Legal requirements

Published by Tobias Hofmann on


*** update *** A day after I published my post the Disco site received several updates. I summarized them at the end of this post. *** update ***


In the EU we are not famous for a startup culture or recognized as a place where you can find many global leading IT companies. As a compensation, the EU and the national governments are good at laws. The best-known impact of the EU on the internet experience is GDPR and the “cookie banner”. There is also Directive 2000/31/EC with article 5:

“[…] Member States shall ensure that the service provider shall render easily, directly and permanently accessible to the recipients of the service and competent authorities, at least the following information […]”, followed by a list of what must be included. This information is known as legal disclosure or impressum. The EU directive was transformed into local German law. The legal requirement is given by §5 (1) TMG:

“Service providers shall keep the following information easily recognizable, directly accessible and permanently available for commercial telemedia, which are usually offered against payment” (original German: “Diensteanbieter haben für geschäftsmäßige, in der Regel gegen Entgelt angebotene Telemedien folgende Informationen leicht erkennbar, unmittelbar erreichbar und ständig verfügbar zu halten”).

When the law was put in place, there was confusion about whether a legal disclosure is needed for everyone or just for commercial websites, and where to place it. The conclusion, and what everyone recommends, is to include a link to the legal disclosure on every page of a website. Best practice is to add it to the footer of each page. It can be placed somewhere else on the page – like the header – but the footer is the easiest option. Why on each page? It is the easiest way to fulfill the requirement of “unmittelbar erreichbar” (directly accessible). Because of this requirement, the legal disclosure cannot be login protected, or ask you to fill out a form to be able to access it. Having it 2 clicks away is also an option. It cannot be just any link name; it must be understandable to a person that the legal disclosure can be found there. Possible is a link named contact or legal information. Requiring e.g. JavaScript to reach it should also be avoided if the page otherwise loads with JavaScript disabled.

The footer is the established place to add other legally required information like the privacy statement. Having the privacy statement directly accessible is important regarding GDPR and cookie management. A user must be able to change the settings, e.g. for opt-out, and a description of how the user can do this must be provided in the data privacy document.

As you can see, hosting web sites is complicated. Companies have a certain business interest and therefore have no excuse. They have employees to take care of (legal) requirements and processes to ensure that rules are followed. The larger the company, the better the process and quality assurance when delivering content via web sites.

SAP Discovery Center

I am currently using the SAP Discovery Center more and more. It is one of the best tools provided by SAP to learn, understand, architect, and develop SAP based solutions. Although I really miss the Enterprise Architecture Explorer. I already covered the SAP Discovery Center (or as it is called by SAP: Disco). I posted some of my findings already and don’t assume I posted everything. For a service that was already shown to need more QA attention, I hoped to never come across something that raises my attention again. What got my attention this time is how Disco is implementing the legal requirements of TMG §5 (1). A one click access to the legal disclosure / impressum is not always provided. In most cases you need 2 clicks, or even more.

The Disco start page contains a footer with all the legal information. The following pages lack the footer and therefore the legal disclosure – and all other information provided in the footer, like a link to the privacy policy.

Start page:

Footer:

Legal Disclosure is a link to SAP’s impressum.

Navigating to the mission catalog shows the missions page and no footer.

Selecting a mission shows the mission page, but no footer.

To get to the legal disclosure, you first have to navigate back to the start page via Home or Disco logo link, and then find the link in the footer.

That’s 2 clicks. I am just not sure if under Home/Disco a user would expect to find the legal disclosure. I guess the missing footer on the pages is a bug. Other SAP sites have a footer that is always included. I assume adding a footer on every page is SAP standard.

Starting a mission and opening a card still stays within the 2 clicks “limit” thanks to the Disco logo link. Opening a card in the mission “Getting Started with Discovery Center Missions” brings you to a new page where you can open the card.

Note: if someone from SAP Data Privacy is reading this: YouTube video integration*

The card offers no link to Disco home, nor a footer, but still the Disco logo link at the top left. I am not sure this navigation path counts as directly accessible.

Without consequences

For those wondering what the legal consequences are: for a normal user of Disco there are few to no legal actions that can be taken. A missing legal disclosure is not a data privacy or security issue. Your personal data is not affected. Indirectly it might be something for data privacy at SAP, as with the missing footer the link to the data privacy document is also missing. That one is needed for opting in/out of cookies. But for the missing legal disclosure? A direct competitor of SAP can use the missing (?) legal disclosure to sue SAP. Might therefore be of interest for SAP shareholders, too.

Quality

Forgetting to include a footer can happen. If this is the intended behavior, I’d be interested to hear why placing the legal disclosure link only on the home page counts as directly accessible, given that the navigation name is home and not e.g., contact us. The information demanded (reminder: EU Directive 2000/31/EC Article 5 and TMG §5 (1)) needs to be directly accessible. Is having to navigate back to the home page directly accessible?

As this is the live, production version of a web site, intended for SAP customers to use, I wonder how the quality assurance process works. In general, at SAP, not specific to Disco. What keeps me thinking is the constant lack of quality delivered by SAP, especially regarding legal requirements. There is also SAP Universal ID. A service made mandatory and available for years, yet it failed to comply with legal requirements like cookie handling. And yes, SAP UID also failed to include a legal disclosure in the footer. Event websites like the one for SAP Connect failed too. The above examples are what is publicly available. They even get advertised by SAP. These are not web sites and services offered by a single person as a hobby, nor by a small company struggling with staff or budget shortage. SAP has the money, people and expertise to ensure a certain quality. These sites and services went through a publish process.

I wonder what level of quality SAP sees as acceptable. Are these QA issues just exceptions? SAP wants customers to go to their cloud offerings and go back to standard. Who assures that the quality delivered by SAP standard is better than that of their public SAP services?


* Based on some of my interactions on this topic already, I’d say that the YouTube integration violates data privacy. In the cookie preferences I stated to only accept technically required cookies. Which means: only cookies from Disco. Accessing the card gives me a range of cookies from YT. Cookies from YT are not in the list of cookies of the Disco cookie preferences. If someone from the Disco teams reads this: maybe you should talk to the people that are responsible for the SAP Connect event website (btw: hello SAP Data Privacy. I saw that the SAP Connect event website was updated to ensure it is GDPR compliant. I’d highly appreciate information from you confirming that this was done, by email, or post, fax, SMS, dove, singing telegram, something. Black hole communication is not very nice). Or to the people responsible for sap.com. That site is full of videos, just not hosted on YT.

Update: 24. Feb. 2023

The day after I published my post the Disco site received an update, addressing the legal issues discussed above. Links to the footer information are now available in the header – click the legal icon to open a menu that contains basically the same information as the footer on the home page.


The YouTube integration was changed to use YouTube's no-cookie embed. Clicking the video no longer sets cookies. This makes the cookie handling aligned with the cookie and privacy statement.


These changes came just one day after I wrote my post. Assuming the best I’d say: the Disco app had only a bug that was already being worked on. I think the cookie preference option is not in the new header menu because in both the privacy and cookie statement docs it is referred to as being in the footer.
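As an added example (not code from the post or from SAP), a small audit function that checks a page's HTML for the two problems discussed above: no recognizable link to the legal disclosure, and a YouTube embed served from youtube.com instead of the no-cookie host. The three sample pages and the embed URLs are constructed for the example and model the home, mission and card pages described in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link texts the post accepts as pointing to the legal disclosure (impressum).
LEGAL_LINK_WORDS = ("legal disclosure", "impressum", "legal information", "contact")


class _LinkFrameCollector(HTMLParser):
    """Collect (href, link text) pairs and iframe src values from one page."""

    def __init__(self):
        super().__init__()
        self.links, self.iframes = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip().lower()))
            self._href = None


def audit_page(html):
    """Return a list of findings; an empty list means the page passes both checks."""
    p = _LinkFrameCollector()
    p.feed(html)
    findings = []
    # TMG §5 (1): a recognizable link to the legal disclosure must be on the page itself.
    if not any(any(w in text for w in LEGAL_LINK_WORDS) for _, text in p.links):
        findings.append("no legal disclosure link")
    # Embeds from youtube.com set cookies; youtube-nocookie.com is the cookie-free host.
    for src in p.iframes:
        host = urlparse(src).hostname or ""
        if host == "youtube.com" or host.endswith(".youtube.com"):
            findings.append("youtube embed sets cookies: " + src)
    return findings


# Constructed sample pages (not real Disco markup) for the three cases in the post.
HOME_PAGE = '<main>Disco</main><footer><a href="/impressum">Legal Disclosure</a> <a href="/privacy">Privacy Statement</a></footer>'
MISSION_PAGE = '<a href="/">Home</a><iframe src="https://www.youtube.com/embed/CONSTRUCTED_ID"></iframe>'
CARD_PAGE = '<a href="/legal">Legal Information</a><iframe src="https://www.youtube-nocookie.com/embed/CONSTRUCTED_ID"></iframe>'
```

Run `audit_page` over every page of a site crawl to catch a missing footer before it reaches production; the mission page sample produces both findings, the other two pass.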


Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.
