This website uses cookies to enable essential site functionality. Please see here for more information.Cookies Notice

PRIVACY NOTICE ESACONTACT for Management of Events, Newsletters, Contacts, Subscriptions and Surveys


Released by: European Space Agency, as Data Controller


Addressed to individuals whose personal data are collected and processed


Concerning collection and processing initiated by: ESA HIF-I Department
(hereinafter referred to as the “Department”)

 
The European Space Agency (hereafter “the Agency” or “ESA” or “We”) is committed to protecting Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) available at: http://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations
composed of:
  • the Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
  • the Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
  • the Policy on Personal Data Protection (including its Annex entitled “Governance Scheme of the ESA’s Personal Data Protection”) adopted by the Director General of ESA on 1 March 2022 (“ESA PDP Policy”).
This notice is intended to describe why and how Your personal data are collected and processed by or on behalf of ESA, as Data Controller, on the initiative of the ESA above-mentioned Department, as well as what rights You have in relation to Your personal data. It also informs You about the contact details of the Data Protection Officer. This privacy notice was last updated on 12/06/2024. It must be read in conjunction with the ESA PDP Framework and other privacy notices referred to herein.
 
     1.   How can you contact ESA regarding this notice?
 
The ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int. Specific information is available upon request from the DPO.
 

Separate Controllers
  • To know the point of contact for personal data protection matters concerning separate Controllers (which are independently responsible for the collection and processing of personal data they decide upon), please refer to the privacy notices of these separate Controllers. Your queries regarding these matters will not be dealt with by ESA or its DPO.
  • If you access and use ESA personal data for any other purposes than those established by ESA, you are liable for Your processing as separate controller.
     
     2.   What kinds of personal data are collected and further processed?
 
We collect and process various kinds of personal data and may require You to provide personal data for the purposes mentioned later in this notice. Depending on the purpose for which they are collected and further processed, the personal data may include the following:
  • Identity Data: including Your names, date of birth, passport number or other official identification number, gender indication, nationality avatar and civil status;
  • Copies of identity documents: including copies of Your diplomatic cards, copy of passport (including visa if necessary), the identity card or other identity documents, certificates, Your photograph;
  • Contact information: including Your address, email address and telephone number;
  • Professional information: including job title, email address, phone number and addresses Professional career data: including Your previous positions and professional experience;
  • Application and recruitment information: such as Your curriculum vitae and motivation letter, declarations (when necessary), references, education history and employment history, selection report Education and training information;
  • Employment information details: including job applications, ESA employment history and information on Your time and leave management as well as internal performance information;
  • Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser data, in particular the type plug-in version, user preferences and history; MAC data, device information, uniform resource identifier (URI) address, time zone setting, operating system and platform and other technology of the devices you are using;  geolocation server logs data, log data;
  • Photo: including photographs, Your likeness, Your image;
  • Audio-video recordings, statements, interviews;
  • CCTV (“close circuit television”) and physical security data: CCTV footage and other information relating to access of our facilities obtained through electronic means;
  • Financial data: bank account number and payment card details;
  • Social media data: if you are a user of social media and depending on the circumstances or the social media in question, the personal data that we may collect are derived from: 
    • Your user profile, e.g. Your profile picture published on social media, Your pseudonym, nickname or avatar;
    • Your interactions (such as when You interact with a story, follow or unfollow a web page, link or unlink a web page or post, recommend a web page, share a post, react to a web page or a post, comment on a web page or a post, or perform any other action related to  a specific topic, network and /or connection) on the social media or other information related to Your habits, hobbies, interests, professional and educational background etc.;
    • Your online identifiers, including Technical Data related to Your social media use;
    • personal data processed via third-party platforms, application or websites (connected to a social media platform), tools or services;
    • The audiovisual content that might be published on the social media platforms: this may include information in or about the content provided by a user (e.g., metadata), such as the location / date of a photo, voice recordings, video recordings, or an image of a data subject;
    • Other personal information You may disclose via the social media or in the use thereof.
       
