HomePrivacy notice
Privacy notice

Privacy notice

European Space Agency (herein the “Agency” or “ESA” or “We”) is committed to protect Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) available at: https://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations

The ESA PDP Framework is composed of the following elements:

  • The Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
  • The Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
  • The Policy on Personal Data Protection (including its Annex “Governance Scheme of the Agency’s Personal Data Protection”) adopted by Director General of ESA on 1 March 2022 (“ESA PDP Policy”).

This notice is intended to describe why and how Your personal data are collected and processed by, or on behalf of, the Agency, as Data Controller, as well as what rights You have in relation to Your personal data. It also informs You about the contact details of the Data Protection Officer. This privacy notice was last updated on 18/10/2023. It must be read in conjunction with the ESA PDP Framework and other privacy notices referred to herein.

(1) What are the relevant contact details for this notice?

The ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int or: ESA Headquarters; Data Protection Officer; 8-10 RUE MARIO NIKIS; CS 45741; 75738 PARIS CEDEX 15; FRANCE.

As the collection and processing concerned by this notice is performed upon initiative of ECSS, questions may also be addressed to: ecss-secretariat@esa.int

(2) What kind of personal data are collected and further processed?

ESA collects and processes a variety of Your personal data and may require You to provide personal data for the purposes mentioned further below. The personal data which may be collected and further processed for the purposes mentioned below are in particular:

  • Name
  • Phone number
  • E-mail
  • Organisation
  • Geographical location of your organisation
  • Information in connection with your use of the website, such as information in server logs, including information on how the website was used by you, your search queries,
  • IP (internet protocol) address and data about your [system activity, hardware settings, browser settings, date and time of your request]
  • Cookies
  • Other information that you provide and which may directly or indirectly identify you;

You are required not to send to the Agency any sensitive information (including information that indicate, directly or indirectly, the personnel’s ethnic origin, political opinions, adhesion to unions, parties etc., health situation, sexual orientation).

(3) How are Your personal data collected or further processed?

Your personal data may be collected by various means, including via registration to the ECSS website and your Website usage.

(4) Why are Your personal data collected and further processed?

We collect and process Your personal data because it is necessary for the activities conducted to fulfil Our purpose, which is “to provide for and to promote, for exclusively peaceful purposes, cooperation among European States in space research and technology and their space applications, with a view to their being used for scientific purposes and for operational space applications systems” (as per ESA Convention). We serve the public interest, and we wish to foster the public interest in space activities and programmes.

Your personal data are collected and further processed so that ESA (on behalf of ECSS) can:

  • send you notifications in connection with the ECSS activities
  • provide you access to, and enable the use of the website ; to improve the you user experience and customise this experience to your stated / selected needs;
  • highlight and promote the website / training events and to communicate news regarding ECSS on the website
  • to send you newsletters and new features in relation to ECSS activities
  • to conduct surveys and gather user feedback
    • the information is used for the purpose of optimising the ECSS users when using the ECSS website, ECSS products or training.
    • may be used to categorise the browser on your computer and support us in storing user preferences and usage trends such as preferred documents or searches.

In addition to these purposes, the Agency may use your personal information for any of the purposes mentioned in Article 5 of the Policy on Personal Data Protection.

(5) On what legal grounds do We collect and process Your data?

We process Your personal data pursuant to the ESA PDP Framework, in particular pursuant to Article 5 of the ESA PDP Policy, for fair, specified and legitimate purposes or for purposes compatible therewith. Other ESA Rules and Regulations may serve as legal basis, as they may be indicated to You in additional notices, as appropriate.

What are the legal grounds for processing Your personal data?

5.1 General grounds for processing under ESA PDP Policy

Generally, the processing referred to in this notice falls under Article 5.2.1 of the ESA PDP Policy, i.e.:

  1. for the performance of an activity carried out by the Agency within its purpose and in the framework of, and in conformity with, the ESA Convention, the Policy on Personal Data Protection adopted by Director General of ESA on 1 March 2022 “Agreement between the States Parties to the Convention for the establishment of a European Space Agency and the European Space Agency for the protection and the exchange of classified information” done in Paris on 19 August 2002, and the applicable rules and procedures, including ESA Security Regulations and Directives; this includes Processing necessary for the Agency’s management and functioning, Dispute Resolution Procedure, and or Investigation Procedures; or
  2. for compliance with a legal obligation to which the Agency is subject; or
  3. for tasks in the frame of the Agency’s cooperation with the competent authority of Member States, in order to facilitate the proper administration of justice; or
  4. for security; or
  5. for the performance of a contract concluded by the Agency within its purpose in relation with an activity carried out by the Agency in the framework of, and in conformity with, the ESA Convention and the applicable rules and procedures;
  6. for Your legitimate interest; or
  7. for purposes covered by Your Consent, as it may be obtained from You as mentioned herein or under a separate document (e.g. Consent form).

(6) In which circumstances may We transfer or provide access to Your personal data?

