Privacy notice
Released by: European Space Agency, as Data Controller
Addressed to: individuals whose personal data is collected and processed
Concerning collection and processing initiated by: ESA Communication Department
European Space Agency (herein the “Agency” or “ESA” or “We”) is committed to protect Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) available at: https://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations composed by
- The Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
- The Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
- The Policy on Personal Data Protection (including its Annex “Governance Scheme of the Agency’s Personal Data Protection”) adopted by Director General of ESA on 1 March 2022 (“ESA PDP Policy”).
This notice is intended to describe why and how Your personal data are collected and processed by, or on behalf of, the Agency, as Data Controller, upon initiative of ESA Communication Department, as well as what rights You have in relation to Your personal data. It also informs You about the contact details of the Data Protection Officer. This privacy notice was last updated on 18/10/2023. It must be read in conjunction with the ESA PDP Framework and other privacy notices referred to herein.
(1) What are the relevant contact details for this notice?
ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int. As the collection and processing concerned by this notice is performed upon initiative of the ESA Communications Department, questions may also be addressed to the e-mail address: commppdp@esa.int.
(2) What kind of personal data are collected and further processed?
We collect and process a variety of Your personal data and may require You to provide personal data for the purposes mentioned further below. Depending on the purpose for which they are collected and further processed, the personal data may include:
- Identity Data: including names, date of birth, passport number or other official identity number, gender indication, nationality, marital status;
- Contact information: including address, email address and telephone number;
- Professional information: including job title, email address, phone number and addresses,;
- Professional career data: including your previous positions and professional experience;
- Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser type and version, uniform resource identifier (URI) address, time zone setting and location, browser plug-in types and versions, ESA or other operating system and platform and other technology on the devices you are using – collected when you access our Website, our electronic portals and platforms which we offer or which we have agreed with you to use or made available to you where you have agreed to their use; logs;
- Photo: including photographs, likeness, image;
- Audio-video recording, statements, interviews;
- CCTV (“close circuit television”) and physical security data: CCTV footage and other information relating to access of our facilities obtained through electronic means,
- Financial data: bank account number, payment card details;
- Social media data: when you are an user of social media and depending on the circumstances or the social media in question, the personal data that we may collect are derived from:
- Your user profile, e.g. Your profile picture published on social media, your pseudonym, nickname or avatar),
- Your interactions (e.g. interacting with a story, following or unfollowing a web page, linking or unlinking a web page or post, recommending a web page, sharing a post, reacting to a web page or a post, commenting a web page or a post, or other action related to a specific topic, network and /or connection) on the social media or other information related to your habits, hobbies, interests, professional and educational background etc
- Your online identifiers, including Technical Data related to your social media use;
- personal data processed via third-party platform, app or a website (connected to social media platform) that may be obtained when a user visits or uses their services;
- the audiovisual content that might be published on the social media platforms; this may include information in or about the content provided by a user (e.g., metadata), such as the location / date of a photo, voice recordings, video recordings, or an image of a data subject
- other personal information You may disclose via the social media or in the use thereof.
- Other personal information You may provide, in particular content of exchanges with the Agency, as for instance dietary preferences, assistance data;
- Other personal data, to the extent you made them public;
- Other data, such as :
- Your messages, date, and time the message has been sent;
- the content of the questions you asked
- other data mentioned in Your messages,
- data You made public.
(3) How are Your personal data collected or further processed?
In addition to the personal data, We collect directly from You (e.g. you fill in a form submitted by, or for, ESA), We may, depending on Your situation, collect certain personal data about You indirectly by various means. This includes collection of personal data from availably sources or from third parties, including from analytics providers or from social media platforms (e.g., from the content you post on your social media, cookies deposited on your device if you have accepted their deposit etc.).
(4) Why are Your personal data collected and further processed?
We collect and process Your personal data because it is necessary for the activities conducted to fulfil Our purpose, which is “to provide for and to promote, for exclusively peaceful purposes, cooperation among European States in space research and technology and their space applications, with a view to their being used for scientific purposes and for operational space applications systems” (as per ESA Convention). We serve the public interest, and we wish to foster the public interest in space activities and programmes.
All the processing carried out by, or on behalf of, the Agency upon initiative of the Communication Department falls in this general purpose and, in particular, into one of the reasons permitted under ESA PDP Framework, in particular under ESA PDP Policy.
In any case, we do not use your personal data for activities where our interests are overridden by the impact on you, unless we have your consent or are otherwise required or legally permitted.
