ESA title
Agency

Reporting personal data protection incidents

334 views 0 likes
ESA / About Us

The European Space Agency collects and/or processes personal data concerning various individuals, in particular – but not only – ESA staff members and personnel engaged by ESA contractors and their subcontractors. The Agency is subject to the ESA Personal Data Protection framework.

This Personal Data Protection framework explains in particular how to report a Data Protection Incident.

Mechanism for action

How to report a Data Protection Incident at ESA?

According to ESA Policy on Personal Data Protection Article 3, Incident or Data Protection Incident means any intentional or unintentional activity which violates the provisions set forth in that Policy.

According to the Annex to ESA Policy on Personal Data Protection Article I, the Data Protection Officer shall act as first point of contact concerning Personal Data matters.

To report any Data Protection Incident, here is the process to follow:

First: Make sure the elements you wish to provide are eligible for reporting, as defined above

Then: Report clearly the observed facts to the ESA Data Protection Officer (DPO), by sending an email to dpo@esa.int.

In case, as a second step, you wish to submit a complaint, you are required to comply with the Rules of Procedure for the Data Protection Supervisory Authority set forth by ESA Personal Data Protection Framework, including the following:

According to the Rules of Procedure for the Data Protection Supervisory Authority, Articles 2 and 3:

  • Before filing a complaint with the Supervisory Authority, the complainants shall inform the Agency’s function or body whose decision is concerned about their intention to file a complaint with the Supervisory Authority and the ground for such complaint and reasonably seek for an amicable resolution of the case.
  • In case the complainants and the Agency have not reached an amicable resolution of the case in a reasonable time (not exceeding two months), the complainants shall lodge their complaints with the Supervisory Authority as follows:
    • with the Registrar of the Supervisory Authority;
    • no later than three months after the date of receipt of the decision which is challenged;
    • dated and signed by the complainants;
    • identifying the decision challenged and, if possible, containing a copy thereof;
    • including a summary of the grounds and the relief claimed, together with any documentary evidence;
    • in the English or French language;
    • demonstrating that the complaint is in relation to their personal data, following a decision of the Agency or at least to justify serious reasons to believe that such incident occurred.