Privacy Notice
ESA PRIVACY NOTICE FOR ESA-STAR
Released by: European Space Agency, as Data Controller
Addressed to individuals whose personal data are collected and processed
Concerning collection and processing initiated by: ESA CIC-I & CIC-C Departments (hereinafter referred to as the “Department”) – DPNR 2153
The European Space Agency (hereafter “the Agency” or “ESA” or “We”) is committed to protecting Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) available at: http://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations composed of:
- the Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
- the Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
- the Policy on Personal Data Protection (including its Annex entitled “Governance Scheme of the ESA’s Personal Data Protection”) adopted by the Director General of ESA on 1 March 2022 (“ESA PDP Policy”).
-
How can you contact ESA regarding this notice?
The ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int. Specific information is available upon request from the DPO.
SEPARATE CONTROLLERS:
To know the point of contact for personal data protection matters concerning separate Controllers (which are independently responsible for the collection and processing of personal data they decide upon), please refer to the privacy notices of these separate Controllers. Your queries regarding these matters will not be dealt with by ESA or its DPO. -
What kinds of personal data are collected and further processed?
We collect and process various kinds of personal data and may require You to provide personal data for the purposes mentioned later in this notice. Depending on the purpose for which they are collected and further processed, the personal data may include the following:
esa-star Registration,
- Identity Data: including your first name and surname, nationality in case of an individual private investor in an economic operator registering with ESA;
- Professional information: including job title, business e-mail address, business phone number;
- Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using; geolocation server logs data, log data.
esa-star Tendering
- Identity Data: including Your first and surname;
- Professional information: including job title, office email address, office phone number;
- Professional career data: the curriculum vitae of key personnel uploaded by Tenderers;
- Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using; geolocation server logs data, log data.
esa-star Publication
- Identity Data: including Your first and surname;
- Identity Data: including Your first and surname;
- Professional information: including job title, office email address, office phone number;
- Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using; geolocation server logs data, log data.
esa-match
- Identity Data: including Your first and surname;
- Identity Data: including Your first and surname;
- Professional information: including job title, office email address, office phone number;
- Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using; geolocation server logs data, log data.
esa-star ECM
- Identity Data: including Your first and surname;
- Identity Data: including Your first and surname;
- Professional information: including job title, office email address, office phone number;
- Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using; geolocation server logs data, log data.
esa-star CCD
- Identity Data: including Your first and surname;
- Identity Data: including Your first and surname;
- Professional information: including job title, office email address, office phone number;
- Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using; geolocation server logs data, log data.
esa-star ASTRA
- Identity Data: including Your first and surname;
- Identity Data: including Your first and surname;
- Professional information: including job title, office email address, office phone number;
- Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using; geolocation server logs data, log data.
General (applicable to all esa-star modules)
- Username: to enable users to authenticate and log on esa-star system and modules.
- Other data, such as:
- Your messages, date, and time the message was sent;
- the content of the questions you have asked;
- other data mentioned in Your messages;
- data You have made public.
-
How are Your personal data collected or further processed?
Personal data are collected in esa-star Registration as described in the corresponding esa-star User Manual available at the following link: https://esastar-emr.sso.esa.int/Account/DownloadFile Moreover, additional limited and locally based personal data collection is performed in the the esa-star Tendering, -Publication, esa-match, -ECM, -CCD and -ASTRA modules. Additional information can be found in the relevant User Manuals.
ESA processes Your personal data to manage ESASTAR and interoperable applications.
In addition to the personal data, We collect directly from You (e.g. if you complete and submit a form to, or for, ESA, if You use a platform, tool or website operated by ESA or on behalf of ESA, etc.), We may, depending on Your situation, collect certain personal data about You indirectly including collection of personal data from third-parties.
For instance, depending on the purpose of processing, third parties may be: - analytics providers or social media platforms and Your data may result from the content You post on social media You consult, from cookies deposited on Your device under the relevant terms and conditions etc.; - third parties (service providers of ESA, investors concerned by ESA programmes, activities or initiatives, ESA partners, ESA BICs, Brokers, etc.) involved in an area relevant to the purpose of processing etc.
-
Why are Your personal data collected and further processed?
ESASTAR is used for the purpose of managing tenders, registration and the ESA procurement process. Your contact details are used for:
- ESA to contact the economic operators (e.g. to announce an ESA audit, or to communicate with ESA BIC supported startups, including providing information about relevant opportunities, launching surveys, etc);
- economic operators to communicate between themselves (e.g. ESA BIC supported start-ups) in a CRM or other similar ecosystem;
- ESA contractors and partners (e.g. ESA BICs, Brokers, Ambassadors, EPIC partners) to communicate with economic operators to provide information about relevant opportunities, to launch surveys, etc;
- the purpose of supporting the European Space Technology Harmonisation Process.
