SAP Global Physical Security

Visitor Registration and Identity Management Privacy Statement at SAP premises across India


This Privacy Statement was updated on 8 January 2024.

 

Protecting the individual’s privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter “We”, “SAP”, “Us” or “Our”) to the individual’s right to data protection and privacy. It outlines how We handle information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”).

 

Visitor Registration and Identity Management systems (‘VRIM’) at SAP are used to ensure the security of personnel and assets at SAP’s premises.

 

General Information

 

Who do We mean when We say SAP in this Privacy Statement

 

The controller of VRIM is:

  • SAP Labs India Private Limited
    #138, EPIP Zone, Whitefield, Bengaluru – 560 066, Karnataka, India
    RMZ NXT, 2B/2C, Sonnenahalli Village, Mahadevapura, East Taluk, Bengaluru – 560 066, Karnataka, India
    Vatika Towers, 4th Floor, Sector 54, Golf Course Road, Gurugram – 122 002, Haryana, India

  • Concur Technologies India Private Limited
    Level 3, A Block, Lakeview Building, Bagmane Tech Park, C V Raman Nagar, Bangalore – 560 093, Karnataka, India

  • SAP India Private Limited
    6th Floor, RMZ Ecoworld, 9A Campus, Sarjapur-Marathahalli Outer Ring Road, Devarabeesanahalli, Bengaluru – 560 103, Karnataka, India

You can reach SAP's data protection officer at any time at privacy@sap.com.

 

 

For what purposes does SAP process your Personal Data?

 

We require your Personal Data in order to ensure an adequate level of safety and security for and at SAP's premises.

 

SAP may use your Personal Data for the following purposes:

  • to control access to SAP's premises;

  • to ensure adequate security for and at SAP's premises;

  • to ensure the safety of SAP employees and visitors to SAP's premises;

  • to prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;

  • to prevent malicious/suspicious activities, attacks and incidents, sabotage, theft, data breaches and leakages and material damage to SAP’s property and/or physical/online/virtual assets; and

  • to support the rightful and valid requests of public authorities for support in an investigation.

This process allows SAP to provide appropriate access to SAP premises and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This process supports SAP to comply with relevant security requirements requiring protection of information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction as per applicable statutory obligations which may apply in your jurisdiction.

 

Although providing Personal Data during VRIM is voluntary, without your Personal Data, SAP cannot provide you with access to SAP premises.

 

 

What categories of Personal Data does SAP process?

 

As a visitor to SAP’s premises, we may collect the following information.  

 

Contact Data

SAP processes the following categories of Personal Data as contact data: first name, last name, email address and telephone number.

 

Personal Data related to the business relationship with SAP (if appropriate)

SAP processes the following category of Personal Data in the context of established business relationships: company name.

 

SAP Visitor Identity Data

SAP processes the following categories of Personal Data (and in some cases sensitive Personal Data) as Visitor Identity Data: visit location, visit registration date and time, date and time of check-in/check-out, visitor photo, visitor Confidentiality Disclaimer signature, host name(s), visitor type (i.e., Visitor, SAP VIP, Event), visitor sub-type (i.e., Auditor, Business Meeting, Contractor/Vendor, Customer, Event, Government, Job Interview, Personal, Sales Partner, Tenant, Training, VIP, VIP (non-SAP)) and visit reason. 

 

 

How long does SAP store your Personal Data?

 

SAP stores your Personal Data only for as long as it is required:

  • To fulfil SAP’s legitimate/specific purposes as further described in this Privacy Statement, unless you withdraw your consent to SAP’s use of your Personal Data for these purposes.

SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. 

 

 

Who are the recipients of your Personal Data?

 

Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:

  • Companies within the SAP Group, as this is a global organization with global security obligations;

  • Third-party service providers, including contracted security agencies that are contracted to provide security services at SAP;

  • Law enforcement agencies, insurance companies etc. as appropriate in terms of any corporate criminal or other security investigations.

SAP Group entities

As SAP is selling its products and services to its customers only via local business relationships, SAP may transfer your Personal Data to the locally relevant SAP group entity for the purpose and to the extent necessary to conduct a business relationship. Other entities of the SAP Group may also receive or gain access to Personal Data either when rendering group internal services centrally and on behalf of SAP SE and the other SAP group entities or when Personal Data is transferred to them respectively on applicable legal basis. In these cases, these entities may process the Personal Data for the same purposes and under the same conditions as outlined in this Privacy Statement. The current list of SAP Group entities can be found here. If you would like to find out which SAP Group entity is responsible for the business relationship with you or your employer, please contact Us at SAP-Physical-Sec-Privacy@sap.com.

 

What are your data protection rights?

 

Right to access, correct and delete/erase

You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction, updation, completion or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. If you request from SAP to delete your Personal Data, you may not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.

 

Right to revoke consent

Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal or through a Consent Manager. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain your Personal Data for legal reasons, your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal.

 

Right of grievance redressal

You can request from SAP the right to have readily available means of grievance redressal provided by SAP or a Consent Manager in respect of (a) any act or omission of SAP regarding the performance of SAP’s obligations in relation to your personal data; or (b) the exercise of your rights under the applicable law and the rules made thereunder.

 

Right to nominate

You can request from SAP the right to nominate any other individual who shall, in the event of your death or incapacity, exercise your data protection rights in accordance with the applicable law and the rules made thereunder.

 

 

How can you exercise your data protection rights?

 

Please direct any requests to exercise your rights to SAP-Physical-Sec-Privacy@sap.com.

In India, after exhausting the opportunity of redressing the right of grievance (per section VI above), you may lodge a complaint to the Data Protection Board of India. 

 

 

How will SAP verify requests to exercise data protection rights?

 

SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in the course of submitting a request in exercise of your rights under the applicable law, with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.

SAP will decline to process requests that are not required by local law to be processed or that are found to be inauthentic or submitted through impersonation. VRIM, by its nature, can include Personal Data related to many individuals.

 

 

Can you use SAP’s services if you are a minor?

 

In general, the VRIM is not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use this VRIM.
