Controller vs. Data Processor: What's The Difference?

It is important to note that Data Privacy and Protection is a complex topic and can have different meanings depending on the legal and regulatory bodies of different countries. In the previous section, the terms are defined in their simplest form so that we get the basic understanding needed to use DPP services in application development.

From this point forward, the terms "Data Subjects" and "Individuals" will be used interchangeably in this blog series.

Now let’s look at a couple of DPP services on BTP (Business Technology Platform) and see how these services help to comply with personal data regulations.

SAP Personal Data Manager

A service that runs in the Cloud Foundry environment of BTP and helps you to:

  • Identify Data Subjects: find Data Subjects across one or more applications and services

  • Manage Requests: make requests on behalf of individuals concerning their personal information and forward the requests for handling

  • Inform Data Subjects: Notify the individuals about the specific personal information being utilized by the applications and services, or send them a copy of their personal data record via email.

Note: Later I will add details about other services once I am ready with an example 🙂


In this blog post, the theoretical foundations of Data Privacy and Protection and the PDM service on BTP were introduced.

In the next blog post of this series, we will look at a sample application developed using CAP and see how it can be integrated with DPP services.

More information about the Cloud Application Programming Model can be found here. You can follow my profile to get notified of the next blog post on CAP. Please feel free to provide any feedback in the comments section below and ask your questions about the topic in SAP Community using this link.