  • Other personal information You may provide: in particular the content of exchanges with ESA, for instance dietary preferences or assistance data;
     
  • Other personal data that You have to the extent you made them public;
     
  • Other data, such as
    • Your messages, date, and time the message was sent;
    • the content of the questions you have asked;
    •  other data mentioned in Your messages;
    • data You have made public.
       3.   How are Your personal data collected or further processed?
ESA processes Your personal data and commissions providers to provide services as per contract, including provision of access and security, maintain and operate infrastructure and software, continuously update the product with latest improvements and security patches, monitor the service for issues and ensure near-constant uptime, manage the product according to the SLA’s, provisioning end-user support and troubleshooting for applications and features related to CRM services, manage tool settings, support, operate, and maintain the service in accordance to the provider’s Online Services, provisioning/management of access for services to data related to requirements of Contacts, preferences, usage data for analytics services.

In addition to the personal data, we collect directly from You (e.g. if you complete and submit a form to, or for, ESA, if You use a platform, tool or website operated by ESA or on behalf of ESA, etc.), We may, depending on Your situation, collect certain personal data about You indirectly including collection of personal data from third parties. 

For instance, depending on the purpose of processing, third parties may be:
- analytics providers or social media platforms and Your data may result from the content You post on social media You consult, from cookies deposited on Your device under the relevant terms and conditions etc.
- third parties (service providers of ESA, investors concerned by ESA programmes, activities or initiatives, etc.) involved in an area relevant to the purpose of processing etc.

For these purposes only as well as for the purposes mentioned in Article 5 of ESA Policy on Personal Data Protection, ESA is Data Controller. ESA does not instruct any third party to conduct any web analytics, profiling or any other processing on ESA’s behalf, other than for the purposes mentioned.

       4.   Why are Your personal data collected and further processed? 
 
We collect and process Your personal data necessary for the activities conducted to fulfil Our purpose, which is “to provide for and to promote, for exclusively peaceful purposes, cooperation among European States in space research and technology and their space applications, with a view to their being used for scientific purposes and for operational space applications systems” (as per ESA Convention). We serve the public interest, and we wish to foster the public interest in space activities and programmes.

All the processing carried out by, or on behalf of, ESA upon initiative of the above-mentioned Department falls in this general purpose and, in particular, into one of the reasons permitted under ESA PDP Framework, in particular under ESA PDP Policy. 

In any case, we do not process your personal data for activities where our interests are overridden by the impact on you, unless we have your consent or are otherwise required or legally permitted.

Further information on the purpose of processing is provided below, as corresponding to the various situations that may be relevant to You.

   
What is the purpose of processing Your personal data?

4.1 IF YOU ARE A (PROSPECTIVE) PARTICIPANT TO AN EVENT
 
Your personal data are collected and further processed for the following purposes:
  1. to manage Your registration for the event; to correspond with You about the event, including sending you pre- and post-event information;
  2. to secure Your access to the premises of the event (admission checks);
  3. to deliver the event You have registered for;
  4. to accommodate special needs in terms of dietary restrictions or special health needs You may have and communicate to us;
  5. to take photos and audio-video recordings; possibly to distribute / publish them (offline and/or online/ internally or publicly) for documenting the event, or for event reporting or; for ESA outreach purposes; photos/recordings taken under private capacity do not fall under the responsibility of ESA;
  6. to provide you with feedback on the current event (purpose of evaluating the event and optimizing future events) and/or invitations to future events;
  7. as the case may be (if so, provided in the terms applicable to the event), to ensure reimbursement of certain (e.g. travel) expenses;
  8. as the case may be (if so, provided in the terms applicable to the event), to ensure creation of an account of a platform used for the organization of the event;
  9. to conduct surveys about the event and produce statistics;
  10. to enable the analysis of the participation indicators in order to better manage the events in the future;
  11. to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.
Any CCTV and security data are collected and processed to ensure that only authorized persons enter the event premises and to protect the legitimate interests of ESA, of the participants, including You.
 