We collect and process Your personal data necessary for the activities conducted to fulfil Our purpose, which is “to provide for and to promote, for exclusively peaceful purposes, cooperation among European States in space research and technology and their space applications, with a view to their being used for scientific purposes and for operational space applications systems” (as per ESA Convention). We serve the public interest, and we wish to foster the public interest in space activities and programmes.
All the processing carried out by, or on behalf of, ESA upon initiative of the above-mentioned Department falls in this general purpose and, in particular, into one of the reasons permitted under ESA PDP Framework, in particular under ESA PDP Policy.
In any case, we do not process your personal data for activities where our interests are overridden by the impact on you, unless we have your consent or are otherwise required or legally permitted.
Further information on the purpose of processing is provided by clicking on links associated with each section below, which correspond to various situations that may be relevant to You.
What is the purpose of processing Your personal data?
4.1 IF YOU SUBSCRIBE TO ESA NEWSLETTER(S) OR OTHERWISE EXPRESS YOUR INTEREST IN RECEIVING INFORMATION RELATED TO ESA ACTIVITIES AND PROGRAMMES AND ABOUT OTHER RELEVANT OPPORTUNITIES FROM ESA OR ESA CONTRACTORS OR PARTNERS
Your personal data are collected and further processed for the following purposes:
- provide you with information about ESA activities and programmes as well as about ESA and ESA contractor and partner events an opportunities, via newsletters and other means;
- to collect feedback to help ESA monitor and improve ESA activities and programmes as well the relevant opportunities provided by ESA partners and contractors;
- to defend ESA from possible liability claims that may arise in connection with your use of the information You have received;
- to respond to your requests related to ESA activities and programmes and, generally, to space-related matters, initiatives and activities;
- to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.
4.2 IF YOU VISIT AN ESA WEBSITE (operated by ESA or on behalf of ESA)
Your personal data are collected and further processed for the performance of public service tasks related to ESA’s mission under the ESA Convention, including for ESA for the purposes of communication activities, such as sending e-mails and invitations (this entails the management of contact lists for correspondence), for statistical and analytical purposes and, generally, for the promotion of ESA’s activities, programmes and initiatives. In particular, Your personal data are collected and further processed:
- to inform and raise awareness among the general public in particular in ESA Member States;
- to perform qualitative media monitoring;
- to conduct analytics with the aim to raise awareness or to conduct surveys on topics related to space activities, programmes, initiatives and to ESA missions, programmes and activities;
- to analyse and monitor Your interactions with the website, including monitoring and analysis of website use, traffic and interactions;
- to deal with your current and future queries or requests submitted via website(s) or to otherwise engage with you;
- to analyse and monitor Your reactions to ESA activities, programmes and initiatives as well as to various posts, statements or declarations made in connection with space activities, programmes, and initiatives, in particular to optimise Our communication and Your engagement on websites;
- to ensure audience measurement;
- to grant a user access to specific functionalities of the website that require authentication;
- to better understand the needs and the browsing experience of ESA website visitors;
- to gather statistics with a view to improving our communication and to enhance the user experience;
- to identify and track unauthorised access or any attempts to access our servers without permission;
- to delete comments that seem to us as not relevant to the topic of website or account, offensive, abusive, etc.
- to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise in connection with Our communication activities.
When using ESA websites You may find information (such as links to third-party websites) governed by separate terms and conditions. If You voluntarily register for and use such third-party websites, their applicable terms and conditions and privacy policies apply, and ESA has no control thereof. The use of third-party websites accessible via information present on ESA websites does not entail endorsement by ESA of the related terms and conditions or privacy policies.
4.3 IF YOU FORMULATE A REQUEST OR A COMPLAINT IN THE EXERCISE OF YOUR RIGHTS
In particular, Your personal data are collected and further processed for the following purposes:
- to handle any questions or complaints you submit to ESA;
- to respond to any request relating to your rights;
- to defend ESA from possible liability claims that may arise.
4.4 IF YOU INTERACT WITH ESA ON ESA PROGRAMMES, ACTIVITIES OR INITIATIVES, AND WITH ESA CONTRACTORS AND PARTNERS,
Your personal data are collected and further processed for the following purposes:
- to perform public service tasks related to ESA’s mission under the ESA Convention;
- to facilitate your participation in opportunities (call for ideas, call for proposals), face-to-face events and online Events such as workshop, conferences, webinars;
- to manage your relationship with ESA as well as your requests and applications in relation to the ESA programmes, activities and initiatives, and
- to facilitate interactions with relevant entities and pursue or exchange on the resulting opportunities;
- to conduct actions whose purpose is to know, predit and – as applicable – stimulate Your interest in ESA programmes, activities and initiatives as well as those of ESA Contractors and Partners;
- to collect information to help ESA monitor and improve ESA activities and programmes as well the relevant opportunities provided by ESA partners and contractors;
- to deliver information and reports to delegations of ESA Member States or of the states participating to ESA programmes, as required under the applicable legal framework;
- to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.
