Privacy Notice

Version: 1.2 28/04/2023


The European Space Agency (herein the “Agency” or “ESA”) is an intergovernmental organization established by its Convention opened for signature in Paris on 30 May 1975 having its headquarters located at 24 rue du Général Bertrand, CS 30798, 75345 Paris Cedex 07, France.

Protection of Personal Data is of great importance for ESA, which strives to ensure a high level of protection as required by the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”). ESA implements appropriate measures to preserve the rights of data subjects, to ensure the processing of personal data for specified and legitimate purposes, in a not excessive manner, as necessary for the purposes for which the personal data were collected or for which they are further processed, in conditions protecting confidentiality, integrity and safety of personal data and generally to implement the principles set forth in the PDP Framework, available at: http://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations

ESA PDP Framework is composed of the following elements:

  • the Principles of Personal Data Protection, as adopted by ESA Council Resolution (ESA/C/CCLXVIII/Res.2 (Final)) adopted on 13 June 2017;

  • the Rules of Procedure for the Data Protection Supervisory Authority, as adopted by ESA Council Resolution (ESA/C/CCLXVIII/Res.2 (Final)) adopted on 13 June 2017;

  • the Policy on Personal Data Protection adopted by Director General of ESA on 5 February 2018 and effective on 1 March 2018.

This notice is intended to inform you, as data subject, about:

  • the identity of the data controller and contact details of ESA Data Protection Officer (“DPO”);

  • the type of personal data which is collected and processed;

  • the modalities of collection of personal data;

  • the purpose of the collection and processing;

  • the recipients (if any) to whom the personal data of the data subject shall be disclosed;

  • the time-limits for storing the personal data;

  • the practical modalities of exercising the rights of the data subject under the ESA PDP Framework.

This privacy notice also enables ESA to obtain your consent relating to the collection and processing of your personal data, under ESA PDP Framework.

ESA keeps this privacy notice under regular review and places any updates in this web page. This Privacy Policy was last updated on April 2023.


  1. Who is the Data Controller?

Your personal data are collected and further processed as described in this Privacy Notice upon the decision taken by ESA. Thus, the Data Controller is ESA.


  1. What are the contact details of ESA Data Protection Officer?

According to ESA PDP Framework, your first point of contact concerning personal data matters is the ESA Data Protection Officer (“DPO”), who may be contacted at dpo@esa.int


  1. What kind of personal data about you are collected and further processed?

This privacy notice informs you about esa-star, the e-Tendering system and the Registration tool, that supports the ESA procurement process and the management of data on Economic Operators, that are interested in doing business with ESA. The esa-star Registration, esa-star Publication and esa-star ECM Modules process personal data of natural persons for the following purposes:



    • contact details and identity: e.g. to enable users to register, log on and access their data in esa-star or to enter data on contact points for specific purposes;

    • connection performance and device information: to enable registration of other industrial roles, to allow access to other ESA Corporate systems.


The esa-star Registration module and the esa-star Contract Closure Documentation process the following Data Subject Personal Data:

    • First name and surname

    • Office e-mail address

    • Office phone number

    • Professional role


The esa-star Publication and esa-star ECM modules process the following Data Subject Personal Data:

    • First name and surname

    • Office e-mail address

    • Office phone number


  1. How are your personal data collected?

Regarding the esa-star Registration module, personal data are collected as described in the corresponding esa-star User Manual available at the following link: https://esastar-emr.sso.esa.int/Account/DownloadFile.
Moreover, additional limited and locally based personal data collection is performed in the esa-star Publication and ECM modules. Additional information can be found in the relevant User Manuals.


  1. Why are your personal data collected and further processed?

Personal data is collected and processed for the purpose of managing tenders, registration and the ESA procurement process. Additionally, limited to the personal data listed in section 3 above, personal data are processed for the purpose of supporting the European Space Technology Harmonisation Process.


  1. To whom might ESA disclose your personal data?

Regarding all esa-star modules, the Agency may disclose your personal data to sub-processors, acting as service provider, involved in the running and maintenance of the tool. The processing is performed in the countries ensuring an adequate level of protection of personal data under the ESA and European Union’s legal frameworks.
Specifically regarding esa-star ECM for the purpose of the European Space Technology Harmonisation Process, the Agency may disclose the personal data you might have entered directly into the ECM module or imported from esa-star Registration (see paragraph 3 above) to National Delegates of the ESA Member, Associate and Cooperating States, Industrial Associations, Institutions and other Entities having an active role in the process on behalf of / under contract with the European Space Agency.
The Agency does not consider your personal data as an asset for sale and, thus, does not sell your personal data to any third parties.

The Agency shall not be considered responsible for personal data filled by the entities either intentionally or accidentally in the fields that are visible in the public domain. The fields publicly visible are indicated in the esa-star Registration User Manual for Entity Users. For instance, for the fields that require an email address and that are publicly visible, the Agency recommends the entities to fill in generic or anonymous data (e.g info@entity.com).


  1. How long do we retain your personal data for?

The Agency may keep your personal data for as long as necessary for the fulfilment of the above mentioned purposes. Your Personal Data shall be deleted thereafter.


  1. How can you erase, rectify, complete or amend your personal data?

The Agency is keen to collect and process accurate personal data and to keep it updated.
The registration form allows you to enter your personal data in esa-star system as described in the corresponding esa-star User Manual available at the following link: https://esastar-emr.sso.esa.int/Account/DownloadFile.
You may erase, rectify, complete or amend your personal data as described in the corresponding esa-star User Manual (available at: https://esastar-emr.sso.esa.int/Account/DownloadFile) if, and to the extent that it is inaccurate or incomplete, having regard to the purposes for which they are collected and processed, or if they are processed in violation with the principles referred in ESA PDP Framework


  1. What could you do in case of a data protection incident?

In case of a data protection incident, you should contact ESA DPO, as first point of contact, by sending an email to: dpo@esa.int.
In case you wish to submit a complaint, you are required to comply with the Rules of Procedure of the Supervisory Authority set forth by ESA PDP Framework. You will be required to demonstrate that a data protection incident occurred in relation to your personal data, following a decision of the Agency or at least to justify serious reasons to believe that such incident occurred.


esa-star Ver. 3.11 - Registration   Contact Us Help Privacy Notice Terms & Conditions