4.2 IF YOU ARE A SPEAKER AT AN EVENT
 
Your personal data is collected and further processed for all the purposes mentioned in 4.1 above, which more particularly may include:
  1. to facilitate Your registration for, and attendance at the speaking engagement, to communicate with you regarding event logistics, scheduling and any updates related to Your speaking engagement;
  2. to enable You to deliver a speech during the event which may be recorded for public distribution via any media world-wide;
  3. to communicate with, or to send marketing materials about, and invitations to, ESA events to potential participants, etc.;
  4. to publish information and content from the event on websites or media belonging to, or used by, ESA, in particular in our newsletters and/or in social media channels;
  5. to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.

4.3 IF YOU SUBSCRIBE TO ESA NEWSLETTER(S) OR OTHERWISE EXPRESS YOUR INTEREST IN RECEIVING INFORMATION RELATED TO ESA ACTIVITIES AND PROGRAMMES
 
Your personal data are collected and further processed for the following purposes:
  1. to provide you with information about ESA activities and programmes and about ESA events, via newsletters and updates;
  2. to collect feedback to help ESA monitor and improve future newsletters;
  3. to defend ESA from possible liability claims that may arise in connection with your use of the information You have received;
  4. to respond to your requests related to ESA activities and programmes and, generally, to space-related matters, initiatives and activities;
  5. to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.

4.4 IF YOU VISIT AN ESA WEBSITE (operated by ESA or on behalf of ESA)
 
Your personal data are collected and further processed for the performance of public service tasks related to ESA’s mission under the ESA Convention, including for ESA for the purposes of communication activities, such as sending e-mails and invitations (this entails the management of contact lists for correspondence), for statistical and analytical purposes and, generally, for the promotion of ESA’s activities, programmes and initiatives. In particular, Your personal data are collected and further processed:
  1. to inform and raise awareness among the general public in particular in ESA Member States;
  2. to perform qualitative media monitoring;
  3. to conduct analytics with the aim to raise awareness or to conduct surveys on topics related to space activities, programmes, initiatives and to ESA missions, programmes and activities;
  4. to analyse and monitor Your interactions with the website, including monitoring and analysis of website use, traffic and interactions;
  5. to deal with your current and future queries or requests submitted via website(s) or to otherwise engage with you;
  6. to analyse and monitor Your reactions to ESA activities, programmes and initiatives as well as to various posts, statements or declarations made in connection with space activities, programmes, and initiatives, in particular to optimise Our communication and Your engagement on websites;
  7. to ensure audience measurement;
  8. to grant a user access to specific functionalities of the website that require authentication;
  9. to better understand the needs and the browsing experience of ESA website visitors;
  10. to gather statistics with a view to improving our communication and to enhance the user experience;
  11. to identify and track unauthorised access or any attempts to access our servers without permission;
  12. to delete comments that seem to us as not relevant to the topic of website or account, offensive, abusive, etc.
  13. to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise in connection with Our communication activities.
When using ESA websites You may find information (such as links to third-party websites) governed by separate terms and conditions. In You voluntarily registration for and use such third-party websites, their applicable terms and conditions and privacy policies apply, and ESA has no control thereof. The use of third-party websites accessible via information present on ESA websites does not entail endorsement by ESA of the related terms and conditions or privacy policies.

