Privacy Statement Visitor Registration
and Identity Management
Visitor Registration and Identity Management Privacy Statement at SAP premises across the Philippines
This Privacy Statement was updated on 10 June 2024.
Protecting the individual’s privacy is crucial to the future of business. We have created this Privacy Statement to demonstrate the firm commitment of SAP (hereinafter "We", "SAP", "Us" or "Our") to the individual`s right to data protection and privacy. It outlines how SAP processes information that can be used to directly or indirectly identify an individual (hereinafter “Personal Data”). Processing in the context of this Privacy Statement means any collection, use, transmission, disclosure, erasure or any other similar operation based on Personal Data (hereinafter “Processing” or “Process”).
Visitor Registration and Identity Management systems (‘VRIM’) at SAP are used to ensure the security of personnel and assets at SAP’s premises.
General Information
Who do We mean when We say SAP in this Privacy Statement
The controller of VRIM is:
SAP Philippines, Inc.
MNL02, 27th Floor, NAC Tower, 32nd Street, Bonifacio Global City, Taguig City 1630
MNL04, 12th and 14th Floor, Robinsons Cyberscape Gamma, between Topaz & Ruby Road, Ortigas Center, Pasig City 1605
Concur (Philippines) Inc.
MNL85, 7th Floor, Alphaland Southgate Tower, 2258 Chino Roces Avenue corner Edsa, Makati City 1232
You can reach SAP data protection officer any time at privacy[@]sap.com.
For what purposes does SAP process your Personal Data?
We require your Personal Data in order to ensure an adequate level of safety and security for and at SAP's premises.
SAP may use your Personal Data for the following purposes:
to control access to SAP's premises;
to ensure adequate security for and at SAP's premises;
to ensure the safety of SAP employees and visitors to SAP's premises;
to prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;
to prevent malicious/suspicious activities, attacks and incidents, sabotage, theft, data breaches and leakages and material damage to SAP’s property and/or physical/online/virtual assets; and to support the rightful and valid requests of public authorities for support in an investigation. This process allows SAP to provide appropriate access to SAP premises and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This process supports SAP to comply with relevant security requirements requiring protection of information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction as per applicable statutory obligations which may apply in your jurisdiction.
Depending on the applicable law, the Processing of Personal Data is subject to a justification, sometimes referred to as legal basis.
SAP’s compliance with statutory obligations
SAP processes your Personal Data for the purpose of ensuring an adequate level of technical and organizational security of SAP's products, services, online events, facilities, and premises. For this, SAP will take the measures necessary to verify or maintain the quality and safety of a product or service which is owned, manufactured by or for, or controlled by SAP. This may comprise the use of Personal Data for sufficient identification and authorization of designated users, internal quality control through auditing, analysis, and research, debugging to identify and repair errors that impair existing or intended functionality, account and network security, replication for loss prevention, detecting security incidents, protection against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such kind of activity. We may further process your name, likeness, and other contact or compliance related data when you visit a local SAP affiliate or lab in the context of access management and video surveillance to protect the security and safety of Our locations and assets.
SAP and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. Applicable export laws, trade sanctions, and embargoes issued by these countries oblige SAP to prevent organizations, legal entities and other parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through SAP’s websites or other delivery channels (e.g. the European Union Sanctions List, the US sanctions lists including the Bureau of Industry and Security’s (BIS) Denied Persons Lists (DPL), the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (SDN-List) and the US DOCs Bureau of Industry and Security’s Entity Lists and the United Nations Security Council Sanctions). SAP processes Personal Data to the extent necessary to comply with these legal requirements. Specifically, SAP processes Personal Data to conduct automated checks against applicable sanctioned-party lists, to regularly repeat such checks whenever a sanctioned-party list is updated or when a user updates his or her information. In case of a potential match, SAP will block the access to SAP’s services and systems and contact the user to confirm his or her identity.
If necessary, SAP uses Personal Data to prevent or prosecute criminal activities such as any form of cybercrime, the illegal use of Our products and services or fraud, to assert Our rights or defend SAP against legal claims.
To comply with data protection and unfair competition law related requirements. Depending on the country in which the relevant SAP Group company operates, SAP may process Personal Data necessary to accommodate your data protection and privacy choices for the receipt of such information and, when necessary to ensure compliance, exchange such information with the other entities of the SAP Group.
When ensuring compliance, SAP processes your Personal Data if and to the extend necessary to fulfill legal requirements under European Union or EU Member State law to which SAP is subject, and laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations).
What categories of Personal Data does SAP process?
As a visitor to SAP’s premises, we may collect the following information.
Contact Data: SAP processes the following categories of Personal Data as contact data: first name, last name, email address and telephone number.
Personal Data related to the business relationship with SAP (if appropriate): SAP processes the following category of Personal Data in the context of established business relationships: company name.
SAP Visitor Identity Data: SAP processes the following categories of Personal Data as Visitor Identity Data: visit location, visit registration date and time, date and time of check-in/check-out, visitor Confidentiality Disclaimer signature, host name(s), visitor type (i.e., Visitor, SAP VIP, Event), visitor sub-type (i.e., Auditor, Business Meeting, Contractor/Vendor, Customer, Event, Government, Job Interview, Personal, Sales Partner, Tenant, Training, VIP, VIP (non-SAP)) and visit reason.
From What Types of Third Parties does SAP obtain Personal Data?
SAP generally aims to collect Personal Data directly from you. If you obliged by statutory law or contractual requirements to provide Personal Data to SAP and you fail to provide such Personal Data, then kindly note that SAP may not be able to provide you with the respective service and/or business relationship.
