GDPR

SAP Concur observes industry practices for global data privacy, security and data governance. We help you protect your data and optimise your travel, expense and invoice experience

What is GDPR?

The General Data Protection Regulation (GDPR) is a new European Union (EU) law that gives residents greater protection and control of their personal data. GDPR will regulate the data that can be collected, stored and transferred for companies both in and outside of the EU.

When does GDPR come into place?

All companies that process EU resident data must be ready to comply when the GDPR enforcement starts on May 25, 2018.

Our commitment to compliance.

As a company, SAP Concur is committed to ensuring compliance with the GDPR by May 25, 2018. SAP Concur has been consistent in its approach to data protection as part of our general product standards and this is now being extended to reflect new requirements of the GDPR.




SAP Concur is committed, with its products and services, to enable its customers to implement the EU's General Data Protection Regulation (GDPR) requirements. Existing product and services features are being enhanced to support customers in their GDPR compliance journey.

SAP will be the first company to receive Data Protection and Privacy certification based on GDPR by the British Standards Institute.

How can SAP Concur help?

SAP Concur solutions adhere to industry practices for global data privacy, security and data governance. We help you protect your data and optimise your travel, expense and invoice experience.

  • SAP Concur services are developed with customer data protection and security in mind aligning to both SAP and industry practices. SAP Concur are committed to helping customers understand how our solutions protect the confidentiality, integrity and availability of their data by proactively publishing information such as certifications and attestations, data processing agreements and real-time cloud solution availability.



  • SAP Concur provides data centers in various regions around the world so customers can choose where their data is processed.
  • SAP Concur applies robust security measures by maintaining activity records, privacy by design checks, privacy impact assessments and new privacy rights within product cycles.
  • SAP Concur adheres to guidelines and training through the BS10012 certified Data Protection Management System (DPMS) to effectively manage data protection.
  • SAP Concur takes a global approach with its Data Processing Agreement (DPA) which incorporates the Standard Contractual Clauses (SCC), but goes beyond SCC in providing data protection assurances to customers.

How can SAP Concur help?

SAP Concur services have always been built on stringent data protection principles and standards. Below are some examples of how our services will aim to meet the key compliance requirements.

Transparency of data usage / access to information:

Personal data is available for reporting and export to the data subject or authorized employees, who require access to perform a relevant, critical business function. Any changes made to personal profile data are automatically tracked in SAP Concur products - regardless of the channel used to make the change.

Right to be forgotten:

  • SAP Concur will introduce a feature in time for the GDPR that allows customers to purge personal data. Once an end-user is deactivated in the SAP Concur solutions, customers can automatically remove personal profiles.
  • SAP Concur will also implement a feature in time for the GDPR in the Data Retention Administration portal so customers can remove all transactional and remaining data associated to a data subject from the system.

Data retention of customer data upon policy requirement:

  • SAP Concur allows customers to specify, based on policies, the length of time their data is going to be stored in our products.
  • Customers can also create exceptions that block specific data subjects from being removed.
  • The feature will also remove critical personal data user. Once an end user is deactivated, the new system will automatically expedite the remove associated specific personal data.

Restriction of processing (role based access to personal data):

SAP Concur offers Role Based Permissions (RBP) to keep personal data secure in the travel, expense and invoice management products and through backend processes.

Change logging for personal data and sensitive personal data logging:

SAP Concur enables logging of personal data changes and access logging for sensitive personal data.

Information notices:

SAP Concur shares information notices with customers to reflect the updates in our travel, expense and invoice management services.