4.5 IF YOU USE SOCIAL MEDIA OR INTERACTING WITH AN ESA ACCOUNT ON SOCIAL MEDIA
 
Your personal data are collected and further processed to inform and raise awareness with the broad public in particular in ESA Member States and performs qualitative media monitoring, including monitoring and analysis of website use, traffic and interactions. These are public service tasks related to ESA’s mission under the ESA Convention.
The processing of your social media personal data follows Your voluntary registration and use of social media (including forums, blogs, related APIs) and Your voluntary acceptance of their applicable terms and conditions and privacy policies, over which ESA has no control. The use of social media by ESA does not entail endorsement by ESA of the related terms and conditions or of social media privacy policies.
Your social media personal data - collected and processed either directly by ESA or by third-party companies, for ESA or for the social media platforms - is used by or for ESA for the communication activities, such as coordinating social media presence, for sending e-mails and invitations (this entails the management of contact lists for correspondence), for statistical and analytical purposes and, generally, for the promotion of ESA’s communication campaigns and related activities and programmes.
In particular, Your personal data are collected and further processed for the following purposes:
  1. to raise awareness or conduct surveys on topics related to space activities, programmes, initiatives and to ESA mission, programmes, activities or initiatives;
  2. to deal with your current and future queries or requests formulated on such social media, platforms, account(s) or to otherwise engage with you;
  3. to ensure audience measurement;
  4. to gather statistics with a view to improving our communications and to enhance user experience;
  5. to analyse and monitor Your interactions with other users, in relation to space activities, programmes, initiatives and to ESA mission, programmes and activities;
  6. to analyse and monitor Your reactions to ESA activities, programmes and initiatives as well as to various posts, statements or declarations made in connection with space activities, programmes, initiatives in particular to optimise ESA communication and engagement on social media;
  7. to make the decision about involving You in ESA promotional activities after evaluating your public profile, your behaviour on social media and your potential interest;
  8. to identify and collaborate with influencers who may engage in ESA communication activities or otherwise promote ESA activities, programmes or initiatives;
  9. to delete comments that seem to us as not relevant to the topic or account, offensive, abusive, etc.
  10. to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.

4.6 IF YOU ARE A MEMBER OF THE PRESS OR ANY MEDIA OUTLET REPRESENTATIVES
 
In particular, Your personal data are collected and further processed for the following purposes:
  1. to respond to requests;
  2. to ensure that ESA can contact the journalists, or any media outlet representatives interested in ESA activities, programmes and initiatives;
  3. to maintain a dialogue with the press and media;
  4. to disseminate content, press releases, any relevant material and analysing, monitoring thereof;
  5. to raise awareness on topics related to space activities, programmes, initiatives and to ESA mission, programmes and activities;
  6. to deal with your current and future queries or requests;
  7. to analyse and monitor all media publications related to ESA activities, programmes and initiatives as well as other space news;
  8. to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.

4.7 IF YOU GIVE AN INTERVIEW TO ESA IN THE CONTEXT OF ESA PROGRAMMES, ACTIVITIES OR INITIATIVES
When solicited to give an interview, You have most likely received information from ESA on the purpose of processing Your personal data, including as captured in content, e.g. photos, audio or video recordings. In particular, ESA may process Your personal data for the following purposes:
  1. to enable You to deliver the interview and to take photos and audio-video recordings;
  2. to raise awareness on topics related to space activities, programmes, initiatives and to ESA mission, programmes and activities;
  3. possibly to disseminate the interview and the content created using it, including on websites or media belonging to, or used by, ESA, in particular in our newsletters and/or in social media channels;
  4. to analyse and monitor the impact of the interview and, generally, to ensure audience measurement;
  5. to provide you with feedback on the interview;
  6. as the case may be (if so provided in the terms then applicable), to ensure reimbursement of certain (e.g. travel) expenses that You may have incurred in relation to travelling for the interview;
  7. to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise.

4.8 IF YOU FORMULATE A REQUEST OR A COMPLAINT IN THE EXERCISE OF YOUR RIGHTS
In particular, Your personal data are collected and further processed for the following purposes:
  1. to handle any questions or complaints you submit to ESA;
  2. to respond to any request relating to your rights;
  3. to defend ESA from possible liability claims that may arise.

