Introduction
The European Space Agency (herein the “Agency” or “ESA”) is an intergovernmental organisation established by its Convention opened for signature in Paris on 30 May 1975 having its headquarters located at 24 rue du Général Bertrand, CS 30798, 75345 Paris Cedex 07, France.
Protection of Personal Data is of great importance for ESA, which strives to ensure a high level of protection as required by the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) which applies in this field, available at:http://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations.
ESA PDP Framework is composed of the following elements:
- the Principles of Personal Data Protection, as adopted by ESA Council Resolution (ESA/C/CCLXVIII/Res.2 (Final)) adopted on 13 June 2017;
- the Rules of Procedure for the Data Protection Supervisory Authority, as adopted by ESA Council Resolution (ESA/C/CCLXVIII/Res.2 (Final)) adopted on 13 June 2017; and
- the Policy on Personal Data Protection adopted by Director General of ESA on 5 February 2018 and effective on 1 March 2018.
This notice is also enables ESA to inform you relating to the collection and further processing of your personal data, under ESA PDP Framework.
(1) Who is the Data Controller?
Your personal data are collected and further processed as shown below upon the decision taken alone by:
ESA HIF
Thus the Data Controller is ESA.
(2) What are the contact details of ESA Data Protection Officer?
According to ESA PDP Framework, your first point of contact concerning personal data matters is the ESA Data Protection Officer (“DPO”), who may be contacted at DPO@esa.int.
(3) What kind of personal data about you are collected and further processed?
The personal data which may be collected and further processed for the purposes mentioned below are in particular.
- Name, Surname, Username, Email address, IP address, anonymous analytics on the use of the website;
- The Archives Portal contains pictures for Historical and archiving purposes. These pictures contain metadata (no personal information) in according with the Dublin Core Standard for the metadata.
You are required not to send to the Agency any sensitive information (including information that indicate, directly or indirectly, the personnel’s race and ethnic origin, political opinions, adhesion to unions, parties etc., religious or philosophical believes, health information, genetic or biometric data, sexual orientation or preferences, criminal convictions or children’s data (if applicable).
(4) How are your personal data collected or further processed?
For Employees personal data are collected via the ESA Active Directory (DAM).
For Registered users, data is collected at the creation of your account and in the management of the profile.
(5) Why are your personal data collected and further processed?
Your personal data are collected and further processed so that ESA can:
- Username and Email are used to identify and authenticate users in order to provide access to the portal. The Name and/or surname are used in order to identify individuals on the pictures archived.
- Name surname and email address of ESA staff members is used to access ESA Archives Portal.
- Integration with ADFS/DAM, only query results and authorization from DAM are processed. The account remains with DAM.
- Analytics data on the use of the website: visits, access to pages, partial IP of the user). These analytics are done using the ESA web analytics tool.
- The activity consists of archiving pictures for ESA and for Historical purposes. These pictures may include individuals that participated to events or work projects of ESA.
In addition to these purposes, the Agency may use your personal information for any of the purposes mentioned in Article 5 of the Policy on Personal Data Protection.
(6) What is the legitimate ground to collect your personal data?
Your personal data will be collected because it is necessary for:
- the Agency’s management and functioning.
(7) To whom might we disclose your personal data?
The Agency may disclose your personal data to any of the following recipients for the fulfilment of all or part of the purposes of the collection and processing of personal data, which are mentioned above:
- DB Seret (Italy) is the company developing the web application underlying the ESA Archives Portal;
- ImmediaIT (Spain) ensures the maintenance of the Archives Portal and therefore may have access to personal data during administration interventions.
The Agency does not consider your personal data as an asset for sale and, thus, does not sell your personal data to any third parties.
(8) How long do we retain your personal data for?
The Agency may keep your personal data:
- For up to 2 years after the last access to the portal in order to maintain an access to the portal to the user. Above this period, user access is not considered as required or reasonable to maintain.
(9) How can you access, erase, rectify, complete or amend your personal data?
You may request the access, erasure, rectification, completion or amendment of your personal data if, and to the extent that it is considered necessary, having regard to the purposes for which they are collected and processed, or if they are processed in violation with the principles referred in ESA PDP Framework.
If you choose to make a request for the erasure of personal data, you understand and agree that you may not receive corporate communication.
The above-mentioned request should be submitted to the ESA DPO, as first point of contact, by sending an email to: dpo@esa.int.
You may also be allowed access to your personal data and have the possibility to erase, rectify, complete or amend it, according to the following modalities:
Contact esait.servicedesk@esa.int or the DPO at dpo@esa.int.
(10) What could you do in case of a data protection incident?
In case of a data protection incident, you should contact ESA DPO, as first point of contact, by sending an email to: dpo@esa.int.
In case you wish to submit a complaint, you are required to comply with the Rules of Procedure of the Supervisory Authority set forth by ESA PDP Framework. You will be required to demonstrate that a data protection incident occurred in relation to your personal data, following a decision of the Agency or at least to justify serious reasons to believe that such incident occurred.