Initial Certification: 11/2020
okadis Consulting GmbH is the manufacturer of the software tool EU-DSGVO Cockpit. This tool can be integrated into an existing SAP installation as an additional module to support GDPR compliance. With the help of the tool, users can easily get an overview of all personal data stored in SAP-based ERP systems and deploy effective restriction (blocking) and anonymisation functionalities.
The okadis EU-DSGVO Cockpit has been developed for ERP systems in the banking sector, but can also be used with other SAP applications in other industries. Its focus lies on personal data for business partner management and the associated business-related data (such as loans, posting documents or securities).
okadis EU-DSGVO Cockpit
Qualification: IT product
Version of Certification Criteria
03/11/2020 – 30/11/2022
okadis Consulting GmbH
Frankfurter Str. 80
okadis EU-DSGVO Cockpit has been specifically developed to facilitate compliance with legal provisions related to data subjects’ rights.
As the controllers for the respective processing of personal data, users are responsible for the legitimacy of such data processing.
Users can add the okadis EU-DSGVO Cockpit as a separate module to an existing SAP system. The tool facilitates the effective restriction and anonymisation of personal data. Via a decision cockpit, the user can execute filter, restriction (blocking) and anonymisation functions. The ToE (target of evaluation) uses the same data basis as the SAP system of the respective client. However, no data from the client’s SAP system is stored in the okadis EU-DSGVO Cockpit. Rather, all data remains within the SAP system itself.
To use the restriction and anonymisation functions of the ToE, personal data must be identified in the relevant services (database tables) of the client’s SAP system. In general, this may pose a challenge, since SAP systems are usually structured in such a way that each application has its own modules with its own data repository. okadis EU-DSGVO Cockpit, however, is capable of displaying personal data stemming from different SAP applications. Moreover, the tool allows for the analysis and filtering of information indicating the need for restriction of processing and deletion of personal data in compliance with data protection law and legal retention periods.
So-called decision trees represent the criteria used to determine whether personal data must be restricted and/or deleted/anonymised. okadis Consulting GmbH provides users of the ToE with a standard decision tree as a template.
Anonymisation is the means of choice for complying with Art. 17 GDPR, since deleting all relevant data in SAP systems may, e.g., corrupt referential integrity and thus lead to a high error rate in the further operation of the system. The anonymisation is performed directly by the cockpit and runs through a standardised anonymisation procedure (“random”) programmed by okadis Consulting GmbH.
It must be highlighted that the business partner numbers in SAP are not subject to the anonymisation. These numbers serve as a central ID in SAP and are automatically assigned sequentially by the SAP system. Their anonymisation would jeopardise the functionality of the SAP system, which is why they remain in the system together with the anonymised data. Users are made aware of this in a privacy hints leaflet. This leaflet makes it very clear that an export of the business partner numbers and the related personal data would bear the risk of an unlawful re-identification of anonymised data within the ToE at a later point. The leaflet asks users to refrain from such data exports and to raise the awareness of all relevant staff of this issue.
For details, please see below as well as the summary of the evaluation results provided in the short public report.
The minimum requirement for the use of the okadis EU-DSGVO Cockpit is SAP Release 740 with Support Package (SP) 0020 and the use of the SAP Business Partner (BP). The platform to be used is SAP NetWeaver.
For the blocking (restriction of processing) function, a connection to SAP ILM (information lifecycle management) with the following business functions is required:
- BUPA_ILM_BF (ILM-based blocking and deletion of business partners)
- ERP_CVP_ILM_1 (ILM-based blocking and deletion of customer and supplier master data)
- ILM_BLOCKING (general ILM blocking functionality)
- ILM (information lifecycle management)
The target of evaluation (ToE) of this certification consists of the following components:
- okadis EU-DSGVO Cockpit;
- the file “transport” provided to customers;
- the standard decision tree;
- the standard anonymisation method (“random”).
The following are not part of the ToE:
- SAP systems and their configuration at the client’s side;
- SAP ILM and ILM interface;
- modifications of the ToE by the client, e.g. regarding the decision tree or the anonymisation method;
- modifications of the ToE by way of customising;
- the deployment environment of the client;
- the implementation of the software as well as the provision of support and maintenance by okadis Consulting GmbH;
- the internet presence https://www.okadis.de;
- apps for smartphones or tablets and other products and services offered by okadis Consulting GmbH.
datenschutz cert GmbH
Dr. Irene Karper
datenschutz cert GmbH