SAP Global Physical Security
SAP PRIVACY STATEMENT
Protecting the individual's privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter "We", "SAP", "Us" or "Our") to the individual`s right to data protection and privacy. It outlines how We handle information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”).
A. General Information
Video Surveillance installations at SAP Malaysia.
Video surveillance cameras (also known as closed-circuit televisions, or CCTV) are directed at viewing and/or recording the images of individuals to ensure an adequate level of security for and at a company´s premises in preventing and/or investigating break-ins, destruction, or other malicious activities.
The video surveillance cameras are installed at:
various entry and exit points of the SAP buildings/offices;
security relevant areas in the SAP buildings/offices;
The following building is in scope of this Privacy Statement:
Level 29, Menara Southpoint, Mid Valley City, Medan Syed Putra Selatan, 59200 Kuala Lumpur, Malaysia.
All locations where your personal data may be captured are clearly marked by warning signs.
Who do We mean when We say SAP in this Privacy Statement?
The data controller for video surveillance is SAP Malaysia Sdn. Bhd., Lvl29, Menara Southpoint, Medan Syed Putra Selatan, Mid Valley City, 59200 Kuala Lumpur
You can reach the data protection officer any time at privacy@sap.com.
For what purposes does SAP process your Personal Data?
SAP processes your personal data in order to ensure an adequate level of security for and at SAP´s premises.
This process allows SAP to provide you with access to SAP facilities and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This allows SAP to comply with statutory obligations, including identification verification prior to or during access to any SAP-owned or leased facility.
Although providing personal data is voluntary, without your personal data, SAP cannot provide you with access to SAP-owned or leased facilities.
What categories of Personal Data does SAP process?
If you move about SAP´s campus or access SAP´s premises, we collect your images via video surveillance cameras, consisting of a recording of your activities except sound or voice (your "personal data").
How long does SAP store your Personal Data?
SAP will store your Personal Data for a period of maximum 90 days. If the video surveillance recording is required for the investigation of an incident it can be kept for as long as necessary to conclude the investigation.
SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.
SAP has implemented technology, security features and strict policy guidelines to safeguard the privacy of users’ Personal Data.
Who are the recipients of your Personal Data and where will it be processed?
Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:
companies within the SAP Group;
third party service providers, including contracted security agencies that are contracted to provide security services at SAP, and
SAP legal or local law enforcement agencies, as the result of any corporate criminal or other security investigations.
These parties are located within and outside of Malaysia.
As part of a global group of companies operating internationally, SAP has affiliates (the “SAP Group”) and third-party service providers outside of Singapore and may transfer your Personal Data to countries outside of Singapore. SAP uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the laws of Malaysia. You can obtain a copy (redacted to remove commercial or irrelevant) of such standard contractual clauses by sending a request to privacy[@]sap.com.
What are your data protection rights?
Right to access and correct and delete
You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it.
Right to obtain a copy of Personal Data
You can further request from SAP a copy of the Personal Data you provided to SAP. In this case, please contact SAP-Physical-Sec-Privacy@sap.com and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data. SAP will carefully consider your request and discuss with you how it can best be fulfilled.
Right to restrict
You can request from SAP that SAP restricts your Personal Data from further processing in any of the following events:
you state that the Personal Data SAP has about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data;
there is no legal basis for SAP to process your Personal Data and you demand that SAP restricts your Personal Data from further processing;
SAP no longer requires your Personal Data, but you state that you require SAP to retain such data in order to claim or exercise legal rights or to defend against third party claims, or;
in case you object to the processing of your Personal Data by SAP for legitimate business purposes (as further set out below), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
Right to lodge a complaint
If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with the data protection authority of the country or state where SAP has its registered seat.
How can you exercise your data protection rights?
Please direct any requests to exercise your rights to.
Data Protection and Privacy Coordinator for Malaysia
Phone No. 60 3-2202 6000
Email address: SAP-Physical-Sec-Privacy@sap.com
How will SAP verify requests to exercise data protection rights?
SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.
Why does SAP need to use my Personal Data and on what legal basis is SAP using it?
SAP can use your personal data based on its legitimate interest exception as follows:
to control access to SAP´s campus and premises;
to ensure adequate security for and at SAP´s campus and premises;
to ensure the safety of SAP employees and visitors on SAP´s campus and premises;
to prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;
to prevent sabotage, theft and material damage.
You can at any time object to SAP’s use of your Personal Data as set forth in this section by sending an email to SAP-Physical-Sec-Privacy@sap.com. In this case, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP’s compelling legitimate grounds for continued use of the information, which override your interest in objecting, or if SAP requires the information for the establishment, exercise or defense of legal claims. In addition, SAP can use your personal data based on a legal obligation to support the rightful and valid requests of law enforcement agencies for support in an investigation.
B. Additional Country and Regional Specific Provisions
Where SAP is subject to privacy requirements in the EU/EEA or a country with national laws equivalent to GDPR
Who is the relevant Data Protection authority?
You may find the contact details of your competent data protection supervisory authority here. SAP’s lead data protection supervisory authority is in Germany, the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg and can be reached at Lautenschlagerstraße 20, 70173 Stuttgart.
What are the legal permissions for SAP to process Personal Data?
SAP is processing your Personal Data for the business purposes set out above based on the following legal permissions:
Where We refer to GDPR Article 6.I (f), consequently SAP’s legitimate business interest as Our legal permission to process your Personal Data, SAP is pursuing its legitimate business interests
to efficiently manage and perform its business operations,
to maintain and operate intelligent and sustainable business processes in a group structure optimized for the division of labor and in the best interest of Our employees, customers, partners, and shareholders,
to operate sustainable business relationships with SAP customers and partners including you (each of which as further set out below),
serve you with the best possible user experience when using SAP Visitor Management,
comply with extraterritorial laws and regulations, or
assert or defend itself against legal claims
We believe that Our interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain processing for such purpose. In any of these cases, We duly factor into Our balancing test:
the business purpose reasonably pursued by SAP in the given case,
the categories, amount and sensitivity of Personal Data that is necessarily being processed,
the level of protection of your Personal Data which is ensured by means of Our general data protection policies, guidelines, and processes, and
the rights you have in relation to the processing activity
If you wish to obtain further information on this approach, please contact SAP-Physical-Sec-Privacy@sap.com.
How does SAP justify international data transfers?
As a global group of companies, SAP has group affiliates and uses third party service providers also in countries outside the European Economic Area (the “EEA”). SAP may transfer your Personal Data to countries outside the EEA as part of SAP’s international business operations. If We transfer Personal Data from a country in the EU or the EEA to a country outside the EEA and for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require the data importer to ensure a level of data protection consistent with the one in the EEA to protect your Personal Data. You may obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to privacy@sap.com. You may also obtain more information from the European Commission on the international dimension of data protection here.