You will find more information on this matter in the below.
What is the purpose of processing Your personal data? |
4.1 IF YOU ARE A (PROSPECTIVE) PARTICIPANT TO AN EVENT Your personal data is collected and further processed for the following purposes:
Any CCTV and security data are collected and processed in order to ensure that only authorised persons enter into the event premises and to be able to take the necessary actions to protect the legitimate interests of the Agency, of the participants, including You. |
4.2 IF YOU ARE A SPEAKER TO AN EVENT Your personal data is collected and further processed for all the purposes mentioned in 4.1 above, which more particularly includes:
|
4.3 IF YOU SUBSCRIBED TO ESA COMMUNICATION NEWSLETTERS OR OTHERWISE EXPRESSED YOUR INTEREST IN RECEIVING INFORMATION RELATED TO ESA ACTIVITIES AND PROGRAMMES Your personal data is collected and further processed for the following purposes:
|
4.4 IF YOU ARE VISITING ESA WEBSITE(S) Informing the broad public (including raising awareness about ESA activities among the general public in ESA Member States) and qualitative media monitoring, including monitoring and analysis of website use, traffic and interactions are public service tasks related to ESA mission as resulting from the ESA Convention. Your personal data are collected and further processed as necessary for the performance of such tasks. Your personal data - collected and/or processed either directly by the Agency or by third-party companies, for the Agency - is used by or for the Agency for the communication activities, such as sending e-mails and invitations (this entails the management of contact lists for correspondence), for statistical and analytical purposes and, generally, for the promotion of the Agency’s communication campaigns and related activities and programmes. In particular, Your personal data is collected and further processed for the following purposes:
In the use of ESA websites You may find information (e.g., links to) third party websites that will be governed by separate Terms and Conditions. In case of voluntary registration and use of such third- party websites, their applicable terms and conditions and privacy policies will apply and the Agency has no control thereof. The use of third-party websites accessible via information present on ESA websites does not entail endorsement by ESA of the related terms and conditions or of their privacy policies. |
4.5 IF YOU ARE USING SOCIAL MEDIA OR INTERACTING WITH ESA ACCOUNT(S) ON SOCIAL MEDIA Informing the broad public (including raising awareness about ESA activities among the general public in ESA Member States) and qualitative media monitoring, including monitoring and analysis of social media activities are public service tasks related to ESA mission as resulting from the ESA Convention. Your personal data are collected and further processed as necessary for the performance of such tasks. The processing of your social media personal data follows Your voluntary registration and use of social media (including forums, blogs, related APIs) and Your voluntary acceptance of their applicable terms and conditions and privacy policies, over which the Agency has no control. The use of social media by ESA does not entail endorsement by ESA of the related terms and conditions or of their privacy policies. Your social media personal data - collected and processed either directly by the Agency or by third-party companies, for the Agency or for the social media platforms - is used by or for the Agency for the communication activities, such as coordinating social media presence, for sending e-mails and invitations (this entails the management of contact lists for correspondence), for statistical and analytical purposes and, generally, for the promotion of the Agency’s communication campaigns and related activities and programmes. In particular, Your personal data is collected and further processed for the following purposes:
|
4.6 IF YOU ARE A MEMBER OF THE PRESS OR ANY MEDIA OUTLET REPRESENTATIVES In particular, Your personal data is collected and further processed for the following purposes:
|
4.7 IF YOU FORMULATED A REQUEST OR A COMPLAINT IN THE EXERCISE OF YOUR RIGHTS In particular, Your personal data is collected and further processed for the following purposes:
|
4.8 IF YOU SUBMIT ANY OF OUR ONLINE FORMS ESA has online forms to allow external entities to request for specific permissions or licenses. When you submit one of these forms to ESA, Your personal data might be processed for the following purposes:
|
4.9 IF YOU FORMULATED A REQUEST OR A COMPLAINT IN THE EXERCISE OF YOUR RIGHTS In particular, Your personal data is collected and further processed for the following purposes:
|
4.10 IF YOU USE ESA INFORMATION AND COMMUNICATION TECHNOLOGY (IT) INFRASTRUCTURE, TOOLS, AND SERVICES (OPERATED BY ESA OR ON BEHALF OF ESA) Your personal data may be collected and further processed for the following purposes of enabling the Agency to comply with its obligations under the ESA Personal Data Protection Framework, in particular:
|
(5) On what legal grounds do We collect and process Your data?
