SAP Global Physical Security 

Video Surveillance installations at the SAP premises in Australia

 

Video surveillance cameras (also known as closed-circuit televisions, or CCTV) are directed at viewing and/or recording SAP premises which may include images of individuals to ensure an adequate level of security for and at a company’s premises in preventing and/or investigating break-ins, destruction, or other malicious activities (“Video surveillance”).

The surveillance cameras are installed:

• at the various entry and exit points of the SAP buildings/offices; 

• at security relevant areas in the SAP buildings/offices; 

• at parking entrances or parking areas located at the SAP Campus; and

• at the outer area of the SAP buildings within SAP Campus.

The following buildings are in scope of this Privacy Statement:

• Sydney (SYD03) Level 13,1 Denison Street, North Sydney NSW 2060

• Melbourne Level 23, 28 Freshwater Place, Melbourne Southbank VIC 3006

• Queensland (BNE03) Level 20, 140 Creek Street, Brisbane QLD 4101

• Canberra (CBR02) Equinox 4, Level 3, 70 Kent Street, Deakin ACT 2606

• Perth (PER04) Level 15, 109 St George’s Terrace, Perth WA 6000

• Sydney (SYD1) Equinix, 47 Bourke Rd, Alexandria NSW 2015

• Sydney (SYD2) Digital Realty, 1-12 Templar Road, Erskine Park, NSW 2759

• Sydney (SYD3) Equinix, 200 Bourke Road, Alexandria, Sydney, Australia, NSW 2015

All locations where your personal data may be captured are clearly marked by warning signs.
 

 

Who do We mean when We say SAP in this Privacy Statement?

 

The data controller of the Video surveillance are SAP Australia Pty Ltd and Concur Technologies (Australia) Pty Ltd,, Level 13,1 Denison Street, North Sydney NSW 2060 (collectively, “SAP”). 

 

You can reach SAP Group’s data protection officer any time at privacy[@]sap.com.

 

 

For what purposes does SAP process your Personal Data?

 

SAP processes your personal data in order to ensure an adequate level of security for and at SAP´s premises. 

 

This process allows SAP to provide you with access to SAP facilities and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This allows SAP to comply with statutory obligations, including identification verification prior to or during access to any SAP-owned or leased facility.

 

Although providing personal data is voluntary, without your personal data, SAP cannot provide you with access to SAP-owned or leased facilities.
 

 

What categories of Personal Data does SAP process?

 

If you move about or access SAP´s premises, we collect your images via video surveillance cameras, consisting of a recording of your activities excluding sound or voice. In addition, we collect a picture of your license plate in the parking areas (your "personal data").

 

Your Personal Data is predominantly stored in Australia. However, your Personal Data may be stored in systems on our international server. In this event the likely location of the storage will be Japan. 

 

From What Types of Third Parties does SAP obtain Personal Data?

 

In most cases SAP collects Personal Data directly from you.  SAP might also obtain Personal Data from a third party, if the applicable national law allows SAP to do so. SAP will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided SAP with it or the applicable national law. These third-party sources include:

• SAP and/or SAP Group’s business dealings with your employer

How long does SAP store your Personal Data?

 

SAP will store your personal data for a period of maximum, 90 days. If the video surveillance recording is required for the investigation of an incident it can be kept for as long as necessary to conclude the investigation. 

 

SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.
 

 

Who are the recipients of your Personal Data?

 

Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:

• companies within the SAP Group;

• third party service providers, including contracted security agencies that are contracted to provide security services at SAP; and

• SAP legal or local or federal law enforcement agencies, as the result of any corporate criminal or other security investigations

How does SAP justify international data transfers?

 

As part of a global group of companies operating internationally, SAP has affiliates (the “SAP Group”) and third-party service providers outside Australia and may transfer your Personal Data to countries outside Australia. SAP uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the laws of Australia. You can obtain a copy (redacted to remove commercial or irrelevant) of such standard contractual clauses by sending a request to privacy[@]sap.com.

 

 

What are your data protection rights?

 

Right to access and correct

You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it.

 

 

How can you exercise your data protection rights?

 

Please direct any requests to exercise your rights or make a complaint to SAP-Physical-Sec-Privacy[@]sap.com or +61 2 9935 4500. We’ll deal with the matter within a reasonable time and keep you informed of the progress.

 

Right to lodge a complaint

If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with your locally relevant data protection authority, specifically when you are located in an EEA country, or with the data protection authority of the country or state where SAP has its registered seat. In Australia, a complaint should first be made to SAP as required by section 40(1A) of the Privacy Act 1988 (Cth).

 

 

How will SAP verify requests to exercise data protection rights? 

 

SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise.  When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already by SAP. 

 

SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.

 

 

How does SAP comply with reasonable security practises and procedures

 

SAP will regularly review and update its security practices and procedures to reasonably adhere to the international standards such as NIST security requirements, local law enforcement regulations and guidelines, and the appropriate physical security best practices and procedures as defined and implemented by People Protect, Global Physical Security at SAP.

 

 

SAP Privacy Collection Notice

 

SAP Australia Pty. Ltd., Emarsys Pty. Ltd. And Concur Technologies Australia Pvt. Ltd. (“we, our, us, SAP”) will collect your personal information, including your first name, last name, email address, company name, telephone number, visit location, visit registration date and time, date and time of check-in/check-out, visitor signature, host name(s), visitor type and visit reason.

 

We are required to collect and maintain this information in order to ensure adequate level of safety and security for and at SAP’s premises.

 

The purpose for collecting your personal information is to meet our compliance obligations, provide appropriate access to SAP premises and to ensure the safety and security of all SAP employees, suppliers, visitors, and assets.

 

If the personal information is not collected, we may not be able to provide you with access to SAP premises.

 

As SAP is part of a global organisation, we may from time-to-time disclose personal information to an SAP Group company located in another country, or to a third-party contractor located in another country for our general business purposes, including data processing and reporting. We will only do this where it is necessary or appropriate to achieve the purposes set out in this Privacy Collection Notice or SAP’s Privacy Statement.

 

We may disclose your personal information to companies within the SAP Group or a third-party contractor.

 

Your personal information may be stored by SAP or a third-party storage provider, TDS (Time Data Security). In this event, the likely location of the storage will be AWS Germany (Frankfurt) Region. When we provide your personal information to these facilities it is kept secure and is managed by our related entities in strict accordance with our Privacy Statement.

 

More detailed information about the way SAP uses and discloses your personal information is set out in the preceding Privacy Statement.

 

You may seek access or correction of your personal information. Our Privacy Statement also includes information about how you may make a complaint about how your personal information has been handled.

 

Please address all requests or questions about how we deal with your personal information and requests for access to your personal information to SAP-Physical-Sec-Privacy@sap.com.