Data Privacy EhP4 EN PDF
SAP Enhancement Package 04 for SAP ERP 6.0
Copyright
© Copyright 2011 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be changed
without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM,
z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,
Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower,
PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect,
RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere,
Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide
Web Consortium, Massachusetts Institute of Technology.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for
technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks of
Business Objects Software Ltd. Business Objects is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product
specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG
and its affiliated companies ("SAP Group") for informational purposes only, without representation
or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to
the materials. The only warranties for SAP Group products and services are those that are set
forth in the express warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional warranty.
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
Additional icons are used in SAP Library documentation to help you identify different types of
information at a glance. For more information, see Help on Help General Information Classes
and Information Classes for Business Information Warehouse on the first page of any version of
SAP Library.
Typographic Conventions
Considering the increase in data abuse and the accompanying need for legal regulations, data
privacy and data security have also gained importance in enterprises. Data privacy does not
mean protecting the data, but rather protecting individuals from abuse of their personal data.
Data security, however, means protecting the data from being accessed by unauthorized
persons. For enterprises, this means that adhering to data privacy guidelines requires suitable
data privacy and data security measures.
More Information
Data Privacy Management [Page 7]
Efficient data privacy management comprises organizational and technical measures for handling
personal data so as to adhere to data privacy principles. It must be ensured that the data can be
used optimally, and without interruption, in operative business processes for as long as this is
required.
[Figure: Data privacy in the enterprise. Earmarking: For what purpose is personal data entered
and used? Necessity: Which personal data is entered? Data economy/data reduction: Only
personal data that is absolutely necessary for the application. Data destruction: while
considering retention periods.]
The following data privacy principles provide you with the necessary reference for ensuring data
privacy in your enterprise and your employees' right to determine what happens to their data:
Earmarking
Personal data may only be processed for the purpose for which it was collected and is to
be protected from abuse.
In data privacy, this principle can be viewed as a preventative measure and can also
reduce costs if it results in the effective organization of data processing. This also
includes the efficient management of the volume of data in a database to limit the
operating costs for a system. For information about data management, see SAP Service
Marketplace at http://www.service.sap.com/ilm.
In the Human Resources applications, a multitude of data is to be considered personal data with
regard to data privacy and is thus subject to data privacy legal regulations. The data privacy
principles of data economy and necessity mean that personal data is to be deleted as soon as it
is no longer required. SAP supports your data privacy management by providing suitable SAP
NetWeaver Information Lifecycle Management (ILM) functions in the Human Resources
applications.
Data Archiving
Efficient data management involves archiving data from completed business transactions. Data
that is no longer required in the system but is to be retained, for example as evidence, is
written to an archive file. To reduce the load on the database, the archive file is stored in a file
system or content repository and the data is deleted from the database. For more information,
see SAP Library for SAP NetWeaver on SAP Help Portal and choose Data Archiving (CA-ARC)
Archiving Using the Archive Development Kit (ADK).
Retention Periods
ILM's Retention Management provides tools and methods for storing data and enables you to
fulfill the legal requirements for retaining data:
Legal Case Management functions such as destruction locks for data that is to be
retained for longer than the retention period with regard to legal cases
For more information, see SAP Library for SAP NetWeaver on SAP Help Portal and choose
Information Lifecycle Management (ILM) in the SAP System Control Information Lifecycle
with Retention Management.
Destruction of Data
In the Human Resources applications, you have the ILM function for the destruction of personal
data available. You can use this function to delete personal data as soon as the end of the legal
and operational retention periods specified for the data has been reached, and thus fulfill data
privacy requirements. For more information about the data destruction process, see Destruction
of Data [Page 9].
In all Human Resources (HR) applications, you have archiving objects available, which support
the Information Lifecycle Management (ILM) function for the destruction of data. Some archiving
objects support archiving in addition to data destruction.
An archiving object contains data from the database that is related in a business context. An
archiving object has at least one write program and one delete program. The write program reads
the data from the database and the associated delete program deletes the data from the
database. An archive file must always be written for the destruction of data; this is also deleted
after the data has been destroyed. The system writes the data that, according to the relevant
checks, can be destroyed in accordance with the specified retention rules, to this archive file.
In the Information Retention Manager (IRM), you can define and edit policies and rules for the
retention of data. These retention rules are evaluated when the write program is run for the
archiving object.
Retention periods for data can have different reasons. For example, tax-based data needs to be
retained for revision purposes and tax audits. For data privacy reasons, personal data needs to
be retained and destroyed when it is no longer needed. These reasons are represented by audit
areas in the system. For more information, see SAP Library for SAP NetWeaver and choose
Information Lifecycle Management (ILM) in the SAP System Control Information Lifecycle
with Retention Management Edit Policies for Retaining Business Information General
Principles and Recommendations for Policies and Rules.
Process
To destroy personal data in HR, proceed as follows:
1. To be able to use retention rules for an archiving object, you need to assign this archiving
object to an object category. You assign archiving objects in the Information Retention
Manager (transaction IRM_CAT).
For more information about this Customizing setting, see SAP Library for SAP
NetWeaver and choose Information Lifecycle Management (ILM) Retention
Management Edit Policies for Retaining Business Information Information Retention
Manager Object-Category-Specific Customizing.
2. To differentiate between retention policies and residence time policies, the term policy
category is used. Not all policy categories known to the Information Retention
Manager (IRM) are automatically available for an object type; you need to have specified
this explicitly in Customizing for the object type. Create the permitted policy category
(transaction IRM_CUST).
For more information about this Customizing setting, see SAP Library for SAP
NetWeaver and choose Information Lifecycle Management (ILM) Retention
Management Edit Policies for Retaining Business Information Information Retention
Manager Object-Category-Specific Customizing.
For more information, see SAP Library for SAP NetWeaver and choose Information
Lifecycle Management (ILM) Retention Management Information Retention Manager
Maintenance of Policies and Rules.
4. Edit your ILM policies for the policy category in Editing of Policies (transaction IRMPOL).
For more information about this Customizing setting, see SAP Library for SAP
NetWeaver and choose Information Lifecycle Management (ILM) Retention
Management Edit Policies for Retaining Business Information Information Retention
Manager Object-Category-Specific Customizing.
5. Create minimum retention periods for each archiving object. To be able to destroy data,
you need to have first written it to an archive file temporarily. However, the storage of
data for an archiving object registered in the Information Retention Manager is only
possible if each audit area that is assigned to this object type contains at least one audit
area and at least one rule that can be applied. In this rule you need to have defined a
start time and a minimum retention period. Therefore, to archive data that must be kept,
enter the retention period and a start time in rule maintenance.
6. Use the relevant archiving objects in archive administration (transaction SARA)
to destroy personal data.
For more information about the individual archiving objects, see SAP Library for SAP
ERP and choose SAP ERP Central Component Human Resources HR Archiving.
In the Legal Holds (3246) infotype, you can state which employee data is blocked for destruction,
meaning for deletion from the database.
As a result of legal activities that have not been completed, data may have to be retained for
longer periods of time, even if its retention period has already expired and the data is to be
destroyed for data privacy reasons. You can use this infotype to ensure that data relevant for a
legal case cannot be destroyed. When the legal case is decided, the data can be further processed.
When performing archiving sessions for the destruction of data with archiving object programs,
you must therefore ensure that information on employees and activities relevant for legal cases
cannot be deleted from the database. This infotype enables you to specify legal holds for such
data relevant for legal cases.
For example, in the following situations you must ensure that the relevant data is not
deleted:
When the legal case is decided, this data can be further processed.
Structure
An entry in the Legal Holds infotype contains the following information for each employee:
Validity period with start and end date (system end date) for the legal hold
Subtype that refers to the archiving object and for which the legal hold is to be applied
The infotype text can be used to enter a detailed description for the legal hold.
Prerequisites
For each archiving object for which destruction logs are to be created, a subtype must be created
in the infotype Archived Objects. You can check this Customizing setting in the view Subtypes for
Infotype 0283 and Infotype 3246 (V_T77PAARC_SUBTY).
Groupings of subtypes can also be defined for each subtype of infotype 0283.
In Time Management, the archiving object HR: Absences (HRTIM_ABS) can be used to
destroy data from infotypes for groupings of multiple subtypes, for example, all absence
types for URLAUB (leave) or all absence types for KRANKHEIT (illness). This grouping of
absence types is saved as information in the document data record of infotype 0283. A
separate data record is created in infotype 0283 for each grouping of absence types.
Features
If the preprocessing program of the archiving object has been run and a corresponding session
has been created, a data record is created in infotype 0283. The status Flagged for Data
Destruction is set for this data record. After the delete program of the archiving object has been
run, this status is set to Destroyed.
If a personnel number is selected for data destruction as a result of the defined retention rule, but
there are no valid data records that can be destroyed, during the preprocessing phase the status
Destroyed is set immediately for this data record in the infotype 0283.
If there is a data record to be destroyed for the personnel number for which the valid-to date is
after the maximum destruction date, the status Destroyed is also set in the preprocessing phase.
For the data record of infotype 0283, the maximum destruction date is set as the valid-to date.
The data records of infotype 0283 are also used to create data blocks. This prevents data from
being created again for the period for which it was destroyed.
All absence data for an employee that is older than 3 years (for example, up to December
31, 2007) is destroyed for data privacy reasons. For the period up until December 31,
2007, no more absence data can be created retroactively for this employee.
Prerequisites
An archiving session for the destruction of data for an employee in a defined period was
started for an archiving object.
Process
1. For this employee, the system writes a data record with the related delete period to the
infotype Archived Objects (0283).
2. If relevant data is created for the employee in the delete period, for example, using
transaction PA30, the system reads infotype 0283.
Destroy until: 12/31/2005

Data record   Start date   End date
A             01/01/2002   12/31/2004
B             01/01/2003   12/31/2008
C             01/01/2002
There are three data records for three employees for maternity protection/parental leave. The end
date of two data records (A and C) is before the destruction date (Destroy Until) December 31,
2005, which means that these data records are completed. The end date of data record B is after
the Destroy Until date, which means that this record is not completed. Data destruction is
performed for data records A and C. For data record B, no data destruction is performed since
the check showed that the data record does not meet the retention rule since it is not older than 5
years. After the data destruction session has been completed, the following actions are no longer
possible due to the block on creating data:
For the period before December 31, 2005, no data on maternity protection/parental leave
can be created for these employees.
The data record that was not destroyed may not be changed.
If the infotype data records are not from Time Management, they can be delimited on
January 1, 2006.
Creating data is blocked, irrespective of which transaction you use to create data.
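
The destruction check and the resulting block on creating data, modelled in Python as an added example (not SAP code and not part of the original document). The personnel numbers, the end date of record C, and the rule that an active legal hold skips the employee entirely are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Record:
    pernr: str   # personnel number (constructed)
    label: str   # A, B, C as in the example above
    start: date
    end: date

@dataclass(frozen=True)
class LegalHold:  # simplified stand-in for an entry in infotype 3246
    pernr: str
    start: date
    end: date

def hold_active(holds, pernr, run_date):
    return any(h.pernr == pernr and h.start <= run_date <= h.end for h in holds)

def destruction_run(records, destroy_until, holds, run_date):
    """Model one destruction session for a single archiving object.

    Returns (destroyed, retained, blocks); blocks maps a personnel number
    to the date through which creating data is blocked (the infotype 0283
    delete period in this model).
    """
    destroyed, retained, blocks = [], [], {}
    for r in records:
        if hold_active(holds, r.pernr, run_date):
            retained.append(r.label)       # assumption: a hold skips the employee
            continue
        blocks[r.pernr] = destroy_until    # block applies to every processed employee
        if r.end <= destroy_until:         # record is completed
            destroyed.append(r.label)
        else:
            retained.append(r.label)
    return destroyed, retained, blocks

def may_create(blocks, pernr, start):
    """False if new data would start inside the destroyed period."""
    limit = blocks.get(pernr)
    return limit is None or start > limit

DESTROY_UNTIL = date(2005, 12, 31)
RECORDS = [  # dates from the example; end date of C and all pernr values are constructed
    Record("1001", "A", date(2002, 1, 1), date(2004, 12, 31)),
    Record("1002", "B", date(2003, 1, 1), date(2008, 12, 31)),
    Record("1003", "C", date(2002, 1, 1), date(2003, 6, 30)),
]

if __name__ == "__main__":
    print(destruction_run(RECORDS, DESTROY_UNTIL, [], date(2011, 1, 1)))
```

Passing a `LegalHold` for personnel number 1003 leaves record C in place and creates no block for that employee, which is the behaviour a legal hold is meant to guarantee in this model.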