4.9. IF YOU INTERACT WITH ESA ON ESA PROGRAMMES, ACTIVITIES OR INITIATIVES
otherwise than as mentioned in Section 4.5 above
Your personal data are collected and further processed for the following purposes:
  1. to perform public service tasks related to ESA’s mission under the ESA Convention;
  2. to facilitate your participation in opportunities (call for ideas, call for proposals), face-to-face events and online Events such as workshop, conferences, webinars;
  3. to manage your relationship with ESA as well as your requests and applications in relation to the ESA programmes, activities and initiatives, and
  4. to facilitate interactions with relevant entities and pursue or exchange on the resulting opportunities;
  5. to conduct actions whose purpose is to know, predit and – as applicable – stimulate Your interest in ESA programmes, activities and initiatives;
  6. to deliver information and reports to delegations of ESA Member States or of the states participating to ESA programmes, as required under the applicable legal framework;
  7. to defend ESA’s rights and interests, including to defend ESA from possible liability claims that may arise. 

4.10 IF YOU USE ESA information and communication technology (IT) infrastructure, tools, and services (operated by ESA or on behalf of ESA)
 
Your personal data may be collected and further processed for the following purposes:
  1. to provide You access to the IT infrastructure, tools and services operated by or on behalf of ESA;
  2. to provide optimal data flow between target environments in an automated manner;
  3. to provide access and proper performance of the service to end-users;
  4. to provide support services and to ensure the management and maintenance of the service;
  5. to manage provision of IT services such as identity and access management; incident prevention, management, reporting;
  6. to ensure data subject rights management;
  7. to ensure personal data quality and accuracy.
  8. to provide tools that facilitate transcription, evaluation, reporting or automated processing.

4.11 IF YOU ARE INTERACTING WITH ESA IN THE CONTEXT OF PROCUREMENT OR PROVISION OF SERVICES
 
Your personal data may be collected and further processed for the following purposes:
  1. to conduct and document all processes related to the procurement or provision of services;
  2. to ensure the performance, management, monitoring of the work related to the procurement or provision of services, to conduct the related audits as well as to ensure the fulfilment of the obligations set out in the Agreements;
  3. to manage the relationship of the Parties in relation to the related contracts or other relevant arrangements, notably for administrative, financial, audit or for communication purposes;
  4. to comply with legal or regulatory obligations to which the Agency is subject;
  5. to comply with requirements under the related contracts or other contractual arrangements, in particular necessitating access to the relevant parties’ premises, with the health, safety and security requirements, legal or regulatory obligations applicable to the respective Party in such matters.

4.12 IF YOU ARE RECORDING AN ESA MS365 TEAMS MEETING
 
Your personal data may be collected and further processed for the following purposes:
  1. to provide the meeting recording service and enable users to access, play, download, share, and delete the recordings;
  2. to generate and display the transcript and captions of the meeting, if enabled, and allow users to edit and export them;
  3. to improve the quality and performance of the meeting recording service and the Teams platform;
  4. to comply with legal and regulatory obligations and requests;
  5. to protect the rights and interests of Microsoft and its customers;
  6. to provide You access to the IT infrastructure, tools and services operated by or on behalf of ESA.
 
NOTA BENE: If Your personal data processing is subject to one of the situations above, other sections may be relevant to You. You are thus invited to take knowledge of information provided under all the sections that are relevant to your case. In the description of the purpose, we made the choice to avoid duplication.


     5.   On what legal grounds do We collect and process Your data?
 
We process Your personal data pursuant to the ESA PDP Framework, in particular pursuant to Article 5 of the ESA PDP Policy, for fair, specified and legitimate purposes or for purposes compatible therewith. Other ESA Rules and Regulations may serve as legal basis, as they may be indicated to You in additional notices, as appropriate.

       
What are the legal basis for processing Your personal data?