4.5 IF YOU USE ESA information and communication technology (IT) infrastructure, tools, and services (operated by ESA or on behalf of ESA)
Your personal data may be collected and further processed for the following purposes:
- to provide You access to the IT infrastructure, tools and services operated by or on behalf of ESA;
- to provide optimal data flow between target environments in an automated manner;
- to provide access and proper performance of the service to end-users;
- to provide support services and to ensure the management and maintenance of the service;
- to manage provision of IT services such as identity and access management; incident prevention, management, reporting;
- to ensure data subject rights management;
- to ensure personal data quality and accuracy.
- to provide tools that facilitate transcription, evaluation, reporting or automated processing.
4.6 IF YOU ARE INTERACTING WITH ESA IN THE CONTEXT OF PROCUREMENT OR PROVISION OF SERVICES
Your personal data may be collected and further processed for the following purposes:
- to conduct and document all processes related to the procurement or provision of services;
- to ensure the performance, management, monitoring of the work related to the procurement or provision of services, to conduct the related audits as well as to ensure the fulfilment of the obligations set out in the Agreements;
- to manage the relationship of the Parties in relation to the related contracts or other relevant arrangements, notably for administrative, financial, audit or for communication purposes;
- to comply with legal or regulatory obligations to which the Agency is subject;
- to comply with requirements under the related contracts or other contractual arrangements, in particular necessitating access to the relevant parties’ premises, with the health, safety and security requirements, legal or regulatory obligations applicable to the respective Party in such matters.
NOTA BENE:If Your personal data processing is subject to one of the situations above, other sections may be relevant to You. You are thus invited to take knowledge of information provided under all the sections that are relevant to your case. In the description of the purpose, we made the choice to avoid duplication.
- On what legal grounds do We collect and process Your data?
We process Your personal data pursuant to the ESA PDP Framework, in particular pursuant to Article 5 of the ESA PDP Policy, for fair, specified and legitimate purposes or for purposes compatible therewith. Other ESA Rules and Regulations may serve as legal basis, as they may be indicated to You in additional notices, as appropriate.
What are the legal basis for processing Your personal data?
5.1 General basis for processing under ESA PDP Policy
Generally, the processing referred to in this notice falls under Article 5.2.1 of the ESA PDP Policy, i.e.:
- for the performance of an activity carried out by ESA within its purpose and in the framework of, and in conformity with, the ESA Convention, the Policy on Personal Data Protection adopted by Director General of ESA on 1 March 2022 “Agreement between the States Parties to the Convention for the establishment of a European Space ESA and the European Space ESA for the protection and the exchange of classified information” done in Paris on 19 August 2002, and the applicable rules and procedures, including ESA Security Regulations and Directives; this includes Processing necessary for ESA’s management and functioning, Dispute Resolution Procedure, and or Investigation Procedures; or
- for compliance with a legal obligation to which ESA is subject; or
- for security; or
- for the performance of a contract concluded by ESA within its purpose in relation with an activity carried out by ESA in the framework of, and in conformity with, the ESA Convention and the applicable rules and procedures.
- In which circumstances may We transfer or provide access to Your personal data?
At times, it is necessary for us to disclose Your personal data to authorised recipients, to the extent this is necessary for carrying out the processing operations referred to in this notice. Typically, the third-party recipients include:
1/ third party providers: We may engage various service providers such as:
- providers in charge with the organisation and management of communication activities,
- providers involved in the management of social media accounts,
- providers involved in marketing, advertising activities, managing newsletters, managing statistics and media services,
- providers of cloud/data hosting services,
- providers of website related services,
- providers enabling Us to manage our contracting process,
- providers ensuring the security of our premises,
- providers enabling Us to provide you with working tools, etc.
2/ partners and contractors of ESA (including ESA BICs, Brokers, EPIC, etc), in relation to ESA activities and programmes and, generally, in relation to ESA mission as foreseen in ESA Convention, whether they are individuals, companies, investors, education institutions, research organisations or other legal entity;
3/ ESA governing bodies and authorities and their subordinate bodies, as required by the legal framework applicable to ESA, including ESA Member States’ delegations, experts and advisors, for the purposes of performing their role in relation to the Agency, in the light of the ESA Convention and all the applicable rules and regulations;
4/ other third parties interacting with ESA under a specific framework.
These third-party recipients are generally situated in the European Union, the European Economic Area or in countries that offer an adequate level of protection equivalent to that offered within the European Union and the European Economic Area (e.g. Argentina, Canada, Japan, Switzerland, United-Kingdom).
