Privacy Notice for APEx

 
Released by: European Space Agency, as Data Controller
Addressed to individuals whose personal data are collected and processed
Concerning collection and processing initiated by: ESA Departments
(hereinafter referred to as the “Department”)
 

The European Space Agency (hereafter “the Agency” or “ESA” or “We”) is committed to protecting Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) available at: http://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations 
composed of: 

  • the Principles of Personal Data Protection adopted by ESA Council on 13 June 2017 
  • the Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017 
  • the Policy on Personal Data Protection (including its Annex entitled “Governance Scheme of the ESA’s Personal Data Protection”) adopted by the Director General of ESA on 1 March 2022 (“ESA PDP Policy”).

This notice is intended to describe why and how Your personal data are collected and processed by or on behalf of ESA as Data Controller, on the initiative of the ESA above-mentioned Department, as well as what rights You have in relation to Your personal data. It also informs You about the contact details of the Data Protection Officer. This privacy notice was last updated on 18/03/2024. It must be read in conjunction with the ESA PDP Framework and other privacy notices referred to herein.

 

1. How can you contact ESA regarding this notice?

The ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int. Specific information is available upon request from the DPO.

SEPARATE CONTROLLERS:    
To know the point of contact for personal data protection matters concerning separate Controllers (which are independently responsible for the collection and processing of personal data they decide upon), please refer to the privacy notices of these separate Controllers. Your queries regarding these matters will not be dealt with by ESA or its DPO.

 

2. What kinds of personal data are collected and further processed?

We collect and process various kinds of personal data and may require You to provide personal data for the purposes mentioned later in this notice. Depending on the purpose for which they are collected and further processed, the personal data may include the following:

  • Identity Data: Name, surname, gender.
  • Contact information: including Your address, email address, company address and affiliation.
  • Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using;  geolocation server logs data, log data; 
  • Other personal data that You have to the extent you made them public;
  • Other data, such as: 
    Your messages, date, and time the message was sent;
    the content of the questions you have asked;
    other data mentioned in Your messages;
    data You have made public.
  • Location Data: Country of residence; Geolocation.

 

3. How are Your personal data collected or further processed?

In addition to the personal data, We collect directly from You (e.g. if you complete and submit a form to, or for, ESA, if You use an platform, tool or website operated by ESA or on behalf of ESA, etc.), We may, depending on Your situation, collect certain personal data about You indirectly including collection of personal data from third-parties.

For instance, depending on the purpose of processing, third parties may be:

  • analytics providers or social media platforms and Your data may result from the content You post on social media You consult, from cookies deposited on Your device under the relevant terms and conditions etc.;
  • third parties (service providers of ESA, investors concerned by ESA programmes, activities or initiatives, etc.) involved in an area relevant to the purpose of processing etc.

4. Why are Your personal data collected and further processed?

We collect and process Your personal data necessary for the activities conducted to fulfil Our purpose, which is “to provide for and to promote, for exclusively peaceful purposes, cooperation among European States in space research and technology and their space applications, with a view to their being used for scientific purposes and for operational space applications systems” (as per ESA Convention). We serve the public interest, and we wish to foster the public interest in space activities and programmes.

All the processing carried out by, or on behalf of, ESA upon initiative of the above-mentioned Department falls in this general purpose and, in particular, into one of the reasons permitted under ESA PDP Framework, in particular under ESA PDP Policy.

In any case, we do not process your personal data for activities where our interests are overridden by the impact on you, unless we have your consent or are otherwise required or legally permitted.

What is the purpose of processing Your personal data?

4.1 BASIC INFORMATION  

Your personal data are collected and further processed for the following purposes:

  • Contact details and location data are processed to manage users registered for use of the APEx portal and services and to manage administration, access and security of the portal users and services. 


 

5. On what legal grounds do We collect and process Your data?

We process Your personal data pursuant to the ESA PDP Framework, in particular pursuant to Article 5 of the ESA PDP Policy, for fair, specified and legitimate purposes or for purposes compatible therewith. Other ESA Rules and Regulations may serve as legal basis, as they may be indicated to You in additional notices, as appropriate.

What are the legal basis for processing Your personal data?