5.1 General basis for processing under ESA PDP Policy
Generally, the processing referred to in this notice falls under Article 5.2.1 of the ESA PDP Policy, i.e.:
    1. for the performance of an activity carried out by ESA within its purpose and in the framework of, and in conformity with, the ESA Convention, the Policy on Personal Data Protection adopted by Director General of ESA on 1 March 2022 “Agreement between the States Parties to the Convention for the establishment  of a European Space ESA and the European Space ESA for the protection and the exchange of classified information” done in Paris on 19 August 2002, and the applicable rules and procedures, including ESA Security Regulations and Directives; this includes Processing necessary for ESA’s management and functioning, Dispute Resolution Procedure, and or Investigation Procedures; or
    2. for compliance with a legal obligation to which ESA is subject; or
    3. for tasks in the frame of ESA’s cooperation with the competent authority of Member States, in order to facilitate the proper administration of justice; or
    4. for security; or
    5. for the performance of a contract concluded by ESA within its purpose in relation with an activity carried out by ESA in the framework of, and in conformity with, the ESA Convention and the applicable rules and procedures;
    1. for Your legitimate interest; or
    2. for purposes covered by Your Consent, as it may be obtained from You as mentioned herein or under a separate document (e.g. Consent form).

5.2 Grounds for processing sensitive personal data under ESA PDP Policy
In addition, We may process Your data under Article 5.2.2 of the ESA PDP Policy concerning Sensitive Personal Data, i.e. when the processing:
  1. is covered by Your Consent, as it may be obtained from You under a separate document (e.g. Consent form); or
  2. relates to Sensitive Personal Data which are manifestly made public by any means (for instance, social media) by You;
  3. is necessary for:
  • the protection of Your vital interests or of another natural person where the You are physically or legally incapable of giving Consent;
  • Dispute Resolution and Investigation Procedures;
  • the purposes of carrying out obligations of ESA under the applicable Staff Regulations, Rules and Instructions or Pension Rules or the provision of health or social care or the treatment or the management of health or social care systems and services;
  • the protection against serious threats to security or individual or public health.

5.3 Consent
When consent is the most appropriate lawful basis for processing, it will be requested from You and you can refuse to consent. Depending on the situation, Your consent may be given by various modalities (e.g. written form, verbally) and may in particular result from:
  1. filling in paper consent forms, responding to questionnaires,
  2. oral statements or gestures (e.g. a nod of the head) that signifies agreement (e.g. for instance, expressed in a video or voice recording),
  3. use of electronic means, such as mouse-click, swipe, keystroke,
  4. use of a service-specific user interface (for example, via a website, an app, a log-on account, the interface of an IoT device or by e-mail), choosing certain settings in connection thereof,
  5. filling in electronic consent forms, using digital signatures, sending email(s), sending SMS, filling in web forms for newsletter subscriptions, filling in event registration forms, responding to surveys, filling in and submitting applications,
  6. positive behaviour or action, based on the knowledge of the fact that such behaviour or action involves agreement, such as:
       - you enter into an area covered by a privacy notice on video recording;
       - you drop your business card in an area dedicated to collecting information for the purposes indicated in that area;
       - you publicly express opinions, make statements, create posts, share declarations, aware of the fact that each of them may trigger responses in connection with the subject matter covered by such opinions, statements, posts, declarations;
       - you send your name and address to us to obtain information from us.
When you consented to specific processing, you may withdraw the consent or exercise your rights in line with Article 9 herein. Unless otherwise advised in a separate notice or by ESA DPO, you can withdraw consent by contacting DPO@esa.int
For example: In case you provided your consent to subscribe to an activity, we may process all the data on your interests to build a profile of the topics you are interested in. If you unsubscribe, we delete retrievable personal data relating to or collected in the context of the activity from our systems and services, including the profile(s) relating to you, where ESA is Controller.
If Your data was processed for several purposes, We will not process personal data for the purposes for which consent has been withdrawn.

​​​​​     6.   In which circumstances may We transfer or provide access to Your personal data?
 
