If they're deemed a data processors then yes in fact they do need to care about the application of the laws. SAP has user management at least in terms of companys' own users which will likely have PII.
The personal data handled by SAP, the ERP system not the company, is very well compartementalized and accessible only need-to-know. Assuming proper user rights policies and roles are in place, but that is on SAPs client, amd not SAP themselves.
SAP runs your instance, but isn't responsible for what you do with it.