SAP Global Physical Security

Visitor Registration and Identity Management Privacy Statement at SAP premises across Hong Kong

This Privacy Statement was updated on 8 January 2024.


Protecting the individual’s privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter “We”, “SAP”, “Us” or “Our”) to the individual’s right to data protection and privacy. It outlines how We handle information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”).

Visitor registration and identity management systems at SAP are used to ensure the security of personnel and assets at SAP’s premises. 

 

 

General Information

 

Who is the data controller?

 

The data controller for visitor registration and identity management is identified as the appropriate legal entity for each SAP location. The data controllers within Hong Kong include the following:

  • Hong Kong (HKG02) 35F, Tower 2, Times Square, 1 Matheson Street - Causeway Bay, Hong Kong

The data protection officer can be reached at privacy@sap.com.

 

Employees and contractors within appropriate SAP functions are authorized to operate the system and access the information it contains. These team members are located in all regions and follow SAP Global Security (SGS) policies and procedures. 

 

What Personal Data does SAP collect?

 

As a visitor to SAP’s premises, we may collect the following information.  

 

Contact Data

SAP processes the following categories of Personal Data as contact data: first name, last name, email address and telephone number.

 

Personal Data related to the business relationship with SAP (if appropriate)

SAP processes the following category of Personal Data in the context of established business relationships: company name.

 

SAP Visitor Identity Data

SAP processes the following categories of Personal Data as visit data: visit location, visit registration date and time, date and time of check-in/check-out, visitor photo, visitor Confidentiality Disclaimer signature, host name(s), visitor type (i.e., Visitor, SAP VIP, Event), visitor sub-type (i.e., Auditor, Business Meeting, Contractor/Vendor, Customer, Event, Government, Job Interview, Personal, Sales Partner, Tenant, Training, VIP, VIP (non-SAP)) and visit reason.

 

Why does SAP need your personal data?

 

SAP processes your personal data in order to ensure an adequate level of safety and security for and at SAP's premises.

This process allows SAP to provide appropriate access to SAP premises and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This process helps SAP comply with relevant duty of care or other/statutory obligations which may apply, including identification verification prior to or during access to any SAP-owned or leased premises.

 

Although providing personal data during a visitor registration process is voluntary, without your personal data, SAP cannot provide you with access to SAP premises.

 

How long does SAP store my personal data?

 

SAP stores your Personal Data only for as long as it is required:

  • To fulfill SAP’s purposes as further described in this Privacy Statement, unless you object to SAP’s use of your Personal Data for these purposes.

SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. 

 

Who are the recipients of my personal data and where will it be processed?

 

Your personal data will be passed on to the following categories of third parties to process your personal data:

  • Companies within the SAP Group, as this is a global organization with global security obligations

  • Third-party service providers, including security agencies that are contracted to provide security services at SAP

  • Law enforcement agencies, insurance companies etc. as appropriate in terms of any corporate criminal or other security investigations

As part of a global group of companies operating internationally, SAP may transfer your personal data to countries outside of the country of collection. Data transfers outside of your home country may be subject to lawful access requests from relevant authorities in the relevant jurisdiction. Where applicable, if these transfers are to a country for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require that your personal data receives a level of data protection consistent with local standards. You can obtain a copy (redacted to remove commercial or irrelevant provisions) of such standard contractual clauses by sending a request to privacy@sap.com.

 

What are your data protection rights?

 

At any time, you can request from SAP access to information about which personal data SAP processes about you and the correction or deletion of such personal data. Please note that SAP can or will delete your personal data only if there is no statutory obligation or prevailing right of SAP to retain it.

 

Furthermore, you can request from SAP that SAP restricts your personal data from any further processing in the event SAP no longer requires your personal data, but you state that you require SAP to retain such data in order to claim or exercise legal rights or to defend against third-party claims.

 

Please note, however, that SAP can or will delete your personal data only if there is no statutory obligation or prevailing right of SAP to retain it.

 

Please direct any requests to exercise your rights to SAP-Physical-Sec-Privacy@sap.com.

 

How will SAP verify requests to exercise data protection rights?

 

SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match personal data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.

 

SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law. Visitor Registration and Identity information, by its nature, can include personal data related to many individuals which would need to be removed or redacted before any request can be processed. As this process is extremely burdensome, SAP may consider such requests as excessive by default depending on the circumstances and nature of your request.

 

What are my rights to lodge a complaint?

 

If you take the view that SAP is not processing your personal data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can lodge a complaint at any time with the relevant data protection authority.

 

Why does SAP need to use my personal data?

 

SAP can use your personal data for the following purposes:

  • to control access to SAP's premises;

  • to ensure adequate security for and at SAP's premises;

  • to ensure the safety of SAP employees and visitors to SAP's premises;

  • to prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;

  • to prevent sabotage, theft and material damage; and

  • to support the rightful and valid requests of public authorities for support in an investigation.

You can object to SAP's use of your personal data at any time as set forth in this section by sending an email to SAP-Physical-Sec-Privacy@sap.com. In this case, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP's compelling legitimate grounds for continued use of the information, which override your interest in objecting, or if SAP requires the information for the establishment, exercise, or defense of legal claims.