At times, it is necessary for us to disclose Your personal data to authorised recipients, to the extent this is necessary for carrying out the processing operations referred to in this notice. Typically, the third-party recipients include:
1/ third party providers: We may engage various service providers such as:
  1. providers in charge with the organisation and management of communication activities,
  2. providers involved in the management of social media accounts,
  3. providers involved in marketing, advertising activities, managing newsletters, managing statistics and media services,
  4. providers of cloud/data hosting services,
  5. providers of website related services,
  6. providers enabling Us to manage our contracting process,
  7. providers ensuring the security of our premises,
  8. providers enabling Us to provide you with working tools, etc.
2/ partners of ESA, in relation to ESA activities and programmes and, generally, in relation to ESA mission as foreseen in ESA Convention, whether they are individuals, companies, investors, education institutions, research organisations or other legal entity;
3/ ESA governing bodies and authorities and their subordinate bodies, as required by the legal framework applicable to ESA, including ESA Member States’ delegations, experts and advisors, for the purposes of performing their role in relation to the Agency, in the light of the ESA Convention and all the applicable rules and regulations;
4/ other third parties interacting with ESA under a specific framework.
These third-party recipients are generally situated in the European Union, the European Economic Area or in countries that offer an adequate level of protection equivalent to that offered within the European Union and the European Economic Area (e.g. Argentina, Canada, Japan, Switzerland, United-Kingdom).
When the third-party data recipients are located in a country or international organisation not offering an adequate level of protection (e.g., Australia, United States, etc.), we take necessary measures to safeguard your data, in line with the conditions set forth in ESA PDP framework.
Additionally, we may utilise services provided by IT providers or integrate social media features into our platforms. In such instances, these IT providers or social media platforms may provide links to their respective websites, where they conduct their own data processing activities. It is entirely at your discretion whether you choose to access and utilise these social media features, depending on the terms and conditions applicable to each platform. If you prefer not to engage with social media or not to accept their terms and conditions, you have the option to refrain from accessing or using these platforms. Your decision regarding social media usage is within your control.
In case of transfer of personal data to the United States or other countries not offering an adequate level of protection, transfer may expose You to certain risks, particularly the risk of profiling, the risk that the applicable legal framework may allow further processing of the personal data and that any given consent may not be withdrawn.
In exceptional cases, for instance in case of a criminal offence evidenced by the collection or processing of data, we may share the said data with the appropriate authorities or bodies, including those having an investigative role or those involved in the concerned legal proceedings.
Regarding Microsoft Corporation, Customer Data, Professional Services Data, and Personal Data that Microsoft processes on ESA’s behalf may not be transferred to or stored and processed in a geographic location except in accordance with the DPA Terms and the safeguards provided below.
Microsoft Corporation is at the time of writing an active participant in the EU-U.S. Data Protection Framework (DPF) Certification Scheme (https://www.dataprivacyframework.gov/s/ ) and as such, is considered as per the decision of the European Commission to provide an adequate level of protection for personal data transferred to it as recipient under the EU General Data Protection Regulation (GDPR).
 
​​​​​     7.   How long do we retain personal data for?

Your data are stored for the shortest time possible, considering the reasons why we need to process Your data, as well as all legal obligations applicable to ESA. The ESA established time limits to erase or review the data stored. Retention periods applied by the ESA are proportionate to the purposes for which they were collected. Thus, the ESA will keep Your personal data for as long as necessary for the fulfilment of those purposes and shall be deleted afterwards. By way of exception, We may keep Your personal data for a longer period, for archiving purposes in the public interest or for reasons of scientific or historical research, being reminded that appropriate technical and organisational measures are put in place (e.g. anonymisation, encryption, etc.).
 
Personal Data
Retention
Personal Data as detailed in point (2) of this Privacy Notice.
5 years.
Diagnostic data
Up to 180 days after a user or administrator deletes data, or administrators delete a user. 