5.1 General basis for processing under ESA PDP Policy

Generally, the processing referred to in this notice falls under Article 5.2.1 of the ESA PDP Policy, i.e.:

  • for the performance of an activity carried out by ESA within its purpose and in the framework of, and in conformity with, the ESA Convention, the Policy on Personal Data Protection adopted by Director General of ESA on 1 March 2022 “Agreement between the States Parties to the Convention for the establishment  of a European Space ESA and the European Space ESA for the protection and the exchange of classified information” done in Paris on 19 August 2002, and the applicable rules and procedures, including ESA Security Regulations and Directives; this includes Processing necessary for ESA’s management and functioning, Dispute Resolution Procedure, and or Investigation Procedures; or
  • for security; or
  • for the performance of a contract concluded by ESA within its purpose in 
    relation with an activity carried out by ESA in the framework of, and in conformity with, the ESA Convention and the applicable rules and procedures; 
  • for Your legitimate interest; or
  • for purposes covered by Your Consent, as it may be obtained from You as mentioned herein or under a separate document (e.g. Consent form).
     

5.2. Consent

When consent is the most appropriate lawful basis for processing, it will be requested from You and you can refuse to consent. Depending on the situation, Your consent may be given by various modalities (e.g. written form, verbally) and may in particular result from:

  • filling in paper consent forms, responding to questionnaires,
  • oral statements or gestures (e.g. a nod of the head) that signifies agreement (e.g. for instance, expressed in a video or voice recording), 
  • use of electronic means, such as mouse-click, swipe, keystroke,
  • use of a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), choosing certain settings in connection thereof,
  • filling in electronic consent forms, using digital signatures, sending email(s), sending SMS, filling in web forms for newsletter subscriptions, filling in event registration forms, responding to surveys, filling in and submitting applications, 
  • positive behaviour or action, based on the knowledge of the fact that such behaviour or action involves agreement, such as: 
    • you enter into an area covered by a privacy notice on video recording; 
    • you drop your business card in an area dedicated to collecting information for the purposes indicated in that area;
    • you publicly express opinions, make statements, create posts, share declarations, aware of the fact that each of them may trigger responses in connection with the subject matter covered by such opinions, statements, posts, declarations;
    • you send your name and address to us to obtain information from us.

When you consented to specific processing, you may withdraw the consent or exercise your rights in line with Article 9 herein. Unless otherwise advised in a separate notice or by ESA DPO, you can withdraw consent by contacting DPO@esa.int

For example: In case you provided your consent to subscribe to an activity, we may process all the data on your interests to build a profile of the topics you are interested in. If you unsubscribe, we delete retrievable personal data relating to or collected in the context of the activity from our systems and services, including the profile(s) relating to you, where ESA is Controller.

If Your data was processed for several purposes, We will not process personal data for the purposes for which consent has been withdrawn. 


6. In which circumstances may We transfer or provide access to Your personal data?

At times, it is necessary for us to disclose Your personal data to authorised recipients, to the extent this is necessary for carrying out the processing operations referred to in this notice. Typically, the third-party recipients include:

  • third party providers: We may engage various service providers such as:
    • providers in charge with the organisation and management of communication activities,
    • providers involved in the management of social media accounts, 
    • providers involved in marketing, advertising activities, managing newsletters, managing statistics and media services,
    • providers of cloud/data hosting services,
    • providers of website related services,
    • providers enabling Us to manage our contracting process,
    • providers ensuring the security of our premises,
    • providers enabling Us to provide you with working tools, etc.
       
  • partners of ESA, in relation to ESA activities and programmes and, generally, in relation to ESA mission as foreseen in ESA Convention, whether they are individuals, companies, investors, education institutions, research organisations or other legal entity;
  • ESA governing bodies and authorities and their subordinate bodies, as required by the legal framework applicable to ESA, including ESA Member States’ delegations, experts and advisors, for the purposes of performing their role in relation to the Agency, in the light of the ESA Convention and all the applicable rules and regulations;
  • other third parties interacting with ESA under a specific framework.

    These third-party recipients are generally situated in the European Union, the European Economic Area or in countries that offer an adequate level of protection equivalent to that offered within the European Union and the European Economic Area (e.g. Argentina, Canada, Japan, Switzerland, United-Kingdom).

    When the third-party data recipients are located in a country or international organisation not offering an adequate level of protection (e.g., Australia, United States, etc.), we take necessary measures to safeguard your data, in line with the conditions set forth in ESA PDP framework.

    Additionally, we may utilise services provided by IT providers or integrate social media features into our platforms. In such instances, these IT providers or social media platforms may provide links to their respective websites, where they conduct their own data processing activities. It is entirely at your discretion whether you choose to access and utilise these social media features, depending on the terms and conditions applicable to each platform. If you prefer not to engage with social media or not to accept their terms and conditions, you have the option to refrain from accessing or using these platforms. Your decision regarding social media usage is within your control. 

    In case of transfer of personal data to the United States or other countries not offering an adequate level of protection, transfer may expose You to certain risks, particularly the risk of profiling, the risk that the applicable legal framework may allow further processing of the personal data and that any given consent may not be withdrawn.