When the third-party data recipients are located in a country or international organisation not offering an adequate level of protection (e.g., Australia, United States, etc.), we take necessary measures to safeguard your data, in line with the conditions set forth in ESA PDP framework.
Additionally, we may utilise services provided by IT providers or integrate social media features into our platforms. In such instances, these IT providers or social media platforms may provide links to their respective websites, where they conduct their own data processing activities. It is entirely at your discretion whether you choose to access and utilise these social media features, depending on the terms and conditions applicable to each platform. If you prefer not to engage with social media or not to accept their terms and conditions, you have the option to refrain from accessing or using these platforms. Your decision regarding social media usage is within your control.
In case of transfer of personal data to the United States or other countries not offering an adequate level of protection, transfer may expose You to certain risks, particularly the risk of profiling, the risk that the applicable legal framework may allow further processing of the personal data and that any given consent may not be withdrawn.
In exceptional cases, for instance in case of a criminal offence evidenced by the collection or processing of data, we may share the said data with the appropriate authorities or bodies, including those having an investigative role or those involved in the concerned legal proceedings.
- How long do We retain Your personal data for?
Your data are stored for the shortest time possible, considering the reasons why we need to process Your data, as well as all legal obligations applicable to ESA. The ESA established time limits to erase or review the data stored. Retention periods applied by the ESA are proportionate to the purposes for which they were collected. Thus, the ESA will keep Your personal data for as long as necessary for the fulfilment of those purposes and shall be deleted afterwards. By way of exception, We may keep Your personal data for a longer period, for archiving purposes in the public interest or for reasons of scientific or historical research, being reminded that appropriate technical and organisational measures are put in place (e.g. anonymisation, encryption, etc.). The retention periods for curriculum vitae uploaded as part of a tender in esa-star Tendering is 5 years.
- How do We protect and safeguard Your personal data?
All processing operations are carried out pursuant to ESA Rules and Regulations, including ESA PDP Framework and ESA Security Regulations. In particular, the ESA collects and processes personal data in conditions protecting confidentiality, integrity and security of personal data.
In order to protect Your personal data, ESA has implemented a number of technical and organisational measures against the risks of loss as well as against unauthorised access, destruction, use, modification or disclosure of personal data, in particular when such risks concern sensitive personal data.
These measures consider the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. They may include, as appropriate, the pseudonymisation and encryption of personal data.
- What are Your rights as data subject and how can you exercise them?
Under conditions detailed in the ESA PDP Framework, You have:
- the right to be informed about the identity of the data controller, the contact details of the data protection officer, the purpose of the data processing, the data recipients to whom the personal data shall be disclosed, the rights of rectification or erasure of his/her data, the storage time-limits (if any), the practical modalities of exercising the rights, etc. ; this is the purpose of this privacy notice and any other notice referred to herein;
- the right to access the personal data We process about You; unless you have access to such data via an account, you may send us your request by email to dpo@esa.int;
- the right to have Your personal data erased, rectified, completed; if you want to review and correct the personal information, you can either do it yourself, in case you have access to such data via an account, or you may send us your request by email to dpo@esa.int;
- the right to lodge a complaint before the Supervisory authority, in accordance with the latter’s rules of procedure. In case You demonstrate, or have serious reasons to believe, that a data protection incident occurred in relation with Your personal data, following a decision of ESA, you may send notify us thereof by email to dpo@esa.int.
Once a request to erase data is received, we will ensure that the data are deleted unless it can be processed on another legal ground, as mentioned in Article 5.1 above. If Your data was processed for several purposes, We do not process personal data for the part of the processing for which consent has been withdrawn.
For instance:
- Your personal data may continue to be processed for the performance of a legal obligation of ESA or where such data is necessary for the establishment, exercise, or defence of legal claims;
- If there are multiple processing concerning You, based on consent, You have to expressly indicate which consent you wish to withdraw.
When the processing of Your personal data is based on Your consent and unless a specific case applies (e.g. see Article 6 above), You have also the right to withdraw Your consent.
You may wish to exercise any of the above-mentioned rights, by sending a request explicitly specifying Your query to the ESA DPO via e-mail at dpo@esa.int You may be asked additional information to confirm your identity and/or to assist ESA to locate the data You are seeking.
- ESA Contractors
ESA may enter into contracts with various contractors who, with regard to Your Personal Data and depending on the contract concluded with ESA, may act either as a separate Data Controller or as a Data Processor.
- To the extent such contractor act as a separate Data Controller, the separate privacy notice of the contractor will apply for the purposes of collection and processing decided by the contractor.
- To the extent such contractor act as a Data Processor, this privacy notice applies for the purposes of collection and processing decided by ESA.