SAP Global Physical Security 

Video Surveillance (CCTV) Privacy Statement for United Kingdom

Last updated on 12 January, 2023

 

Protecting an individual's privacy is crucial to the future of business. SAP has created this Privacy Statement to demonstrate our firm commitment to the individual's right to data protection and privacy. This Privacy Statement outlines how we handle information that can be used to directly or indirectly identify an individual.

Video surveillance installations at the SAP premises in United Kingdom

 

Video surveillance cameras (also known as closed-circuit televisions, or CCTV) are directed at viewing and / or recording the images of individuals to ensure an adequate level of security for and at a company's premises in preventing, detecting and / or investigating break-ins, destruction, or other malicious activities.

The surveillance cameras are installed:

  • at the various entry and exit points of the SAP buildings;

  • at security relevant areas in the SAP buildings;

  • at parking entrances or parking areas located at the SAP Campus;

  • at the outer area of ​​the SAP buildings within SAP Campus.

All locations where your personal data may be captured are clearly marked by warning signs.

 

 

Who is the data controller?

 

The data controller for video surveillance is identified as the appropriate legal entity for respective SAP locations in the United Kingdom. The data protection officer can be reached at privacy@sap.com .

Depending on the specific location, this will include one of the following legal entities:

  • SAP (UK) Ltd. Clockhouse Place, Bedfont Road, Feltham TW14 8HD. United Kingdom

  • Concur Technologies (UK) Ltd, Clockhouse Place, Bedfont Road, Feltham TW14 8HD. United Kingdom 

  • Emarsys UK Ltd, The Scalpel, 52 Lime Street, London. EC3M 7AF. United Kingdom

 

What personal data does SAP collect?

 

If you move about SAP's campus or access SAP's premises, we collect your images via video surveillance cameras, consisting of a recording of your activities except sound or voice. In addition, we collect a picture of your license plate in the parking areas (your "personal data").

 

 

Why does SAP need your personal data?

 

SAP processes your personal data in order to ensure an adequate level of security for and at SAP's premises.

This process allows SAP to provide you with access to SAP facilities and to ensure the security and safety of all SAP employees, suppliers, visitors, and assets across all global SAP locations. This allows SAP to comply with statutory obligations, including identification verification prior to or during access to any SAP-owned or leased facility.

Although providing personal data is voluntary, without your personal data, SAP cannot provide you with access to SAP-owned or leased facilities.

 

 

On what legal basis does SAP collect your personal data?

 

The legal basis for the collection of your personal data by SAP is based on Article 6.1 (f) of the UK GDPR (legitimate interest) as follows:

  • to control access to SAP's campus and premises;

  • to ensure adequate security for and at SAP's campus and premises;

  • to ensure the safety of SAP employees and visitors to SAP's campus and premises;

  • to prevent, deter, and if necessary, detect and investigate unauthorized physical access, including unauthorized access to secure premises and protected rooms, IT infrastructure, or operational information;

  • to prevent sabotage, theft and material damage.

You can at any time object to SAP's use of your personal data as set forth in this section by sending an email to SAP-Physical-Sec-Privacy@sap.com. In this case, SAP will carefully review your objection and cease further use of the relevant information, subject to SAP's compelling legitimate grounds for continued use of the information, which override your interest in objecting, or if SAP requires the information for the establishment, exercise or defense of legal claims.

 

In addition, SAP can use your personal data based on a legal obligation (Article 6.1 (c) of the UK GDPR or Article 9.2 (g) of the UK GDPR together with Schedule 1 paragraph 10 of the DPA 2018) to support the rightful and valid requests of public authorities for support in an investigation.

 

 

How long does SAP store my personal data?

 

SAP will store your personal data for a period of maximum 90 days. If the video surveillance recording is required for the investigation of an incident it can be kept for as long as necessary to conclude the investigation. Your personal data is securely and irreversibly deleted once the retention period expires.

 

SAP will also retain your personal data for additional periods if it is required by mandatory law to retain your personal data longer or where your personal data is required for SAP to assert or defend against legal claims, SAP will retain your personal data until the end of the relevant retention period or until the claims in question have been settled.

 

 

Who are the recipients of my personal data and where will it be processed?

 

Your personal data will be passed on to the following categories of third parties to process your personal data:

  • Companies within the SAP Group , as this is a global organization with global security obligations

  • Third-party service providers, including contracted security agencies that are contracted to provide security services at SAP

  • SAP legal or competent authorities such as law enforcement agencies, as the result of any corporate criminal or other security investigations

As part of a global group of companies operating internationally, SAP has affiliates (the “SAP Group”) and third-party service providers outside of the United Kingdom (the “UK”) or from a region with a legal restriction on international data transfers and will transfer your personal data to countries outside of the UK. If these transfers are to a country for which the UK has not issued an adequacy regulation, SAP uses the international data transfer agreement (“IDTA”) or the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (“Addendum”) to contractually require that your personal data receives a level of data protection consistent with the UK. You can obtain a copy (redacted to remove commercial or irrelevant) of these documents by sending a request to privacy@sap.com. You can also obtain more information from the Information Commissioner’s Office on the international dimension of data protection from the ICO.

 

 

What are your data protection rights?

 

At any time, you can request from SAP: access to information about which personal data SAP processes about you and the correction or deletion of such personal data. Please note that SAP can or will delete your personal data only if there is no statutory obligation or prevailing right of SAP to retain it.

 

Furthermore, you can request from SAP that SAP restricts your personal data from any further processing in any of the following events: (i) you state that the personal data SAP has about you is incorrect, subject to the time SAP requires to check the accuracy of the relevant personal data, (ii) there is no legal basis for SAP processing your personal data and you demand that SAP restricts your personal data from further processing, (iii) SAP no longer requires your personal data, but you state that you require SAP to retain such data in order to claim or exercise legal rights or to defend against third-party claims, (iv ) in case you object to the processing of your personal data by SAP based on SAP's legitimate interest (as further set out above), subject to the time required for SAP to determine whether it has a prevailing interest or legal obligation in processing your personal data .

 

Please note, however, that SAP can or will delete your personal data only if there is no statutory obligation or prevailing right of SAP to retain it.

 

Please direct any requests to exercise your rights to SAP-Physical-Sec-Privacy@sap.com .

 

 

How will SAP verify requests to exercise data protection rights?

 

SAP will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, SAP will match personal data provided by you in submitting a request to exercise your rights with information already maintained by SAP. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by SAP.

 

SAP will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law.

 

 

What are my rights to lodge a complaint?

 

If you are unhappy with how we use your data, please let us know by emailing privacy@sap.com.

 

If you take the view that SAP is not processing your personal data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can lodge a complaint at any time with the Information Commissioner’s Office (“ICO”).

 

ICO

icocasework@ico.org.uk

Telephone: 0303 123 1113

 

Information Commissioner’s Office

Wycliffe House Water Lane 

Wilmslow 

Cheshire 

SK9 5AF   

twitter pixeltwitter pixeltwitter pixeltwitter pixeltwitter pixeltwitter pixeltwitter pixeltwitter pixeltwitter pixeltwitter pixeltwitter pixeltwitter pixel