SAP Global Physical Security
SAP PRIVACY STATEMENT
Protecting the individual’s privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter “We”, “SAP”, “Us” or “Our”) to the individual’s right to data protection and privacy. It outlines how We handle information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”).
A. General Information
Who do We mean when We say SAP in this Privacy Statement
The controller of SAP Visitor Management is identified as the appropriate legal entity for each SAP location. A list of data controllers within the APJ region can be found in Annex I. You can reach SAP Group’s data protection officer at privacy[@]sap.com.
For what purposes does SAP process your Personal Data?
To provide you with access to SAP owned or leased facilities, while ensuring the security of personnel and assets of SAP.
SAP processes your personal data in order to ensure an adequate level of security for and at SAP´s premises.
This process allows SAP to provide you with access to SAP facilities and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This allows SAP to comply with statutory obligations, including identification verification prior to or during access to any SAP-owned or leased facility.
Although providing personal data is voluntary, without your personal data, SAP cannot provide you with access to SAP-owned or leased facilities.
What categories of Personal Data does SAP process?
SAP processes the following categories of Personal Data as contact data: first name, last name, email address and telephone number.
Personal Data related to the business relationship with SAP
SAP processes the following category of Personal Data in the context of established business relationships: company name.
SAP Visitor Identity Data
SAP processes the following categories of Personal Data as visitor identity data: visit location, visit registration date and time, date and time of check-in/check-out, visitor photo, visitor Confidentiality Disclaimer signature, host name(s), visitor type, visitor sub-type and visit reason.
From what types of third parties does SAP obtain Personal Data?
In most cases, SAP collects Personal Data from you. SAP might also obtain Personal Data from a third party if the applicable national law allows SAP to do so. SAP will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided SAP with it or the applicable national law.
These third-party sources include:
SAP and/or SAP Group’s business dealings with your employer
Third parties you directed to share your Personal Data with SAP
How long does SAP store your Personal Data?
SAP does only store your Personal Data for as long as it is required to fulfill SAP’s legitimate business purposes as further described in this Privacy Statement, unless you object to SAP’s use of your Personal Data for these purposes. In these circumstances, SAP may restrict your access to SAP owned or leased facilities.
SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.
Who are the recipients of your Personal Data?
Your personal data will be passed on to the following categories of third parties to process your personal data:
Companies within the SAP Group, as this is a global organization with global security obligations
Third-party service providers, including contracted security agencies that are contracted to provide security services at SAP
SAP legal or local or federal law enforcement agencies, as the result of any corporate criminal or other security investigations
As part of a global group of companies operating internationally, SAP has affiliates (the “SAP Group”) and third-party service providers outside of the European Economic Area (the “EEA”) or from a region with a legal restriction on international data transfers and will transfer your personal data to countries outside of the EEA. If these transfers are to a country for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require that your personal data receives a level of data protection consistent with the EEA. You can obtain a copy (redacted to remove commercial or irrelevant) of such standard contractual clauses by sending a request to email@example.com. You can also obtain more information from the European Commission on the international dimension of data protection from the European Commission.
What are your data protection rights?
Right to access, correct and delete
You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. If you request from SAP to delete your Personal Data, you may not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.
Right to obtain a copy of Personal Data
If SAP uses your Personal Data based on your consent or to perform a contract with you, you can further request from SAP a copy of the Personal Data you provided to SAP. In this case, please contact [SAP-Physical-Sec-Privacy@sap.com] and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best be fulfilled.
Right to restrict
You can request from SAP to restrict your Personal Data from further processing in any of the following events:
you state the Personal Data about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data,
there is no legal basis for SAP to process your Personal Data and you demand SAP to restrict your Personal Data from further processing,
SAP no longer requires your Personal Data, but you state you require SAP to retain such data to claim or exercise legal rights or to defend against third party claims, or
in case you object to the processing of your Personal Data by SAP based on SAP’s legitimate interest (as further set out below), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
Right to object
If and to the extent SAP is processing your Personal Data based on SAP's Legitimate Interest, specifically where SAP pursues its legitimate interest to engage in SAP Visitor Registration and Identity Management, you have the right to object to such a use of your Personal Data at any time.
When you object to SAP's processing of your Personal Data for SAP Visitor Management, SAP will immediately cease to process your Personal Data for such purposes. In all other cases, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP’s compelling legitimate grounds for continued use of the information, which may override your interest in objecting, or if SAP requires the information for the establishment, exercise, or defense of legal claims.
Right to revoke consent
Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required to do so. In case SAP is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal.
Right to lodge a complaint
If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with your locally relevant data protection authority, specifically when you are located in an EEA country, or with the data protection authority of the country or state where SAP has its registered seat.
How can you exercise your data protection rights?
Please direct any requests to exercise your rights to [SAP-Physical-Sec-Privacy@sap.com]
How will SAP verify requests to exercise data protection rights?
SAP will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.
Can you use SAP’s services if you are a minor?
In general, SAP Visitor Management is not directed to children below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use SAP Visitor Management.
B. Additional Country and Regional Specific Provisions
Where SAP is subject to privacy requirements in the EU/EEA or a country with national laws equivalent to GDPR
Who is the relevant Data Protection authority?
You may find the contact details of your competent data protection supervisory authority here. SAP’s lead data protection supervisory authority is in Germany, the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg and can be reached at Lautenschlagerstraße 20, 70173 Stuttgart.
What are the legal permissions for SAP to process Personal Data?
SAP is processing your Personal Data for the business purposes set out above based on the following legal permissions:
Where We refer to GDPR Article 6.I (f), consequently SAP’s legitimate business interest as Our legal permission to process your Personal Data, SAP is pursuing its legitimate business interests
to efficiently manage and perform its business operations,
to maintain and operate intelligent and sustainable business processes in a group structure optimized for the division of labor and in the best interest of Our employees, customers, partners, and shareholders,
to operate sustainable business relationships with SAP customers and partners including you (each of which as further set out below),
serve you with the best possible user experience when using SAP Visitor Management,
comply with extraterritorial laws and regulations, or
assert or defend itself against legal claims
We believe that Our interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain processing for such purpose. In any of these cases, We duly factor into Our balancing test:
the business purpose reasonably pursued by SAP in the given case,
the categories, amount and sensitivity of Personal Data that is necessarily being processed,
the level of protection of your Personal Data which is ensured by means of Our general data protection policies, guidelines, and processes, and
the rights you have in relation to the processing activity
If you wish to obtain further information on this approach, please contact SAP-Physical-Sec-Privacy@sap.com.
How does SAP justify international data transfers?
As a global group of companies, SAP has group affiliates and uses third party service providers also in countries outside the European Economic Area (the “EEA”). SAP may transfer your Personal Data to countries outside the EEA as part of SAP’s international business operations. If We transfer Personal Data from a country in the EU or the EEA to a country outside the EEA and for which the EU Commission has not issued an adequacy decision, SAP uses the EU standard contractual clauses to contractually require the data importer to ensure a level of data protection consistent with the one in the EEA to protect your Personal Data. You may obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to privacy[@]sap.com. You may also obtain more information from the European Commission on the international dimension of data protection here.