Privacy Statement Visitor Registration
and Identity Management
Visitor Registration and Identity Management systems (“VRIM”) at SAP are used to ensure the security of personnel and assets at SAP’s premises.
This Privacy Statement was updated on 11 September 2024 .
Protecting the individual’s privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter “We”, “SAP”, “Us” or “Our”) to the individual’s right to data protection and privacy. It outlines how We handle information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”).
Who do We mean when We say SAP in this Privacy Statement?
The data controller of VRIM is:
SAP Malaysia Sdn Bhd, Level 29, Menara Southpoint, Mid Valley City, Medan Syed Putra Selatan, 59200 Kuala Lumpur, Malaysia.
You can reach SAP Group’s data protection officer any time at privacy[@]sap.com.
For what purposes does SAP process your Personal Data?
We require your Personal Data in order to ensure an adequate level of safety and security for and at SAP's premises.
SAP may use your Personal Data for the following purposes:
to control access to SAP's premises;
to ensure adequate security for and at SAP's premises;
to ensure the safety of SAP employees and visitors to SAP's premises;
to prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;
to prevent sabotage, theft and material damage; and
to support the rightful and valid requests of public authorities for support in an investigation.
This process allows SAP to provide appropriate access to SAP premises and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This process supports SAP to comply with relevant duty of care or other/ statutory obligations which may apply, including identification verification prior to or during access to any SAP-owned or leased premises.
Although providing Personal Data during VRIM is voluntary, without your Personal Data, SAP cannot provide you with access to SAP premises.
What categories of Personal Data does SAP process?
We may collect the following information:
Contact Data: SAP processes the following categories of Personal Data as contact data: first name, last name, email address and phone number.
Personal Data related to the business relationship with SAP (if appropriate): SAP processes the following category of Personal Data in the context of established business relationships: company name.
SAP Visitor Identity Data: SAP processes the following categories of Personal Data as Visitor Identity Data: visit location, visit registration date and time, date and time of check-in/check-out, visitor Confidentiality Disclaimer signature, visitor photograph, host name(s), visitor type (i.e., Visitor, SAP VIP, Event), visitor sub-type (i.e., Auditor, Business Meeting, Contractor/Vendor, Customer, Event, Government, Job Interview, Personal, Sales Partner, Tenant, Training, VIP, VIP (non-SAP)) and visit reason.
How long does SAP store your Personal Data?
SAP does only store your Personal Data for as long as it is required:
To fulfill SAP’s legitimate business purposes as further described in this Privacy Statement, unless you object to SAP’s use of your Personal Data for these purposes.
SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.
Who are the recipients of your Personal Data?
Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:
Companies within the SAP Group, as this is a global organization with global security obligations;
Third-party service providers, including contracted security agencies that are contracted to provide security services at SAP;
Law enforcement agencies, insurance companies etc. as appropriate in terms of any corporate criminal or other security investigations.
What are your data protection rights?
Right to access and correct and delete: You can request from SAP at any time access to information about which Personal Data SAP processes about you and, if necessary, the correction or deletion of such Personal Data. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it.
Right to obtain a copy of Personal Data: You can further request from SAP a copy of the Personal Data you provided to SAP. In this case, please contact SAP-Physical-Sec-Privacy@sap.com and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data. SAP will carefully consider your request and discuss with you how it can best be fulfilled.
Right to restrict: You can request from SAP that SAP restricts your Personal Data from further processing in any of the following events:
you state that the Personal Data SAP has about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant Personal Data;
there is no legal basis for SAP to process your Personal Data and you demand that SAP restricts your Personal Data from further processing;
SAP no longer requires your Personal Data, but you state that you require SAP to retain such data in order to claim or exercise legal rights or to defend against third party claims, or;
in case you object to the processing of your Personal Data by SAP for legitimate business purposes (as further set out below), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.
Right to revoke consent: Wherever SAP is processing your Personal Data based on your consent, you may at any time withdraw your consent by giving Us respective notice of withdrawal. In case of withdrawal, SAP will not process Personal Data subject to this consent any longer unless legally required or permitted to do so (e.g. if your Personal Data is needed by SAP do assert or defend against legal claims). In case SAP is required or permitted to retain your Personal Data for other legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law or fulfil the other purpose. However, any withdrawal has no effect on past processing of Personal Data by SAP up to the point in time of your withdrawal. Furthermore, if your use of an SAP offering requires your prior consent, SAP will no longer be able to provide the relevant service, offer or event to you after your revocation.
Right to lodge a complaint: If you take the view that SAP is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with the data protection authority of the country or state where SAP has its registered seat.
How can you exercise your data protection rights?
Written inquiries, requests or complaints can be sent to the Data Protection and Privacy Coordinator for Malaysia via email: SAP-Physical-Sec-Privacy@sap.com or can be reached via phone +60 3-2202 6000. SAP has implemented technology, security features and strict policy guidelines to safeguard the privacy of users’ Personal Data.
How will SAP verify requests to exercise data protection rights?
SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.
Can you use SAP’s services if you are a minor?
In general, the VRIM is not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use this VRIM.
Why does SAP need to use your personal data and on what legal basis is SAP using it?
SAP can use your personal data for legitimate business purposes as follows:
to control access to SAP´s campus and premises;
to ensure adequate security for and at SAP´s campus and premises;
to ensure the safety of SAP employees and visitors on SAP´s campus and premises;
to prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;
to prevent sabotage, theft and material damage.
You can reach out to Us by sending an email at SAP-Physical-Sec-Privacy@sap.com.
In addition, SAP can use your personal data based on a legal obligation to support the rightful and valid requests of law enforcement agencies for support in an investigation.
How does SAP justify international data transfers?
As part of a global group of companies operating internationally, SAP has affiliates (the “SAP Group”) and third-party service providers outside of Malaysia and may transfer your Personal Data to countries outside of Malaysia. SAP uses the EU standard contractual clauses to contractually require that your Personal Data receives a level of data protection consistent with the laws of Malaysia. You can obtain a copy (redacted to remove commercial or irrelevant) of such standard contractual clauses by sending a request to privacy[@]sap.com.
Employees and contractors within appropriate SAP functions are authorized to operate the system and access the information it contains. These team members are located in all regions and follow SAP Global Security (SGS) policies and procedures.