

Data Protection and Privacy




Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. SAP provides specific features and functions to support compliance with regard to relevant legal requirements, including data protection. This section describes the specific features and functions that SAP provides to support compliance with the relevant legal requirements, including data privacy.

SAP does not give any advice on whether these features and functions are the best methods to support company, industry, regional or country-specific requirements. Furthermore, this guide does not give any advice or recommendations in regard to additional features that would be required in a particular environment; decisions related to data protection must be made on a case-by-case basis, under consideration of the given system landscape and the applicable legal requirements.

Note: In the majority of cases, compliance with data privacy laws is not a product feature. SAP software supports data privacy by providing security features and specific functions relevant to data protection, such as functions for the deletion of personal data. SAP does not provide legal advice in any form. The definitions and other terms used in this guide are not taken from any given legal source.





Consent

The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent.


Deletion

The irreversible destruction of personal data.

Personal Data

Any information relating to a data subject.


Purpose

The information that specifies the reason and the goal for the processing of a specified set of personal data. As a rule, the purpose references the relevant legal basis for the processing of personal data.

Retention period

The period of time between the end of the last business activity involving a specified object (for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention period is a combination of the residence period and the blocking period.

User Consent

We assume that software operators, such as SAP customers, collect and store the consent of data subjects before collecting personal data from them. Personal Sensitive Data is only available to users with the DPO role in CLM.

Deletion of Personal Data

When handling personal data, consider the legislation in the different countries where your organization operates. After the data has passed the end of purpose, regulations may require you to delete the data. Additional regulations may require you to keep the data longer after the end of purpose. During this period you must block access to the data by unauthorized persons until the end of the retention period, when the data is finally deleted.

CLM administrators can delete user data when the end of purpose has been reached in SAP CLM. See Application Settings.

Information Report

Data subjects have the right to receive information regarding their personal data undergoing processing. The personal data record feature helps you to comply with the relevant legal requirements for data protection by allowing you to search for and retrieve all personal data for a specified data subject. The search results are displayed in a comprehensive and structured list containing all personal data of the data subject specified, organized according to the purpose for which the data was collected and processed.

Change Log

For auditing purposes or for legal requirements, changes made to personal data should be logged, enabling the monitoring of who made changes and when. 

CLM maintains a change log in Admin Audit Trail.

Read Access Logging

If no trace or log is stored that records which business users have accessed data, it is difficult to track the person(s) responsible for any data leaks to the outside world. The Read Access Logging (RAL) component can be used to monitor and log read access to data and provide information such as which business users accessed personal data, for example, of a business partner, and in which time frame.

Admin Audit Trail displays sensitive Customer and Contact fields that were used for filtering or exporting contracts. This information is only available to users with the DPO role.