We process Your personal data pursuant to the ESA PDP Framework, in particular pursuant to Article 5 of the ESA PDP Policy, for fair, specified and legitimate purposes or for purposes compatible therewith. Other ESA Rules and Regulations may serve as legal basis, as they may be indicated to You in additional notices, as appropriate.
What are the legal grounds for processing Your personal data? |
5.1 General grounds for processing under ESA PDP Policy Generally, the processing referred to in this notice falls under Article 5.2.1 of the ESA PDP Policy, i.e.: a. for the performance of an activity carried out by the Agency within its purpose and in the framework of, and in conformity with, the ESA Convention, the Policy on Personal Data Protection adopted by Director General of ESA on 1 March 2022 “Agreement between the States Parties to the Convention for the establishment of a European Space Agency and the European Space Agency for the protection and the exchange of classified information” done in Paris on 19 August 2002, and the applicable rules and procedures, including ESA Security Regulations and Directives; this includes Processing necessary for the Agency’s management and functioning, Dispute Resolution Procedure, and or Investigation Procedures; or b. for compliance with a legal obligation to which the Agency is subject; or c. for tasks in the frame of the Agency’s cooperation with the competent authority of Member States, in order to facilitate the proper administration of justice; or d. for security; or e. for the performance of a contract concluded by the Agency within its purpose in relation with an activity carried out by the Agency in the framework of, and in conformity with, the ESA Convention and the applicable rules and procedures; f. for Your legitimate interest; or g. for purposes covered by Your Consent, as it may be obtained from You as mentioned herein or under a separate document (e.g. Consent form). |
5.2 Grounds for processing sensitive personal data under ESA PDP Policy In addition, We may process Your data under Article 5.2.2 of the ESA PDP Policy concerning Sensitive Personal Data, i.e. when the processing: a. is covered by Your Consent, as it may be obtained from You under a separate document (e.g. Consent form); or b. relates to Sensitive Personal Data which are manifestly made public by any means (for instance, social media) by You; c. is necessary for:
|
5.3. Consent When consent is the most appropriate lawful basis for processing, it will be requested from You and you can refuse to consent. Depending on the situation, Your consent may be given by various modalities (e.g. written form, verbally) and may jn particular result from:
When you consented for a certain processing, you may withdraw the consent or exercise your rights in line with Article 9 herein. Unless otherwise advised in a separate notice or by ESA DPO, you are able to withdraw consent by contacting DPO@esa.int, and to copy communications at: commppdp@esa.int For example: In case you provided your consent to subscribe to an online newsletter, we may process all the data on your interests to build a profile of what articles you consult. Later on, You inform us that You no longer wish to receive the online newsletter, by clicking the “unsubscribed” link in the footer of emails you received from us or by contacting us at commppdp@esa.int. Upon which We will then delete retrievable personal data relating to or collected in the context of the newsletter subscription from our database, including the profile(s) relating to you. If Your data was being processed for several purposes, We will not use the personal data for the part of the processing for which consent has been withdrawn. |
(6) In which circumstances may We transfer or provide access to Your personal data?
At times, it is necessary for us to disclose Your personal data to authorised recipients (e.g., ESA staff members, advisors, contractors), under a “need to know” principle, for carrying out the processing operations referred to in this notice. Typically, the third-party recipients include:
1/ service providers: We may engage various service providers such as:
- providers in charge with the organisation and management of communication activities,
- providers involved in the management of social media accounts,
- providers involved in advertising activities, managing newsletters, managing statistics and media services,
- providers of cloud/data hosting services,
- providers of website related services,
- providers enabling Us to manage our contracting process,
- providers ensuring the security of our premises,
- providers enabling Us to provide you with working tools, etc.
2/ partners of ESA, in relation to ESA activities and programmes and, generally, in relation to ESA mission as foreseen in ESA Convention;
3/ ESA governing bodies ad authorities and their subordinate bodies, as required by the legal framework applicable to ESA.
It is important to note that these third-party recipients are generally situated in the European Union, the European Economic Area or in countries that offer an adequate level of protection equivalent to that offered within the European Union and the European Economic Area (e.g. Argentina, Canada, Japan, Switzerland, United-Kingdom).
When the third-party data recipients are located in a country or international organisation not offering an adequate level of protection (e.g., Australia, United States, etc.), we take necessary measures to safeguard your data, in line with the conditions set forth in ESA PDP framework.
