ESA PRIVACY NOTICE FOR ESA EO Data Management and Operations Framework (EOF) website, workshops and document review 

Released by: European Space Agency, as Data Controller 

Addressed to individuals whose personal data are collected and processed 

Concerning collection and processing initiated by: ESA EOP Department

(hereinafter referred to as the “Department”)

The European Space Agency (hereafter “the Agency” or “ESA” or “We”) is committed to protecting Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) available at: http://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations composed of: 

  • the Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
  • the Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
  • the Policy on Personal Data Protection (including its Annex entitled “Governance Scheme of the ESA’s Personal Data Protection”) adopted by the Director General of ESA on 1 March 2022 (“ESA PDP Policy”).

This notice is intended to describe why and how Your personal data are collected and processed by or on behalf of ESA as Data Controller, on the initiative of the ESA above-mentioned Department, as well as what rights You have in relation to Your personal data. It also informs You about the contact details of the Data Protection Officer. This privacy notice was last updated on 16/09/2024. It must be read in conjunction with the ESA PDP Framework and other privacy notices referred to herein. 

ESA process your personal data to organise and manage the Workshops, Conferences, Symposia held on ESA premises or online. ESA is Controller for personal data related to selection of panellists, or selection of abstracts, when ESA processes such data. For these purposes only as well as for the purposes mentioned in Article 5 of ESA Policy on Personal Data Protection, ESA is Data Controller. ESA does not instruct any third party to conduct any web analytics, profiling, or any other processing on ESA’s behalf, other than the purposes mentioned.

Social media, LinkedIn, Twitter, external websites, etc., may be used to publish photographs, video recordings or interviews or information related to the events. These act as separate Controllers, each responsible for their personal data processing activities, please consult their privacy notices and websites for further information. You have the right to decline your participation in such processing

  • How can you contact ESA regarding this notice?

The ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int. Specific information is available upon request from the DPO.

  • What kinds of personal data are collected and further processed?

We collect and process various kinds of personal data and may require You to provide personal data for the purposes mentioned later in this notice. Depending on the purpose for which they are collected and further processed, the personal data may include the following:

Identity Data: including Your name

Contact information: including Your email address; 

Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using; geolocation server logs data, log data;

Audio-video recordings including statements: interviews: name, email address of the meeting organizer and participants, the audio and video of the meeting, including the voices and faces of the participants, the content of the chat messages and files shared during the meeting, the transcript and captions of the meeting, if enabled, the metadata of the meeting, such as the date, time, duration, and location

Other data, such as: 

  • Your messages, date, and time the message was sent;
  • the content of the questions you have asked;
  • other data mentioned in Your messages;
  • data You have made public. 


  • How are Your personal data collected or further processed?

ESA processes Your personal data by: 

  • providing a web portal for registration, document exchange and collaborative review;
  • commissioning a processor, Capgemini Technology Services SAS to manage the registration for the workshop events.

In addition to the personal data, We collect directly from You (e.g. if you complete and submit a form to, or for, ESA, if You use an platform, tool or website operated by ESA or on behalf of ESA, etc.), We may, depending on Your situation, collect certain personal data about You indirectly including collection of personal data from third-parties. For instance, depending on the purpose of processing, third parties may be analytics providers or social media platforms and Your data may result from the content You post on social media You consult, from cookies deposited on Your device under the relevant terms and conditions etc.; third parties (service providers of ESA, investors concerned by ESA programmes, activities or initiatives, etc.) involved in an area relevant to the purpose of processing etc.


  • Why are Your personal data collected and further processed? 

We collect and process Your personal data necessary for the activities conducted to fulfil Our purpose, which is “to provide for and to promote, for exclusively peaceful purposes, cooperation among European States in space research and technology and their space applications, with a view to their being used for scientific purposes and for operational space applications systems” (as per ESA Convention). We serve the public interest, and we wish to foster the public interest in space activities and programmes.

All the processing carried out by, or on behalf of, ESA upon initiative of the above-mentioned Department falls in this general purpose and, in particular, into one of the reasons permitted under ESA PDP Framework, in particular under ESA PDP Policy. 

In any case, we do not process your personal data for activities where our interests are overridden by the impact on you, unless we have your consent or are otherwise required or legally permitted.

  

  • On what legal grounds do We collect and process Your data?