    In exceptional cases, for instance in case of a criminal offence evidenced by the collection or processing of data, we may share the said data with the appropriate authorities or bodies, including those having an investigative role or those involved in the concerned legal proceedings.

    More specifically, in the context of APEx, ESA will use two different processors as third-party providers, established within the EU, where Your data will be stored:

    1.    Open Telekom Cloud (T-Systems)
    The ESA processor, Open Telekom Cloud will store Your data for authentication and authorization purposes to access and manage APEx services with processing in Europe. The data is limited to what is necessary to ensure the proper functioning of APEx services. Open Telekom Cloud does not send Your data to any other sub-processors or third parties and does not use it for its own purposes.

    2.    ESA EOIAM (ESA)
    ESA processor, EOIAM stores Your data for authentication and authorization to access and manage APEx services. The specific data captured is outlined in its privacy policy. ESA EOIAM does not send Your data to any other sub-processors or third parties and does not use it for its own purposes. More information can be found here: https://eoiam-idp.eo.esa.int/authenticationendpoint/privacy_policy.do.

 

7. How long do We retain Your personal data for?

Your data are stored for the shortest time possible, considering the reasons why we need to process Your data, as well as all legal obligations applicable to ESA. The ESA established time limits to erase or review the data stored. Retention periods applied by the ESA are proportionate to the purposes for which they were collected. Thus, the ESA will keep Your personal data for as long as necessary for the fulfilment of those purposes and shall be deleted afterwards. By way of exception, We may keep Your personal data for a longer period, for archiving purposes in the public interest or for reasons of scientific or historical research, being reminded that appropriate technical and organisational measures are put in place (e.g. anonymisation, encryption, etc.).

 

8. How do We protect and safeguard Your personal data?

All processing operations are carried out pursuant to ESA Rules and Regulations, including ESA PDP Framework and ESA Security Regulations. In particular, the ESA collects and processes personal data in conditions protecting confidentiality, integrity and security of personal data.

In order to protect Your personal data, ESA has implemented a number of technical and organisational measures against the risks of loss as well as against unauthorised access, destruction, use, modification or disclosure of personal data, in particular when such risks concern sensitive personal data.

These measures consider the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. They may include, as appropriate, the pseudonymisation and encryption of personal data.

 

9. What are Your rights as data subject and how can you exercise them?

Under conditions detailed in the ESA PDP Framework, You have:

  • the right to be informed about the identity of the data controller, the contact details of the data protection officer, the purpose of the data processing, the data recipients to whom the personal data shall be disclosed, the rights of rectification or erasure of his/her data, the storage time-limits (if any), the practical modalities of exercising the rights, etc. ; this is the purpose of this privacy notice and any other notice referred to herein ;
  • the right to access the personal data We process about You; unless you have access to such data via an account, you may send us your request by email to dpo@esa.int;
  • the right to have Your personal data erased, rectified, completed; if you want to review and correct the personal information, you can either do it yourself, in case you have access to such data via an account, or you may send us your request by email to dpo@esa.int;
  • the right to lodge a complaint before the Supervisory authority, in accordance with the latter’s rules of procedure. In case You demonstrate, or have serious reasons to believe, that a data protection incident occurred in relation with Your personal data, following a decision of ESA, you may send notify us thereof by email to dpo@esa.int.

Once a request to erase data is received, we will ensure that the data are deleted unless it can be processed on another legal ground, as mentioned in Article 5.1 above. If Your data was processed for several purposes, We do not process personal data for the part of the processing for which consent has been withdrawn.

For instance:

  • Your personal data may continue to be processed for the performance of a legal obligation of ESA or where such data is necessary for the establishment, exercise, or defence of legal claims;
  • If there are multiple processing concerning You, based on consent, You have to expressly indicate which consent you wish to withdraw.

When the processing of Your personal data are based on Your consent and unless a specific case applies (e.g. see Article 6 above), You have also the right to withdraw Your consent.

You may wish to exercise any of the above-mentioned rights, by sending a request explicitly specifying Your query to the ESA DPO via e-mail at dpo@esa.int 
You may be asked additional information to confirm your identity and/or to assist ESA to locate the data You are seeking.

 

10. CONSENT

CONSENT FORM FOR APEx

Your consent
The processing of personal data is described in this privacy notice. Where consent is required, You may provide your consent by accepting this privacy notice (selecting the ‘I accept’ checkbox) prior to submitting the registration form. 
By registering, I accept and consent to:

    O  the processing of my Personal Data to enable my use of the APEx website and services.