Additionally, we may utilise services provided by IT providers or integrate social media features into our platforms. In such instances, these IT providers or social media platforms may provide links to their respective websites, where they conduct their own data processing activities. It is entirely at your discretion whether you choose to access and utilise these social media features, depending on the terms and conditions applicable to each platform. If you prefer not to engage with social media or accept their terms and conditions, you have the option to refrain registering as a user on these platforms. Your decision regarding social media usage is within your control.
In case of transfer of personal data to the United States or other countries not offering an adequate level of protection, transfer may expose You to certain risks, in particular the risk of profiling, the risk that the applicable legal framework may allow further processing of the personal data and that any given consent may not be withdrawn.
In exceptional cases, for instance in case of a criminal offence evidenced by the collection or processing of data, we may share the said data with the appropriate authorities or bodies, including the ones having an investigative role or the ones involved in the concerned legal proceedings.
(7) How long do We retain Your personal data for?
Your data are stored for the shortest time possible, taking into account the reasons why we need to process Your data, as well as all legal obligations applicable to the Agency. The Agency established time limits to erase or review the data stored. Retention periods applied by the Agency are proportionate to the purposes for which they were collected. Thus, the Agency will keep Your personal data for as long as necessary for the fulfilment of those purposes and shall be deleted afterwards. By way of exception, We may keep Your personal data for a longer period, for archiving purposes in the public interest or for reasons of scientific or historical research, being reminded that appropriate technical and organisational measures are put in place (e.g. anonymisation, encryption, etc.).
(8) How do We protect and safeguard Your personal data?
All processing operations are carried out pursuant to ESA Rules and Regulations, including ESA PDP Framework and ESA Security Regulations. In particular, the Agency collects and processes personal data in conditions protecting confidentiality, integrity and security of personal data.
In order to protect Your personal data, ESA has implemented a number of technical and organisational measures against the risks of loss as well as against unauthorised access, destruction, use, modification or disclosure of personal data, in particular when such risks concern sensitive personal data.
These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. They may include, as appropriate, the pseudonymisation and encryption of personal data.
(9) What are Your rights as data subject and how can you exercise them?
Under conditions detailed in the ESA PDP Framework, You have:
- the right to be informed about the identity of the data controller, the contact details of the data protection officer, the purpose of the data processing, the data recipients to whom the personal data shall be disclosed, the rights of rectification or erasure of his/her data, the storage time-limits (if any), the practical modalities of exercising the rights, etc.; this is the purpose of this privacy notice and any other notice referred to herein;
- the right to access the personal data We process about You; unless you have access to such data via an account, you may send us your request by email to dpo@esa.int;
- the right to have Your personal data erased, rectified, completed; if you want to review and correct the personal information, you can either do it yourself, in case you have access to such data via an account, or you may send us your request by email to dpo@esa.int ;
- the right to lodge a complaint before the Supervisory authority, in accordance with the latter’s rules of procedure. In case You demonstrate, or have serious reasons to believe, that a data protection incident occurred in relation with Your personal data, following a decision of the Agency, you may send notify us thereof by email to dpo@esa.int.
Once a request to erase data is received, we will ensure that the data is deleted unless it can be processed on another legal ground, amongst the ones mentioned in Article 5.1 above. If Your data was being processed for several purposes, We will not use the personal data for the part of the processing for which consent has been withdrawn.
For instance:
- Your personal data may continue to be processed for the performance of a legal obligation of ESA or where such data is necessary for the establishment, exercise, or defence of legal claims;
- If there are multiple processing concerning You, based on consent, You have to expressly indicate which consent you wish to withdraw.
When the processing of Your personal data is based on Your consent and unless a specific case applies (e.g. see Article 6 above), You have also the right to withdraw Your consent.
You may wish to exercise any of the above-mentioned rights, by sending a request explicitly specifying Your query to the ESA DPO via e-mail at dpo@esa.int
You may be asked additional information to confirm your identity and/or to assist ESA to locate the data You are seeking.
(10) Specific rules for children
If Your children want to interact or otherwise engage with ESA, they will often need approval from You, as their parent or legal guardian, as the child's personal data will be collected for these purposes.
Your child will no longer need parental consent once they have reached the age of majority according to the applicable jurisdiction. We will by default ask for parental consent for any child that is under 16 years old. We may ask for your contact data (e.g. email address) in order to be able to verify your identity and ensure that We have your explicit consent to collect and use you child’s data.