We process Your personal data pursuant to the ESA PDP Framework, in particular pursuant to Article 5 of the ESA PDP Policy, for fair, specified and legitimate purposes or for purposes compatible therewith. Other ESA Rules and Regulations may serve as legal basis, as they may be indicated to You in additional notices, as appropriate.

Generally, the processing referred to in this notice falls under Article 5.2.1 of the ESA PDP Policy, i.e.:

  1. for the performance of an activity carried out by ESA within its purpose and in the framework of, and in conformity with, the ESA Convention, the Policy on Personal Data Protection adopted by Director General of ESA on 1 March 2022 “Agreement between the States Parties to the Convention for the establishment  of a European Space ESA and the European Space ESA for the protection and the exchange of classified information” done in Paris on 19 August 2002, and the applicable rules and procedures, including ESA Security Regulations and Directives; this includes Processing necessary for ESA’s management and functioning, Dispute Resolution Procedure, and or Investigation Procedures; or
  2. for security; or
  3. for purposes covered by Your Consent, as it may be obtained from You as mentioned herein or under a separate document (e.g. Consent form).
  • In which circumstances may We transfer or provide access to Your personal data?

At times, it is necessary for us to disclose Your personal data to authorised recipients, to the extent this is necessary for carrying out the processing operations referred to in this notice. Typically, the third-party recipients include:

1/ third party providers: We may engage various service providers such as:

  • providers in charge with the organisation and management of communication activities,
  • providers involved in the management of social media accounts,
  • providers involved in marketing, advertising activities, managing newsletters, managing statistics and media services,
  • providers of cloud/data hosting services,
  • providers of website related services,
  • providers enabling Us to manage our contracting process,
  • providers ensuring the security of our premises,
  • providers enabling Us to provide you with working tools, etc.

2/ partners of ESA, in relation to ESA activities and programmes and, generally, in relation to ESA mission as foreseen in ESA Convention, whether they are individuals, companies, investors, education institutions, research organisations or other legal entity;

3/ ESA governing bodies and authorities and their subordinate bodies, as required by the legal framework applicable to ESA, including ESA Member States’ delegations, experts and advisors, for the purposes of performing their role in relation to the Agency, in the light of the ESA Convention and all the applicable rules and regulations;

4/ other third parties interacting with ESA under a specific framework. 

These third-party recipients are generally situated in the European Union, the European Economic Area or in countries that offer an adequate level of protection equivalent to that offered within the European Union and the European Economic Area (e.g. Argentina, Canada, Japan, Switzerland, United-Kingdom).

When the third-party data recipients are located in a country or international organisation not offering an adequate level of protection (e.g., Australia, United States, etc.), we take necessary measures to safeguard your data, in line with the conditions set forth in ESA PDP framework. 

Additionally, we may utilise services provided by IT providers or integrate social media features into our platforms. In such instances, these IT providers or social media platforms may provide links to their respective websites, where they conduct their own data processing activities. It is entirely at your discretion whether you choose to access and utilise these social media features, depending on the terms and conditions applicable to each platform. If you prefer not to engage with social media or not to accept their terms and conditions, you have the option to refrain from accessing or using these platforms. Your decision regarding social media usage is within your control. 

In case of transfer of personal data to the United States or other countries not offering an adequate level of protection, transfer may expose You to certain risks, particularly the risk of profiling, the risk that the applicable legal framework may allow further processing of the personal data and that any given consent may not be withdrawn. 

In exceptional cases, for instance in case of a criminal offence evidenced by the collection or processing of data, we may share the said data with the appropriate authorities or bodies, including those having an investigative role or those involved in the concerned legal proceedings.


  • How long do We retain Your personal data for? 

Your data are stored for the shortest time possible, considering the reasons why we need to process Your data, as well as all legal obligations applicable to ESA. The ESA established time limits to erase or review the data stored. Retention periods applied by the ESA are proportionate to the purposes for which they were collected. Thus, the ESA will keep Your personal data for as long as necessary for the fulfilment of those purposes and shall be deleted afterwards. By way of exception, We may keep Your personal data for a longer period, for archiving purposes in the public interest or for reasons of scientific or historical research, being reminded that appropriate technical and organisational measures are put in place (e.g. anonymisation, encryption, etc.).


