SAP Global Physical Security

 

General Information

 

Who do We mean when We say SAP in this Privacy Statement

 

The controller of VRIM is:

• SAP Australia Pty. Ltd.

  • Level 13, 1 Denison Street, North Sydney, NSW 2060, Australia

  • Level 21, 25 Grenfell Street, Adelaide, SA 5000, Australia

  • Level 20, 140 Creek Street, Brisbane, QLD 4000, Australia

  • Equinox 4, Level 3, 70 Kent Street, Deakin, ACT 2600, Australia

  • Level 23, 28 Freshwater Place, Melbourne Southbank VIC 3006, Australia

  • Level 15, 109 St. Georges Terrace, Perth, WA 6000, Australia

• Emarsys Pty. Ltd. and Concur Technologies Australia Pvt. Ltd.

  • Level 13, 1 Denison Street, North Sydney, NSW 2060, Australia

You can reach SAP Group’s data protection officer any time at privacy@sap.com.

 

For what purposes does SAP process your Personal Data?

 

We require your Personal Data in order to ensure an adequate level of safety and security for and at SAP's premises.

 

SAP may use your Personal Data for the following purposes:

• to control access to SAP's premises;

• to ensure adequate security for and at SAP's premises;

• to ensure the safety of SAP employees and visitors to SAP's premises;

• to prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;

• to prevent sabotage, theft and material damage; and

• to support the rightful and valid requests of public authorities for support in an investigation.

This process allows SAP to provide appropriate access to SAP premises and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This process supports SAP to comply with relevant duty of care as well as other applicable statutory obligations which may apply in your jurisdiction, including identification verification prior to or during access to any SAP-owned or leased premises.

Although providing Personal Data during VRIM is voluntary, without your Personal Data, SAP cannot provide you with access to SAP premises.

 

What categories of Personal Data does SAP process?

 

As a visitor to SAP’s premises, we may collect the following information.  

 

Contact Data

SAP processes the following categories of Personal Data as contact data: first name, last name, email address and telephone number.

 

Personal Data related to the business relationship with SAP (if appropriate)

SAP processes the following category of Personal Data in the context of established business relationships: company name.

 

SAP Visitor Identity Data

SAP processes the following categories of Personal Data as Visitor Identity Data: visit location, visit registration date and time, date and time of check-in/check-out,  visitor Confidentiality Disclaimer signature, host name(s), visitor type (i.e., Visitor, SAP VIP, Event), visitor sub-type (i.e., Auditor, Business Meeting, Contractor/Vendor, Customer, Event, Government, Job Interview, Personal, Sales Partner, Tenant, Training, VIP, VIP (non-SAP)) and visit reason. 

 

How long does SAP store your Personal Data?

 

SAP does only store your Personal Data for a period of one year or as long as it is required, as discussed below:

• To fulfil SAP’s legitimate purposes as further described in section II of this Privacy Statement, unless you object to SAP’s use of your Personal Data for these purposes.

Once your Personal Data is no longer needed for these purposes, SAP will take reasonable steps to either destroy or de-identify it.

 

SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. In such cases, SAP will retain your Personal Data until the end of the relevant retention period, or until the claims in question have been settled. 

 

Who are the recipients of your Personal Data?

 

Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:

• Companies within the SAP Group, as this is a global organization with global security obligations

• Third-party service providers, including contracted security agencies that are contracted to provide security services at SAP

• Law enforcement agencies, insurance companies etc. as appropriate in terms of any corporate criminal or other security investigations

SAP Group entities

As SAP is selling its products and services to its customers only via local business relationships, SAP may transfer your Personal Data to the locally relevant SAP group entity for the purpose and to the extent necessary to conduct a business relationship. Other entities of the SAP Group may also receive or gain access to Personal Data either when rendering group internal services centrally and on behalf of SAP SE and the other SAP group entities or when Personal Data is transferred to them on a respective legal basis. In these cases, these entities may process the Personal Data for the same purposes and under the same conditions as outlined in this Privacy Statement. The current list of SAP Group entities can be found here. If you would like to find out which SAP group entity is responsible for the business relationship with you or your employer, please contact Us at SAP-Physical-Sec-Privacy@sap.com.

 

What are your data protection rights?

 

Right to access and correct

You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it.

 

Right to revoke consent

Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal.

 

How can you exercise your data protection rights?

 

Please direct any requests to exercise your rights to SAP-Physical-Sec-Privacy@sap.com. In Australia, a complaint should first be made to SAP in writing as required by law. 

 

How will SAP verify requests to exercise data protection rights?

 

SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.

 

SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law. 

 

Can you use SAP’s services if you are a minor?

 

In general, the VRIM is not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use this VRIM.

 

 

Additional Country and Regional Specific Provisions

 

Where SAP is subject to privacy requirements in Australia

 

How does SAP store and secure your Personal Data?

 

Your Personal Data is stored by a third-party data storage provider, TDS (Time Data Security), in the AWS Germany (Frankfurt) Region. 

 

Employees and contractors within appropriate SAP functions are authorized to operate the system and access the information it contains. These team members are located in all regions and follow SAP Global Security (SGS) policies and procedures.  

 

 

SAP Privacy Collection Notice

 

SAP Australia Pty. Ltd., Emarsys Pty. Ltd. And Concur Technologies Australia Pvt. Ltd. (“we, our, us, SAP”) will collect your personal information, including your first name, last name, email address, company name, telephone number, visit location, visit registration date and time, date and time of check-in/check-out, visitor signature, host name(s), visitor type and visit reason.

 

We are required to collect and maintain this information in order to ensure adequate level of safety and security for and at SAP’s premises.

 

The purpose for collecting your personal information is to meet our compliance obligations, provide appropriate access to SAP premises and to ensure the safety and security of all SAP employees, suppliers, visitors, and assets.

 

If the personal information is not collected, we may not be able to provide you with access to SAP premises.

 

As SAP is part of a global organisation, we may from time-to-time disclose personal information to an SAP Group company located in another country, or to a third-party contractor located in another country for our general business purposes, including data processing and reporting. We will only do this where it is necessary or appropriate to achieve the purposes set out in this Privacy Collection Notice or SAP’s Privacy Statement.

 

We may disclose your personal information to companies within the SAP Group or a third-party contractor.

 

Your personal information may be stored by SAP or a third-party storage provider, TDS (Time Data Security). In this event, the likely location of the storage will be AWS Germany (Frankfurt) Region. When we provide your personal information to these facilities it is kept secure and is managed by our related entities in strict accordance with our Privacy Statement.

 

More detailed information about the way SAP uses and discloses your personal information is set out in the preceding Privacy Statement.

 

You may seek access or correction of your personal information. Our Privacy Statement also includes information about how you may make a complaint about how your personal information has been handled.

 

Please address all requests or questions about how we deal with your personal information and requests for access to your personal information to SAP-Physical-Sec-Privacy@sap.com.