The uncertainty is great. The new General Data Protection Regulation (GDPR) poses additional challenges for every company. You can find an overview of the content here. As an SAP Business One partner, we naturally ask ourselves what needs to be considered in relation to GDPR and ERP operations. Rather than fishing in the dark, we asked lawyer Wolfgang A. Schmid, a recognised expert on the subject.
Versino Blog: Is the operation of an ERP system affected by the GDPR at all?
Mr Schmid: The prerequisite is that personal data is processed. Even if customers' contact persons are regularly contacted (by name, telephone extension or personalised e-mail address), we are right in the middle of the EU GDPR's scope of application.
Are there requirements that an ERP manufacturer must fulfil with regard to the programming, design and/or provision of its ERP software?
The customer is the controller and addressee of the EU GDPR. It must ensure the security of the processing. It must be able to prove that the software used - regardless of whether on-premise behind the firewall or SaaS - is designed for data protection or at least offers corresponding settings options. Privacy by design and privacy by default can be a competitive advantage for the manufacturer if the customer can simplify their inspection obligations with the corresponding documents. In future, the definition of erasure concepts within the programming will massively differentiate "privacy-friendly" from "privacy-unfriendly" software.
Lawyer Wolfgang A. Schmid
Partner at SCHMID FRANK Rechtsanwälte PartG mbB, Augsburg; specialist lawyer for information technology law; has trained data protection officers since 2004 and advises them nationwide; external certified data protection officer for numerous companies; specialist lectures and speaking engagements, e.g. since 2009 at the German Lawyers' Academy, VKU, TÜV Rheinland and others.
Are there any other obligations, such as information or documentation obligations, that an ERP manufacturer must comply with?
What responsibility does an ERP partner have towards the customer with regard to the GDPR?
This depends to a large extent on whether personal data of the customers is to be processed on their behalf. If the manufacturer is the processor, it must document the procedures for each customer and observe the obligations arising from a data processing agreement. This includes information and documentation obligations.
Does it make a difference whether an ERP partner only advises and trains or, for example, offers services such as hosting?
With hosting and access to personal data, the ERP partner presumably opens the door to commissioned processing and will have to accept corresponding checks and documentation obligations as a processor. The formal effort is different. Hosting can also be easily secured under data protection law. So far, the consultant has only had to sign confidentiality agreements.
What happens if you obtain your ERP from the cloud? How are the responsibilities distributed there?
In terms of data protection law, the scope of application of Art. 28 EU GDPR may apply. The operator of the cloud, presumably the manufacturer, who can also access personal data, becomes the processor. It has the obligations that apply to it as a processor. The main new aspect is joint and several liability alongside the actual controller.
How do you deal with historically "grown systems" and the often huge amounts of data they contain?
If personal data is also affected, the major challenge is to organise the EU GDPR's requirement to limit storage. This means a deletion concept. In future, the manufacturers who offer solutions for this will win the race.
What needs to be considered when setting up interfaces to other software and/or other business partners?
In future, the manufacturer who can make a statement about how they guarantee transparency and security here, either conceptually or via settings, will be ahead. The responsible organisation must document access by other departments or third parties in process descriptions. The intelligent manufacturer must do the groundwork here and provide FAQs or the like.
What do I have to regulate organisationally in my company despite or because of an ERP system?
Essentially, the company must provide the process description in the register of processing activities, check the lawfulness of the data processing and carry out a risk assessment.
If I operate an ERP system, do I also need a data protection officer? If so, who can this be (internal/external)?
This is independent of the application. According to the EU GDPR, this does not apply if an authority / responsible body processes the data, extensive regular and systematic monitoring of data subjects takes place or, for example, health data is processed. According to the new BDSG 2018, again (no change from the old BDSG, by the way), it applies if at least 10 persons with log-in and password regularly process personal data. There is always the option of appointing either a company DPO or an external DPO. What certainly speaks in favour of the external DPO is the fact that the company DPO can no longer be dismissed.