     8.   How do We protect and safeguards Your personal data?


All processing operations are carried out pursuant to ESA Rules and Regulations, including ESA PDP Framework and ESA Security Regulations. In particular, the ESA collects and processes personal data in conditions protecting confidentiality, integrity and security of personal data.


In order to protect Your personal data, ESA has implemented a number of technical and organisational measures against the risks of loss as well as against unauthorised access, destruction, use, modification or disclosure of personal data, in particular when such risks concern sensitive personal data.


These measures consider the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. They may include, as appropriate, the pseudonymisation and encryption of personal data.


ESA has also implemented several safeguards to ensure the availability of the information. This includes safeguards against accidental or unlawful destruction, loss, unauthorised access, use, modification or disclosure of personal data. These internal controls are audited on a yearly basis.  Data is replicated between data centres, redundancy controls are in place and backups are implemented and encrypted in order to prevent any kind of data loss event.

 

     9.   What are Your rights as data subject and how can you exercise them?


Under conditions detailed in the ESA PDP Framework, You have:
  • the right to be informed about the identity of the data controller, the contact details of the data protection officer, the purpose of the data processing, the data recipients to whom the personal data shall be disclosed, the rights of rectification or erasure of his/her data, the storage time-limits (if any), the practical modalities of exercising the rights, etc. ; this is the purpose of this privacy notice and any other notice referred to herein ;
  • the right to access the personal data We process about You; unless you have access to such data via an account, you may send us your request by email to dpo@esa.int ;
  • the right to have Your personal data erased, rectified, completed; if you want to review and correct the personal information, you can either do it yourself, in case you have access to such data via an account, or you may send us your request by email to dpo@esa.int ;
  • the right to lodge a complaint before the Supervisory authority, in accordance with the latter’s rules of procedure. In case You demonstrate, or have serious reasons to believe, that a data protection incident occurred in relation with Your personal data, following a decision of ESA, you may send notify us thereof by email to dpo@esa.int.
Once a request to erase data is received, we will ensure that the data are deleted unless it can be processed on another legal ground, as mentioned in Article 5.1 above. If Your data was processed for several purposes, We do not process personal data for the part of the processing for which consent has been withdrawn.


For instance:
  • Your personal data may continue to be processed for the performance of a legal obligation of ESA or where such data is necessary for the establishment, exercise, or defence of legal claims;
  • If there are multiple processing concerning You, based on consent, You have to expressly indicate which consent you wish to withdraw.
When the processing of Your personal data are based on Your consent and unless a specific case applies (e.g. see Article 6 above), You have also the right to withdraw Your consent.


You may wish to exercise any of the above-mentioned rights, by sending a request explicitly specifying Your query to the ESA DPO via e-mail at dpo@esa.int


You may be asked additional information to confirm your identity and/or to assist ESA to locate the data You are seeking.


     10.   ESA Contractors


ESA may enter into contracts with various contractors who, with regard to Your Personal Data and depending on the contract concluded with ESA, may act either as a separate Data Controller or as a Data Processor.
  • To the extent such contractor act as a separate Data Controller, the separate privacy notice of the contractor will apply for the purposes of collection and processing decided by the contractor.
  • To the extent such contractor act as a Data Processor, this privacy notice applies for the purposes of collection and processing decided by ESA.

​​​​​     11.   Specific rules for children


If Your children want to interact or otherwise engage with ESA, they will often need approval from You, as their parent or legal guardian, as the child's personal data will be collected for these purposes.


Your child will no longer need parental consent once they have reached the age of majority according to the applicable jurisdiction. We will by default ask for parental consent for any child that is under 16 years old. We may ask for your contact data (e.g. email address) in order to be able to verify your identity and ensure that We have your explicit consent to collect and use your child’s data.

ESA applies appropriate organisational measures to protect personal data, in case of data privacy queries, please contact the ESA Data Protection Officer (dpo@esa.int).