ARIS

DATA PROTECTION (GDPR)

VERSION 10.0 - SERVICE RELEASE 18


MAY 2022
This document applies to ARIS Version 10.0 and to all subsequent releases.
Specifications contained herein are subject to change and these changes will be reported in
subsequent release notes or new editions.
Copyright © 2010 - 2022 Software AG, Darmstadt, Germany and/or Software AG USA Inc.,
Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
The name Software AG and all Software AG product names are either trademarks or
registered trademarks of Software AG and/or Software AG USA Inc. and/or its subsidiaries
and/or its affiliates and/or their licensors. Other company and product names mentioned
herein may be trademarks of their respective owners.
Detailed information on trademarks and patents owned by Software AG and/or its
subsidiaries is located at https://softwareag.com/licenses.
Use of this software is subject to adherence to Software AG's licensing conditions and terms.
These terms are part of the product documentation, located at
https://softwareag.com/licenses and/or in the root installation directory of the licensed
product(s).
This software may include portions of third-party products. For third-party copyright notices,
license terms, additional rights or restrictions, please refer to "License Texts, Copyright
Notices and Disclaimers of Third Party Products". For certain specific third-party license
restrictions, please refer to section E of the Legal Notices available under "License Terms and
Conditions for Use of Software AG Products / Copyright and Trademark Notices of Software
AG Products". These documents are part of the product documentation, located at
https://softwareag.com/licenses and/or in the root installation directory of the licensed
product(s).
Contents

1 Personal data used in ARIS products (page 1)
1.1 ARIS Administration (page 1)
1.2 ARIS databases (page 2)
1.3 ARIS document storage (page 2)
1.4 Process Governance and ARIS Process Board (page 3)
1.5 ARIS Risk and Compliance (page 4)
1.6 Collaboration (page 4)
1.7 Pictures in ARIS Administration and Collaboration (page 4)
1.8 ARIS Log Files (page 4)
1.9 PPM (page 5)

2 How to delete and anonymize personal data (page 7)
2.1 Delete user (page 8)
2.2 Anonymize User Management audit logs (page 9)
2.3 Anonymize users (ARIS databases) (page 10)
2.4 Anonymize ARIS document storage users (page 11)
2.5 Anonymize Process Governance users (page 12)
2.6 Anonymize Collaboration user (page 13)
2.7 Collect log files (ACC interface) (page 14)
2.8 Collect log files (ACC) (page 15)
2.9 Delete log files (page 16)
2.10 Specify anonymization patterns in ARIS Risk and Compliance (page 17)
2.11 Anonymize ARIS Risk and Compliance users (page 18)
2.12 Delete and anonymize user data in PPM (page 19)

3 Glossary (page 20)

4 Legal information (page 21)
4.1 Documentation scope (page 21)
4.2 Support (page 21)

1 Personal data used in ARIS products


In order to comply with the General Data Protection Regulation (GDPR (page 20)), ARIS
provides tools for anonymizing deleted users. The sections below explain:
§ Which ARIS components save information, such as IP addresses, MAC addresses, user
names, and images.
§ How to delete personal data in ARIS (page 7).

1.1 ARIS Administration


User data are centrally managed in the User Management of the ARIS Administration. When
creating users manually, the following data are mandatory:
§ User name
§ First name
§ Last name
If users are imported or synchronized using LDAP, additional personal data can be stored:
§ E-mail address
§ Telephone number
§ LDAP DN
§ ID
§ Picture
User Management creates audit logs in databases. This provides a history of changes in
function, license and access rights. For this purpose, user names and IP addresses are logged.
Even if users were deleted (page 8), user names are stored in an invisible attribute together
with the time of deletion in order to log the changes. These invisible attributes are
automatically deleted during an upgrade to a new major ARIS version. These entries can be
anonymized (page 9) for deleted users.


1.2 ARIS databases


User names are stored for several purposes for different ARIS components. Even if a user is
deleted in the User Management of the ARIS Administration (page 8), in ARIS databases the
user name stays visible in the Creator and the Last modifier model and object attributes,
and in change list descriptions. This also applies to archived models and objects. These
entries can be anonymized (page 10).

1.3 ARIS document storage


ARIS document storage stores user names for several purposes:
§ The user name of the creator of documents.
§ The user name of the document owner.
§ The user name of the person who is currently editing a document so that the document is
locked.
§ Permissions on folders for a user.
§ ARIS document storage creates audit logs in a database. User names are stored in order
to log document versions and changes in the folder history.
These entries can be anonymized (page 11) for deleted users (page 8).


1.4 Process Governance and ARIS Process Board


Process Governance stores user names for different purposes, such as the delegation history
and the execution of human tasks.
Process Governance creates audit logs in a database where user names are logged.
The data flow of an executable process step in Process Governance is described using a Data
flow diagram. It has exactly one superior object from the control flow. This means that for
objects that have multiple object occurrences in a business model, each of these object
occurrences has its own data flow diagram.
This chapter describes the input and output parameters of services used in Process
Governance and the different types of operators, constants and variables. Mandatory fields
are highlighted with a red asterisk.
The system user and the arisservice user must always have the Process Governance
administrator function privilege to execute services. The function privilege controls the
tasks that users can perform. The system user is created automatically. By default, the
system user has all function privileges. The user arisservice is created automatically. By
default, this user is assigned the Database administrator and Process Governance
administrator function privileges.
By default, no access privileges are defined in ARIS document storage. All users have access
to all folders - including the root folder - and documents. You can limit the access to
individual folders of ARIS document storage so that not all ARIS document storage users can
access all folders and their contents. Make sure that the system user and the arisservice
user have the Document administrator function privilege and access to all folders.
If a user is explicitly mapped in a data flow, the user's password must also be mapped and
must be correct. If the password or user information is missing, the arisservice user is used
regardless of whether his password has been changed or not.
The Process Governance services can write user specific data to attributes. These attribute
values can be anonymized with the help of customized reports in order to meet the
requirements of the General Data Protection Regulation (GDPR (page 20)). Please contact
your local Software AG sales organization (http://www.softwareag.com).
These entries can be anonymized (page 12) for deleted users (page 8).


1.5 ARIS Risk and Compliance


In ARIS Risk and Compliance user names are stored in object forms and lists and displayed as,
for example, Last editor, Performed by. Deleted users can be anonymized (page 18).

1.6 Collaboration
The user name is stored in Collaboration when a user creates a group, is coordinator of a
group, follows a group, likes a post, or writes a comment. These entries can be anonymized for
deleted users (page 8).

1.7 Pictures in ARIS Administration and Collaboration


If a user profile in ARIS Administration includes a picture, it is also displayed in Collaboration
and vice versa. The data of both applications is automatically synchronized.
In ARIS Administration, the picture of a user is deleted if the user is deleted in ARIS
Administration. In Collaboration, the picture of a user is deleted if the user was deleted in ARIS
Administration and anonymized (page 13).

1.8 ARIS Log Files


Many ARIS components save personal data, such as IP addresses, MAC addresses, and user
names in log files, for example, loadbalancer.log or agent.rest.operations.log. ARIS handles
log files in a cyclic way. Depending on the size or the age of a log file, new files are created
and used. Older log files remain. If problems occur during operation, you can use log files to
find and resolve errors.
In order to comply with the General Data Protection Regulation (GDPR), you can collect log
files using ACC (page 15) or the ACC interface (page 14), find personal data related to deleted
users (page 8), and manually delete or anonymize log file entries in source files.

Warning
If you delete log files (page 16), Software AG might no longer be able to support you in order to
resolve software problems.


1.9 PPM
PPM Administration stores user names and E-Mail addresses to assign user privileges in PPM.
However, the user administration for PPM is handled by ARIS Administration and already
described above. PPM log files may contain private data of ARIS users, such as IP addresses,
MAC addresses, or user names. In order to comply with the General Data Protection
Regulation (GDPR), please refer to the PPM Operation Guide. This guide explains in detail
what kind of personal data is used and stored:
User data is managed centrally in the User Management Component (UMC) of PPM. When
creating users manually, the following data is mandatory:
§ User name
§ First name
§ Last name
User data is also stored in the PPM Administration component to assign user privileges for
PPM application and the imported process data. The following additional personal data can be
stored:
§ E-Mail address
If users are imported or synchronized using LDAP, additional personal data can be stored:
§ Telephone number
§ LDAP DN
§ ID
§ Picture
The User Management Component creates audit logs in an attached database. This provides a
history of changes to functions, licenses, and access rights. For this purpose, user names and
IP addresses are logged.
Even if users were deleted, user names are stored in a hidden attribute together with the time
of deletion in order to log the changes. The hidden attributes are automatically deleted when
upgrading to a new major version of the ARIS Infrastructure. These entries can be
anonymized for deleted users.
User privileges related to PPM are managed in the PPM Administration. Here the following
information is available for each user:
Mandatory:
§ Name (User Name from above)
Optional:
§ First Name
§ Last Name
§ E-mail address
User names and IP addresses are also stored for several purposes in log files: audit and trace
logs for all components.
In addition, user names are also available in the PPM database to store the above mentioned
PPM privileges, which are not available in UMC.
As a business process monitoring and analysis tool, PPM might also import personal data from
processes extracted from external source systems such as SAP, CSV files, or database
systems. These processes might contain personal information from which you can identify a
person involved in the process monitored. This information depends on the data extracted
from the source system and is subject to the customizing model used for this source system.


2 How to delete and anonymize personal data


In order to comply with GDPR (page 20), after a defined period of time you must delete personal
data of persons no longer employed. To do so, proceed as follows:
Delete users (page 8).
Anonymize personal data stored in User Management audit logs (page 9).
Anonymize personal user data remaining in ARIS databases (page 10).
Anonymize personal user data remaining in ARIS document storage (page 11).
Anonymize personal user data remaining in Process Governance (page 12).
Anonymize personal user data remaining in Collaboration (page 13).
Specify anonymization patterns in ARIS Risk and Compliance (page 17).
Anonymize ARIS Risk and Compliance users (page 18).
Anonymize log file entries (page 4).
Delete and anonymize user data in PPM (page 19).


2.1 Delete user


Delete users when they are no longer relevant.

Prerequisite
You have the User administrator function privilege.

Warning
Do not delete your system user. Having more than one system user can avoid problems. If
your single system user was deleted accidentally, create a new one by using the superuser.
The superuser cannot be deleted.
If you delete the default users system, arisservice, and guest, the Generate, if not available
option (ARIS Administration > Configuration > User management > Users >) is
automatically disabled and the users are no longer generated at startup with the last saved
password until you manually enable the option again. The superuser can recreate the other
default users (system, arisservice, guest) if they were deleted.

Procedure
1. Click Application launcher > Administration. ARIS Administration opens.

2. Click User management. The list of users is displayed.


3. Move the mouse pointer to the relevant user name. The buttons of the available functions
are displayed.

4. Click Delete. The Confirmation dialog opens.


5. Click OK. The user data is deleted. It takes about 30 minutes until the deletion is written to
the log files.
6. To comply with GDPR (page 20), delete the log files of ARIS Administration/User
Management 30 minutes after deletion of the user data. You can find them in this path:
<Your installation folder>\ARIS<version>\server\bin\work\work_umcadmin_<size>\base\logs
7. Delete the log files.
The user data and the log files are deleted.
To delete several users at the same time, enable the check boxes for the relevant users, and
click Delete. Make sure not to enable any check boxes of default users (system,
arisservice, guest), as they cannot be deleted by bulk deletion. They can only be deleted
individually as described above. To anonymize users according to GDPR, refer to the online
help of the respective component.


2.2 Anonymize User Management audit logs


You can anonymize deleted users in audit logs according to GDPR. Please use
y-tenantmgmt.bat for Windows® operating systems and y-tenantmgmt.sh for Unix
operating systems.
Please note that you must wait at least 30 minutes after the deletion of the user from User
Management before you can start the anonymization process.

Prerequisites
§ The user was deleted in ARIS Administration.
§ ARIS must be running.
§ ARIS Server installation
§ Users need the function privileges License administrator, User administrator,
Technical configuration administrator.
§ Users need to login as superuser or they need either an ARIS Architect license or an
ARIS UML Designer license.

Procedure
1. Open a Command Prompt and navigate to:
<ARIS installation path>/server/bin/work/work_umcadmin_<your installation size, for example, s, m, or l>/tools/bin for Windows® operating systems
and
<ARIS installation path>/cloudagent/bin/work/work_umcadmin_<your installation size, for example, s, m, or l>/tools/bin for Linux operating systems.
2. Enter this command to anonymize the audit logs of each tenant you use, for example, default:
y-tenantmgmt.bat -t <URL of the server> anonymize -u <user name> -p <password> -type user
If a user group is deleted, the type is user group.
If the port used is other than the default ports 80 or 1080, add the port to the URL.
The audit logs are anonymized.


2.3 Anonymize users (ARIS databases)


Users can only be deleted (page 8) in ARIS Administration.
Even if a user is deleted in the User Management of the ARIS Administration (page 8), in ARIS
databases the user name stays visible in the Creator and the Last modifier model and object
attributes, and in change list descriptions. This also applies to archived models and objects.
You can anonymize user data according to GDPR (page 20).

Warning
Make sure to only anonymize deleted users. If you anonymize existing users, the user names
are anonymized in all attributes, such as Creator, Last modifier, and the user names in
change list descriptions.

Prerequisites
§ ARIS Server Administrator is installed.
§ You know the credentials of the superuser, or you have the Server administrator function
privilege.
§ The database must be locked for other users.

Procedure
1. Click Start > Programs > ARIS > Administration > ARIS Server Administrator 10.0 if
you accepted the program group suggested by the installation program. Under a Linux
operating system, execute the arisadm.sh shell script instead. To do so, enter: su -c
arisadm.sh aris10. The command prompt opens and ARIS Server Administrator is
launched in interactive mode.
2. Establish a connection to the server and tenant:
Syntax: server <server name>:<port number> <tenant> <user name> <password>
Example: server arissrv:1080 default system manager
3. Enter: userwipeout <dbname>|all <user>,<user>
User identifications of one or multiple users are deleted from one or all databases. The
attributes Last modifier, Creator, and the user name in change list descriptions are set to
unknown.


2.4 Anonymize ARIS document storage users


You can anonymize deleted users in ARIS document storage according to GDPR. Please use
y-admintool.bat for Windows® operating systems and y-admintool.sh for Unix operating
systems.

Prerequisites
§ The user was deleted in ARIS Administration.
§ ARIS must be running.
§ The user you want to use to execute the anonymization must have write privileges.

Procedure
1. Open a Command Prompt and navigate to:
<ARIS installation path>/server/bin/work/work_apg_< your installation size, for example,
s,m, or l>/tools/bin for Windows® operating systems
and
/home/ARIS/cloudagent/bin/work/work_apg_< your installation size, for example, s,m,
or l>/tools/bin for Linux operating systems.
2. Enter this command to anonymize the users in ARIS document storage of each tenant you
use, for example, default:
y-admintool.bat -s <URL of ARIS document storage> -t <tenant name> anonymize -u <user name> -p <password>
If the port used is other than the default ports 80 or 1080, add the port to the URL.
The users are anonymized.
Please note:
If you delete only one user from the user list or from user groups that have access to the
folder and then anonymize the folder data, all actions related to the folder data are
anonymized. This means that the anonymization does not affect the data of the deleted user
only.
Before you delete a user, get the user ID of a specific user from the user details in the user
management.
In this case, add the following parameter with y-admintool.bat or y-admintool.sh:
-ownerName <owner of the folder> -ownerType USER


2.5 Anonymize Process Governance users


You can anonymize deleted users in Process Governance data, for example, in substitution
logs or audit logs according to GDPR. All user names are replaced with anonymous. Please
use y-ageclitool.bat for Windows® operating systems and y-ageclitool.sh for Unix operating
systems. The user information in human tasks must be available for audit purposes. It must
be possible to see who executed the task when and who delegated the task to whom. So, to
delete the user information, delete the process instance after some years based on the GDPR
policy.

Prerequisites
§ The user was deleted in ARIS Administration.
§ ARIS Server is running.

Procedure
1. Open a Command Prompt and navigate to:
<ARIS installation path>/server/bin/work/work_apg_<s,m, or l>/tools/bin for Windows®
operating systems
or:
/home/ARIS/cloudagent/bin/work/work_apg_<s,m, or l>/tools/bin for Linux operating
systems.
2. Enter this command to anonymize the user in Process Governance of each tenant you use,
for example, default:
y-ageclitool.bat --apg <Process Governance endpoint> -ht <ID of the human task> -p <password of the executer> * -t <tenant name> -umc <user management endpoint> -u <user name of the executer>
The user name is replaced by the string anonymous.


2.6 Anonymize Collaboration user


You can anonymize deleted Collaboration users according to GDPR.

Prerequisites
The user was deleted in ARIS Administration.

Procedure
1. Start ARIS Cloud Controller.
ACC is a command-line tool (see ARIS Cloud Controller (ACC) Command-Line Tool.pdf) for
administrating and configuring an ARIS installation. It communicates with ARIS Agents on
all nodes.
To start ACC under a Windows operating system click Start > All Programs > ARIS >
Administration > Start ARIS Cloud Controller. If you have changed agent user
credentials you must enter the user name and/or the password.
To start ACC under a Linux operating system, execute the acc10.sh shell script instead.
To do so, enter: su -c acc10.sh aris10.
To get information about the usage of ACC commands, enter help or help <command>.
2. To anonymize, for example, the deleted y4711 user on ecp_m on the default tenant,
enter:
invoke anonymizeUser on ecp_m user.list="y4711" tenant.id="default"
Collaboration synchronizes every 24 hours. That means that the anonymization is not
immediately visible.
Activities of this Collaboration user, such as posts, comments, groups, are shown with
Anonymized user instead of the y4711 user name. If several users are anonymized, a
number is added, such as Anonymized user 2.


2.7 Collect log files (ACC interface)


If problems occur during operation, you can use log files to find and resolve errors. You can
download zipped log files related to each runnable or you can download all available log files.

Procedure
1. Open your browser and enter the URL:
syntax: http://<server name>:<port>/acc/ui
for example
http://aris10srv.eur.co.umg:1080/acc/ui
The infrastructure tenant's login dialog opens. The tenant cannot be changed. Having
performed a standard installation, the master tenant is the infrastructure tenant by
default.
2. Select the interface language.
3. Enter the system user's or the superuser's credentials.
4. Click Log in. The infrastructure tenant's node view is displayed. It gives an overview on
the node's runnables.

5. If you want to collect all log files, click More > Download log files.
6. If you want to collect log files of a specific runnable, move the mouse pointer to the
related row and click Download log file.
A ZIP archive is created that can be opened or saved.
If you cannot solve the problems and have a maintenance agreement, please send an error
description and the ZIP archives containing collected log files as well as the entire contents of
the log and config directories to the ARIS Global Support via Empower
(https://www.softwareag.com/corporate/services/support/default).


2.8 Collect log files (ACC)


If problems occur during operation, you can use log files to find and resolve errors. You can
download zipped log files related to each runnable or you can download all available log files.

Procedure
1. Start ARIS Cloud Controller.
ACC is a command-line tool (see ARIS Cloud Controller (ACC) Command-Line Tool.pdf) for
administrating and configuring an ARIS installation. It communicates with ARIS Agents on
all nodes.
To start ACC under a Windows operating system click Start > All Programs > ARIS >
Administration > Start ARIS Cloud Controller. If you have changed agent user
credentials you must enter the user name and/or the password.
To start ACC under a Linux operating system, execute the acc10.sh shell script instead.
To do so, enter: su -c acc10.sh aris10.
To get information about the usage of ACC commands, enter help or help <command>.
2. To collect log files, for example related to the abs_l runnable, enter:
collect log files for abs_l
To collect all log files, enter:
collect log files
or
collect logfiles
You can use additional parameters. To get information about the usage of ACC
commands, enter help or help <command>.
All log files are stored as a ZIP archive.
If you cannot solve the problems and have a maintenance agreement, please send an error
description and the ZIP archives containing collected log files as well as the entire contents of
the log and config directories to the ARIS Global Support via Empower
(https://www.softwareag.com/corporate/services/support/default).


2.9 Delete log files


Log files may contain private data of ARIS users, such as IP addresses, MAC addresses, or
user names. In order to comply with the General Data Protection Regulation (GDPR), you can
collect log files using ACC (page 15) or the ACC interface (page 14), find personal data related
to deleted users (page 8), and manually delete or anonymize log file entries in source files.

Warning
If you delete log files (page 16), Software AG might no longer be able to support you in order to
resolve software problems.
In order to delete all log files, you must stop the related runnables to allow unhindered access
to all files. If you do not stop the runnables, some files may be locked and cannot be deleted.

Procedure
1. Start ARIS Cloud Controller (ACC).
2. To delete log files, for example related to the abs_l runnable, enter: delete log files for
abs_l
To delete all log files, enter: delete log files or delete logfiles
All log files that are not accessed by a runnable are deleted. Log files that were not deleted
are listed.
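
Where log files must be kept for support, the manual "find and anonymize log file entries" step mentioned in this section can be scripted. The following is an added example, not part of ARIS or the Software AG documentation: it replaces a deleted user's name, IPv4 address and MAC address in collected log files and leaves everything else untouched. The log line layout, the `*.log*` file pattern for rotated files, the replacement tokens and all function names are assumptions.

```python
import ipaddress
import os
import re
import shutil
import tempfile
from pathlib import Path

# Replacement tokens are assumptions; use whatever your retention policy prescribes.
TOKENS = {"user": "anonymous", "ip": "0.0.0.0", "mac": "00:00:00:00:00:00"}

# Constructed sample lines; real ARIS log formats differ per runnable.
SAMPLE_LOG = (
    "2022-05-03 09:14:02 INFO login user=y4711 ip=10.20.30.4 mac=00-1a-2b-3c-4d-5e\n"
    "2022-05-03 09:14:05 INFO login user=y47110 ip=10.20.30.44\n"
    '2022-05-03 09:15:10 WARN 10.20.30.4 - "y4711" GET /acc/ui 200\n'
    "2022-05-03 09:16:00 INFO heartbeat node=n1\n"
)


def build_matchers(user_names=(), ip_addresses=(), mac_addresses=()):
    """Compile one (kind, regex) pair per identifier of a deleted user."""
    matchers = []
    for name in user_names:
        # Whole-token match: y4711 must not hit the different user y47110.
        matchers.append(("user", re.compile(rf"(?<!\w){re.escape(name)}(?!\w)")))
    for ip in ip_addresses:
        ip = str(ipaddress.IPv4Address(ip))  # raises ValueError on a typo
        # Do not match inside a longer dotted number such as 10.20.30.44.
        pat = rf"(?<!\d)(?<!\d\.){re.escape(ip)}(?!\d)(?!\.\d)"
        matchers.append(("ip", re.compile(pat)))
    for mac in mac_addresses:
        digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
        if len(digits) != 12:
            raise ValueError(f"not a MAC address: {mac!r}")
        octets = [digits[i:i + 2] for i in range(0, 12, 2)]
        # Accept ':' or '-' as separator and either letter case.
        pat = r"(?<![0-9a-f])" + "[:-]".join(octets) + r"(?![0-9a-f])"
        matchers.append(("mac", re.compile(pat, re.IGNORECASE)))
    return matchers


def anonymize_text(text, matchers):
    """Return (anonymized_text, findings); a finding is (line_no, kind, count)."""
    out, findings = [], []
    for line_no, line in enumerate(text.splitlines(keepends=True), start=1):
        for kind, regex in matchers:
            line, count = regex.subn(TOKENS[kind], line)
            if count:
                findings.append((line_no, kind, count))
        out.append(line)
    return "".join(out), findings


def anonymize_tree(log_dir, matchers, pattern="*.log*"):
    """Rewrite every matching file below log_dir; return {path: findings}."""
    report = {}
    # sorted() lists the files up front, so temp files created below are not visited.
    for path in sorted(Path(log_dir).rglob(pattern)):
        if not path.is_file():
            continue
        # newline="" keeps the original line endings; surrogateescape keeps odd bytes.
        with path.open(encoding="utf-8", errors="surrogateescape", newline="") as fh:
            original = fh.read()
        cleaned, findings = anonymize_text(original, matchers)
        if not findings:
            continue
        # Write next to the original and swap atomically, so an interrupted run
        # never leaves a half-written log file behind.
        fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
        with os.fdopen(fd, "w", encoding="utf-8", errors="surrogateescape",
                       newline="") as fh:
            fh.write(cleaned)
        shutil.copymode(path, tmp)
        os.replace(tmp, path)
        report[str(path)] = findings
    return report


if __name__ == "__main__":
    demo = build_matchers(["y4711"], ["10.20.30.4"], ["00:1A:2B:3C:4D:5E"])
    text, hits = anonymize_text(SAMPLE_LOG, demo)
    print(text, end="")
    for hit in hits:
        print("line %d: %s x%d" % hit)
```

Stop the related runnables before running `anonymize_tree` on source files, as described above, so that the files are not locked while they are rewritten.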


2.10 Specify anonymization patterns in ARIS Risk and Compliance

Specify anonymization patterns according to GDPR (page 20) to anonymize deleted users in
ARIS Risk and Compliance. To distinguish the anonymized users from each other, a number is
automatically added to the property value of the anonymized user ID/user name. This number
is incremented by one for each additional anonymized user.

Prerequisites
You have the System administrator role.

Procedure
1. Start ARIS Risk and Compliance.

2. Click Administration > Configuration.


3. Click System configuration. The configuration parameters are displayed.
4. To display the anonymization patterns, filter the system configuration by GDPR. The
search result displays all GDPR anonymization patterns with their current values.

5. Click Edit in the row of the parameter you want to change. The Specify parameter
value dialog opens.
6. Copy the current value to the New value box.
7. Make the relevant changes, for example, change the value that is to be displayed for the
user ID.
8. Click OK.
The changes are immediately applied and stored in the database.

Click Reset in the row of the relevant parameter to reset the default value.
Now you can anonymize (page 18) users in ARIS Risk and Compliance.


2.11 Anonymize ARIS Risk and Compliance users


Anonymize users in ARIS Risk and Compliance according to GDPR (page 20) after they were
deleted in ARIS Administration and the data in ARIS Risk and Compliance was synchronized.

Prerequisites
§ You have the System administrator role.
§ You have the ARCM administrator and the User administrator function privileges.

Procedure
1. Start ARIS Risk and Compliance.

2. Click Administration.
3. Click System management > Users. The list is displayed.

4. Select the option Yes for the Deactivated filter and click Apply filter. The
deactivated users are displayed.
5. Click the name of the user whose user data you want to anonymize. The form is displayed.

6. Click Anonymize user.


7. Click OK to confirm the dialog when you are prompted.
The user data is anonymized according to the patterns (page 17) specified.
If the anonymization patterns are changed at a later point but the same pattern must be
applied to all anonymized users, repeat the anonymization for users who were anonymized
before the pattern was changed.

Example
A dismissed employee is deleted from ARIS Administration. Then the user data in ARIS Risk
and Compliance is refreshed with user data based on ARIS Administration/User Management
(Synchronize users with ARIS Administration/User Management). The user data is
deactivated in ARIS Risk and Compliance. However, there is still data containing the name of
this user, such as objects the user edited. This user data must be anonymized.

18

2.12 Delete and anonymize user data in PPM


PPM saves personal data in the PPM database, PPM log files, and the process data itself. There
are several ways to delete or anonymize this data.
For details on deleting or anonymizing user data, see the How to delete and anonymize
personal data chapter in the PPM Operation Guide:
To comply with the GDPR, you must delete personal data of individuals who are no longer
employed after a defined period of time. Since personal data may be present in the PPM
database, PPM log files, and the process data itself, there are several ways to delete or
anonymize this data.

PPM DATABASE
Deleting a user from UMC does not automatically delete the user in PPM. You must also delete
the user in PPM. To do this, go to the PPM Administration –> User Privileges section, select
the user, and delete it. This also automatically deletes the user from the PPM database,
together with all related assignments (process access rights, favorites, etc.).

PPM LOG FILES


For some actions, PPM tracks the user ID (user name) and IP address of the executor. This
data is used to analyze and fix potential problems that occur during the system operation.
The tracked user data is stored in client-specific as well as system-specific log files. You must
delete the corresponding log files to remove the relevant personal user data.
For a detailed description of the system messages and PPM log files, see PPM Operation Guide
> chapter PPM system messages.

Warning
If you delete the log files, all logged data is lost and cannot be restored.

PROCESS DATA
You can disguise personal data embedded in the process data that is to be imported into PPM. PPM provides
functionality for encoding special attributes and fields that contain personal data to be
extracted from the source system. The data is not visible in plain text in PPM afterwards. You
can revert this pseudonymization by providing the correct encryption key in the PPM UI. The
procedure is accessible only to PPM system administrators.
Note that after importing the process data and external data into PPM, you can no longer
change the included personal data. You must configure pseudonymization before importing.

19

3 Glossary
In the glossary you will find explanations of basic technical terms.

GDPR
The General Data Protection Regulation (GDPR) protects individuals’ personal data within the
European Union. It also regulates the export of personal data outside the EU. GDPR is a
regulation by the European Parliament, the Council of the European Union, and the European
Commission.

PERSONAL DATA
Any information related to an identified or identifiable data subject, such as a natural person.

DATA PROTECTION OFFICER


Informs and advises the controller (page 20)/processor (page 20) of their obligations,
monitors compliance, provides advice, and acts as the contact for the supervisory authority.

DATA PROTECTION REPRESENTATIVE


Represents the controller (page 20)/processor (page 20) with regard to their respective
obligations under GDPR.

CONTROLLER
Determines the purpose and means of processing personal data. (Role according to article 4
of the GDPR.)

PROCESSOR
Processes personal data on behalf of the controller (page 20). (Role according to article 4 of
the GDPR.)

20

4 Legal information

4.1 Documentation scope


The information provided describes the settings and features as they were at the time of
publishing. Since documentation and software are subject to different production cycles, the
description of settings and features may differ from actual settings and features. Information
about discrepancies is provided in the Release Notes that accompany the product. Please
read the Release Notes and take the information into account when installing, setting up, and
using the product.
If you want to install technical and/or business system functions without using the
consulting services provided by Software AG, you require extensive knowledge of the system
to be installed, its intended purpose, the target systems, and their various dependencies. Due
to the number of platforms and interdependent hardware and software configurations, we
can describe only specific installations. It is not possible to document all settings and
dependencies.
When you combine various technologies, please observe the manufacturers' instructions,
particularly announcements concerning releases on their Internet pages. We cannot
guarantee proper functioning and installation of approved third-party systems and do not
support them. Always follow the instructions provided in the installation manuals of the
relevant manufacturers. If you experience difficulties, please contact the relevant
manufacturer.
If you need help installing third-party systems, contact your local Software AG sales
organization. Please note that this type of manufacturer-specific or customer-specific
customization is not covered by the standard Software AG software maintenance agreement
and can be performed only on special request and agreement.

4.2 Support
If you have any questions on specific installations that you cannot perform yourself, contact
your local Software AG sales organization
(https://www.softwareag.com/corporate/company/global/offices/default.html). To get
detailed information and support, use our websites.
If you have a valid support contract, you can contact Global Support ARIS at: +800
ARISHELP. If this number is not supported by your telephone provider, please refer to our
Global Support Contact Directory.

21

ARIS COMMUNITY
Find information, expert articles, issue resolution, videos, and communication with other ARIS
users. If you do not yet have an account, register at ARIS Community.

PRODUCT DOCUMENTATION
You can find the product documentation on our documentation website.
In addition, you can also access the cloud product documentation. Navigate to the desired
product and then, depending on your solution, go to Developer Center, User Center or
Documentation.

PRODUCT TRAINING
You can find helpful product training material on our Learning Portal.

TECH COMMUNITY
You can collaborate with Software AG experts on our Tech Community website. From here
you can, for example:
• Browse through our vast knowledge base.
• Ask questions and find answers in our discussion forums.
• Get the latest Software AG news and announcements.
• Explore our communities.
• Go to our public GitHub and Docker repositories and discover additional Software AG
resources.

PRODUCT SUPPORT
Support for Software AG products is provided to licensed customers via our Empower Portal
(https://empower.softwareag.com/). Many services on this portal require that you have an
account. If you do not yet have one, you can request it. Once you have an account, you can,
for example:
• Download products, updates and fixes.
• Add product feature requests.
• Search the Knowledge Center for technical information and tips.
• Subscribe to early warnings and critical alerts.
• Open and update support incidents.

22