At times, it is necessary for us to disclose Your personal data to authorised recipients (e.g., ESA staff members, advisors, contractors), under a “need to know” principle, for carrying out the processing operations referred to in this notice. Typically, the third-party recipients include:

1/ service providers: We may engage various service providers such as:

  • providers in charge with the organisation and management of communication activities,
  • providers involved in the management of social media accounts,
  • providers involved in advertising activities, managing newsletters, managing statistics and media services,
  • providers of cloud/data hosting services,
  • providers of website related services,
  • providers enabling Us to manage our contracting process,
  • providers ensuring the security of our premises,
  • providers enabling Us to provide you with working tools, etc.

2/ partners of ESA, in relation to ESA activities and programmes and, generally, in relation to ESA mission as foreseen in ESA Convention;

3/ ESA governing bodies ad authorities and their subordinate bodies, as required by the legal framework applicable to ESA.

It is important to note that these third-party recipients are generally situated in the European Union, the European Economic Area or in countries that offer an adequate level of protection equivalent to that offered within the European Union and the European Economic Area (e.g. Argentina, Canada, Japan, Switzerland, United-Kingdom).

When the third-party data recipients are located in a country or international organisation not offering an adequate level of protection (e.g., Australia, United States, etc.), we take necessary measures to safeguard your data, in line with the conditions set forth in ESA PDP framework.

Additionally, we may utilise services provided by IT providers or integrate social media features into our platforms. In such instances, these IT providers or social media platforms may provide links to their respective websites, where they conduct their own data processing activities. It is entirely at your discretion whether you choose to access and utilise these social media features, depending on the terms and conditions applicable to each platform. If you prefer not to engage with social media or accept their terms and conditions, you have the option to refrain registering as a user on these platforms. Your decision regarding social media usage is within your control.

In case of transfer of personal data to the United States or other countries not offering an adequate level of protection, transfer may expose You to certain risks, in particular the risk of profiling, the risk that the applicable legal framework may allow further processing of the personal data and that any given consent may not be withdrawn.

In exceptional cases, for instance in case of a criminal offence evidenced by the collection or processing of data, we may share the said data with the appropriate authorities or bodies, including the ones having an investigative role or the ones involved in the concerned legal proceedings.

(7) How long do We retain Your personal data for?

Your data are stored for the shortest time possible, taking into account the reasons why we need to process Your data, as well as all legal obligations applicable to the Agency. The Agency established time limits to erase or review the data stored. Retention periods applied by the Agency are proportionate to the purposes for which they were collected. Thus, the Agency will keep Your personal data for as long as necessary for the fulfilment of those purposes and shall be deleted afterwards.

(8) How do We protect and safeguard Your personal data?

All processing operations are carried out pursuant to ESA Rules and Regulations, including ESA PDP Framework and ESA Security Regulations. In particular, the Agency collects and processes personal data in conditions protecting confidentiality, integrity and security of personal data.

In order to protect Your personal data, ESA has implemented a number of technical and organisational measures against the risks of loss as well as against unauthorised access, destruction, use, modification or disclosure of personal data, in particular when such risks concern sensitive personal data.

These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. They may include, as appropriate, the pseudonymisation and encryption of personal data.

(9) What are Your rights as data subject and how can you exercise them?

Under conditions detailed in the ESA PDP Framework, You have:

  • the right to be informed about the identity of the data controller, the contact details of the data protection officer, the purpose of the data processing, the data recipients to whom the personal data shall be disclosed, the rights of rectification or erasure of his/her data, the storage time-limits (if any), the practical modalities of exercising the rights, etc.; this is the purpose of this privacy notice and any other notice referred to herein;
  • the right to access the personal data We process about You; unless you have access to such data via an account, you may send us your request by email to dpo@esa.int;
  • the right to have Your personal data erased, rectified, completed; if you want to review and correct the personal information, you can either do it yourself, in case you have access to such data via an account, or you may send us your request by email to dpo@esa.int ;
  • the right to lodge a complaint before the Supervisory authority, in accordance with the latter’s rules of procedure. In case You demonstrate, or have serious reasons to believe, that a data protection incident occurred in relation with Your personal data, following a decision of the Agency, you may send notify us thereof by email to dpo@esa.int.

Once a request to erase data is received, we will ensure that the data is deleted unless it can be processed on another legal ground, amongst the ones mentioned in Article 5.1 above. If Your data was being processed for several purposes, We will not use the personal data for the part of the processing for which consent has been withdrawn.

For instance:

  • Your personal data may continue to be processed for the performance of a legal obligation of ESA or where such data is necessary for the establishment, exercise, or defence of legal claims;
  • If there are multiple processing concerning You, based on consent, You have to expressly indicate which consent you wish to withdraw.

When the processing of Your personal data is based on Your consent and unless a specific case applies (e.g. see Article 6 above), You have also the right to withdraw Your consent.

You may wish to exercise any of the above-mentioned rights, by sending a request explicitly specifying Your query to the ESA DPO via e-mail at dpo@esa.int

You may be asked additional information to confirm your identity and/or to assist ESA to locate the data You are seeking.

(10) Specific rules for children

If Your children want to interact or otherwise engage with ESA, they will often need approval from You, as their parent or legal guardian, as the child’s personal data will be collected for these purposes.

Your child will no longer need parental consent once they have reached the age of majority according to the applicable jurisdiction. We will by default ask for parental consent for any child that is under 16 years old. We may ask for your contact data (e.g. email address) in order to be able to verify your identity and ensure that We have your explicit consent to collect and use you child’s data.