  • How do We protect and safeguard Your personal data? 

All processing operations are carried out pursuant to ESA Rules and Regulations, including ESA PDP Framework and ESA Security Regulations. In particular, the ESA collects and processes personal data in conditions protecting confidentiality, integrity and security of personal data. 

In order to protect Your personal data, ESA has implemented a number of technical and organisational measures against the risks of loss as well as against unauthorised access, destruction, use, modification or disclosure of personal data, in particular when such risks concern sensitive personal data.

These measures consider the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. They may include, as appropriate, the pseudonymisation and encryption of personal data.


  • What are Your rights as data subject and how can you exercise them?

Under conditions detailed in the ESA PDP Framework, You have:

  • the right to be informed about the identity of the data controller, the contact details of the data protection officer, the purpose of the data processing, the data recipients to whom the personal data shall be disclosed, the rights of rectification or erasure of his/her data, the storage time-limits (if any), the practical modalities of exercising the rights, etc. ; this is the purpose of this privacy notice and any other notice referred to herein ;
  • the right to access the personal data We process about You; unless you have access to such data via an account, you may send us your request by email to dpo@esa.int ;
  • the right to have Your personal data erased, rectified, completed; if you want to review and correct the personal information, you can either do it yourself, in case you have access to such data via an account, or you may send us your request by email to dpo@esa.int ;
  • the right to lodge a complaint before the Supervisory authority, in accordance with the latter’s rules of procedure. In case You demonstrate, or have serious reasons to believe, that a data protection incident occurred in relation with Your personal data, following a decision of ESA, you may send notify us thereof by email to dpo@esa.int.

Once a request to erase data is received, we will ensure that the data are deleted unless it can be processed on another legal ground, as mentioned in Article 5.1 above. If Your data was processed for several purposes, We do not process personal data for the part of the processing for which consent has been withdrawn. 

For instance:

  • Your personal data may continue to be processed for the performance of a legal obligation of ESA or where such data is necessary for the establishment, exercise, or defence of legal claims;
  • If there are multiple processing concerning You, based on consent, You have to expressly indicate which consent you wish to withdraw.

When the processing of Your personal data are based on Your consent and unless a specific case applies (e.g. see Article 6 above), You have also the right to withdraw Your consent. 

You may wish to exercise any of the above-mentioned rights, by sending a request explicitly specifying Your query to the ESA DPO via e-mail at dpo@esa.int

You may be asked additional information to confirm your identity and/or to assist ESA to locate the data You are seeking.


  • ESA Contractors

ESA may enter into contracts with various contractors who, with regard to Your Personal Data and depending on the contract concluded with ESA, may act either as a separate Data Controller or as a Data Processor

  • To the extent such contractor act as a separate Data Controller, the separate privacy notice of the contractor will apply for the purposes of collection and processing decided by the contractor.
  • To the extent such contractor act as a Data Processor, this privacy notice applies for the purposes of collection and processing decided by ESA.

 

  • Specific rules for children

If Your children want to interact or otherwise engage with ESA, they will often need approval from You, as their parent or legal guardian, as the child's personal data will be collected for these purposes. 

Your child will no longer need parental consent once they have reached the age of majority according to the applicable jurisdiction. We will by default ask for parental consent for any child that is under 16 years old. We may ask for your contact data (e.g. email address) to be able to verify your identity and ensure that We have your explicit consent to collect and use your child’s data.

 

CONSENT FORM FOR ESA EO Data Management and Operations Framework (EOF) website, workshops and document review 

Your consent

The processing of personal data is described in this privacy notice. Where consent is required, You may provide your consent by accepting this privacy notice (clicking the ‘Accept’ button) prior to access to the other functionalities. Note that this notice is displayed only at first connection. 

By registering, I accept and consent to:

  • the processing of my Personal Data for participation in workshops in relation to ESA EO Data Management and Operations Framework (EOF) workshops and document review;
  • the use of my contact details by ESA to invite me to future workshops, for follow-up activities;
  • the publication of presentations with my contact details in which I am included within in the ESA EO Data Management and Operations Framework (EOF) website;
  • As Speaker, I agree to be video recorded and to have this published in the ESA EO Data Management and Operations Framework (EOF) website;
  • the disclosure of my contact details to workshop participants
  • No labels