If you or applicable law allows Us to do so, We may obtain Personal Data also from Third Party which may include your employer in the context of its business relationship with SAP and/or the SAP Group.
When We collect Personal Data from Third Parties, established internal controls aim to ensure that the third-party source was permitted to provide this information to SAP and that We may use it for this purpose. SAP will treat this Personal Data according to this Privacy Statement and any additional restrictions imposed by the third party that provided the Personal Data to SAP or by applicable national law.
How long does SAP store your Personal Data?
SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. SAP does only store your Personal Data for as long as it is required:
or SAP to comply with statutory obligations to retain Personal Data, resulting inter alia e.g. from applicable export, finance, tax or commercial laws.
To fulfill SAP’s legitimate business purposes as further described in this Privacy Statement, unless you object to SAP’s use of your Personal Data for these purposes.
Who are the recipients of your Personal Data?
Your Personal Data will be passed on to the following categories of third parties to process your Personal Data:
SAP Group entities: Other entities of the SAP Group may also receive or gain access to Personal Data either when rendering group internal services centrally and on behalf of SAP SE and the other SAP group entities or when Personal Data is transferred to them on a respective legal basis. In these cases, these entities may process the Personal Data for the same purposes and under the same conditions as outlined in this Privacy Statement. The current list of SAP Group entities can be found here
Third-party service providers: TDS (Time Data Security) Ltd.
Other: Law enforcement agencies, insurance companies etc. as appropriate in terms of any corporate criminal or other security investigations.
What are your data protection rights and how can you exercise them?
SAP honors your statutory rights when it comes to the Processing of your Personal Data. To the extent provided by applicable data protection laws, you have the right to:
Access your Personal Data that we have on you, or have it updated.
Data portability of the Personal Data you provided to SAP, if SAP uses your Personal Data based on your consent or to perform a contract with you. In this case, please contact SAP-Physical-Sec-Privacy@sap.com and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. SAP will carefully consider your request and discuss with you how it can best be fulfilled.
Delete your Personal Data we hold about you. Please note, however, that SAP can or will delete your Personal Data only if there is no statutory obligation or prevailing right of SAP to retain it. If you request from SAP to delete your Personal Data, you may not be able to continue to use any SAP service that requires SAP’s use of your Personal Data.
Right to object against SAP further processing your Personal Data, if and to the extent SAP is processing your Personal Data based on its Legitimate Interest. When you object to SAP's processing of your Personal Data, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP’s compelling legitimate grounds for continued use of the Personal Data, which may override your interest in objecting, or if SAP requires the information for the establishment, exercise, or defense of legal claims.
Not to be subject to a decision based solely automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way.
Lodge a complaint to the competent supervisory authority if you are not satisfied with how SAP is processing your Personal Data. Your competent supervisory authority can be found in the country specific section.
Depending on applicable local data protection laws, your rights may be subject to deviations, limitations, or exceptions as set out in the country specific section “B. Additional Country and Regional Specific Provisions”. Please be aware, that SAP honors your statutory rights when it comes to the Processing of your Personal Data to the extent provided by applicable data protection laws.
How you can exercise your data protection rights.
Please direct any requests to exercise your rights to SAP-Physical-Sec-Privacy@sap.com.
SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.
SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.
Can you use SAP’s services if you are a minor?
In general, the VRIM is not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16 or the equivalent minimum age in the relevant jurisdiction, you cannot register with and use this VRIM.
Additional Country and Regional Specific Provisions
Where SAP is subject to privacy requirements in the Philippines
Where SAP is subject to the Philippine Data Privacy Act and its Implementing Rules and Regulations, the following applies:
When you request to update or correct your Personal Data, SAP may deny the request if it is manifestly unfounded, vexatious, or otherwise unreasonable.
When requesting the data portability of the Personal Data you provided to SAP, you must additionally specify the commonly used electronic or structured format in which you would like to receive the Personal Data.
When you request to object against the processing of your Personal Data: (i) You may do so if SAP is processing based on its Legitimate Interest. SAP will carefully review your objection and cease further use of the relevant information, unless SAP has other lawful basis for processing in Sections 12 and 13 of the Data Privacy Act. (ii)You can also object to the processing of your Personal Data for direct marketing, profiling, or in cases of automated processing where your Personal Data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect you.
You can reach out via email at to SAP-Physical-Sec-Privacy@sap.com to exercise your data protection rights.
Compensation can only be claimed when National Privacy Commission or the courts determined that you sustained damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, considering any violation of your rights and freedoms. You may likewise seek redress from the National Privacy Commission, but it must be clearly shown that you are the subject of a privacy violation, Personal Data breach, or are otherwise personally affected by a violation of the Data Privacy Act. The contact details of your local Data Protection Officer/s are as follows:
Data Protection Officer, SAP Philippines Inc., 27th Floor NAC Tower, 32nd Street Bonifacio Global City, Taguig City, 1632; email: dpo_sap.ph@sap.com; telephone number: +632-8705-2500
Data Protection Officer, Concur (Philippines) Inc., 7th Floor Alphaland Southgate Mall, Chino Roces, Makati City, email: dpo_concur.ph@sap.com; telephone number: +632-8705-2500
Data Protection Officer, SuccessFactors (Philippines) Inc., 14th and 15th Floors Cyberscape Gamma, Topaz and Ruby Roads, Ortigas Center; Pasig City, email: dpo_successfactors.ph@sap.com; telephone number: +632-8705-2500