Privacy Notice: Nav-FG: GENESIS Science Workshop

Released by: European Space Agency, as Data Controller

Addressed to: individuals whose personal data is collected and processed

The European Space Agency (herein the “Agency” or “ESA” or “We”) is committed to protecting Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”), available at: http://www.esa.int/About_Us/Law_at_ESA/Highlights_of_ESA_rules_and_regulations and composed of:

  • The Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
  • The Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
  • The Policy on Personal Data Protection (including its Annex “Governance Scheme of the Agency’s Personal Data Protection”) adopted by Director General of ESA on 1 March 2022 (“ESA PDP Policy”).

This notice is intended to describe why and how Your personal data are collected and processed by, or on behalf of, ESA, as Data Controller, upon initiative of ESA NAV F Department, as well as what rights You have in relation to Your personal data. It also informs You about the contact details of the Data Protection Officer. This privacy notice was last updated on 25/09/2023. It must be read in conjunction with the ESA PDP Framework and other privacy notices referred to herein.

ESA processes your personal data to organise and manage the Workshops, Conferences, Symposia held on ESA premises or online, commissioning ATPI (the Netherlands) Services as Processor. ESA is Controller for personal data related to selection of panellists, or selection of abstracts, when ESA processes such data. For these purposes only as well as for the purposes mentioned in Article 5 of ESA Policy on Personal Data Protection, ESA is Data Controller. ESA does not instruct any third party to conduct any web analytics, profiling, or any other processing on ESA’s behalf, other than the purposes mentioned.

Members of selection committees or bodies that select abstracts may act as separate Controllers and may be in territories not having an Adequate Level of Protection such that ESA implements appropriate protection for Disclosures of personal data.

Social media, LinkedIn, Twitter, external websites, etc., may be used to publish photographs, video recordings or interviews or information related to the events. These act as separate Controllers, each responsible for their personal data processing activities; please consult their privacy notices and websites for further information. You have the right to decline your participation in such processing.

(1)   What are the relevant contact details for this notice?

The ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int or: ESA Headquarters; Data Protection Officer; 8-10 RUE MARIO NIKIS; CS 45741; 75738 PARIS CEDEX 15; FRANCE.

As the collection and processing concerned by this notice is performed upon initiative of the ESA HIF-E Department, questions may also be addressed to: the ESA Conference Bureau (ATPI Corporate Events) ESAConferenceBureau@atpi.com.

(2)   What kind of personal data are collected and further processed?

ESA collects and processes a variety of Your personal data and may require You to provide personal data for the purposes mentioned further below. Depending on the purpose for which they are collected and further processed, the personal data may include:

  • Identity Data: including names, nationality, country of residence;
  • Contact information: including address, email address and telephone number;
  • Professional information: including job title and address;
  • Technical data, including online identifiers: for example, internet protocol (IP) address or domain names of the devices utilised, login data, browser type and version, uniform resource identifier (URI) address, time zone setting and location, browser plug-in types and versions, ESA or other operating system and platform and other technology on the devices you are using - collected when you access our Website, our electronic portals and platforms which we offer or which we have agreed with you to use or made available to you where you have agreed to their use;
  • Photo: including photographs, likeness, image, where you have consented;
  • Audio-video recording, statements, interviews, where you have consented;
  • CCTV (“closed-circuit television”) and physical security data: CCTV footage and other information relating to access of our facilities obtained through electronic means;
  • Other personal information You may provide, in particular content of exchanges with the Agency, as for instance dietary preferences, assistance requests;
  • Sensitive personal data subject to ESA PDP Framework. ESA does not require you to provide special categories of personal data, e.g., sensitive personal data about health, religion, philosophical beliefs, or disabilities. If you do provide such data, it is only processed for providing disability support or essential dietary requirements upon your explicit request. 

(3)   How are Your personal data collected or further processed?

ESA commissions the Processors, ATPI Services, to deliver ESA Conference Bureau services.

Dropbox: may be used by ESA to exchange data / personal data.

ESA Cisco Webex Videoconferencing Service may be used to enable participation during the event. For this purpose, some personal data (including Audio and Video Data) may be processed by Cisco Systems, strictly limited to the European Union as per contractual obligations implemented between ESA and Cisco Systems Inc. Personal Data collected is limited to the necessary. The Webex privacy notice is made available to you when you use the tool.

ESA Processor: ATPI / Letsgetdigital processes personal data under ESA contract in Europe.

(4)   Why are Your personal data collected and further processed?

ESA processes the personal data of participants for the following purposes: managing invitations, registrations, participation requests, facilitating remote participation and distribution of the list of participants, managing on premises presence, badges and identity verification for security, promoting the event in social media. ESA also processes personal data of participants for reporting on the event, to distribute presentations to participants and potentially for satisfaction surveys. Where you have consented, ESA may keep your contact details in order to invite you to future similar events or future meetings within the scope of the activity. Your personal data may be accessed by the ESA event organisation team and service providers (ESA Conference Bureau, ATPI Services) under ESA contract, ESA workforce members of the HIF-E team and ESA IT support teams.

We collect and process Your personal data because it is necessary for the activities conducted to fulfil Our purpose, which is “to provide for and to promote, for exclusively peaceful purposes, cooperation among European States in space research and technology and their space applications, with a view to their being used for scientific purposes and for operational space applications systems” (as per ESA Convention). We serve the public interest, and we seek to foster the public interest in space activities and programmes. All the processing carried out by, or on behalf of, ESA upon initiative of the HIF-E Department falls in this general purpose and, in particular, into one of the reasons permitted under ESA PDP Framework, in particular under ESA PDP Policy. ESA initiates webinars, conferences, symposia, events and workshops for the purpose of promoting the space industry and enhancing collaboration. Video recordings are created to enable those not present at the event or the interested public to view it for educational purposes via ESA social media or websites, etc. In any case, we do not use your personal data for activities where our interests are overridden by the impact on you, unless we have your consent or are otherwise required or legally permitted.

(5)   On what legal grounds do We collect and process Your data?

We process Your personal data pursuant to the ESA PDP Framework, in particular pursuant to Article 5 of the ESA PDP Policy, for fair, specified and legitimate purposes or for purposes compatible therewith. The processing of your personal data by ESA for this event is lawful as it is necessary for the performance of a task carried out in the public interest.

Generally, the processing referred to in this notice falls under Article 5.2.1.i. of the ESA PDP Policy, i.e.:

  • (a) for the performance of an activity carried out by the Agency within its purpose and in the framework of, and in conformity with, the ESA Convention, the Policy on Personal Data Protection adopted by Director General of ESA on 1 March 2022 “Agreement between the States Parties to the Convention for the establishment  of a European Space Agency and the European Space Agency for the protection and the exchange of classified information” done in Paris on 19 August 2002, and the applicable rules and procedures, including ESA Security Regulations and Directives; this includes Processing necessary for the Agency’s management and functioning, Dispute Resolution Procedure, and or Investigation Procedures; or
  • (d) for security; or
  • (e) for the performance of a contract concluded by the Agency within its purpose in relation with an activity carried out by the Agency in the framework of, and in conformity with, the ESA Convention and the applicable rules and procedures;
  • (f) for Your legitimate interest; or
  • (g) for purposes covered by Your Consent, where applicable, as it may be obtained from You under a separate document (e.g., Consent form).

In addition, We may process Your data under Article 5.2.2 of the ESA PDP Policy concerning Sensitive Personal Data, i.e. when the processing:

i. is covered by the Consent of the Data Subject; or

ii. relates to Sensitive Personal Data which are manifestly made public by any means (for instance, social media) by the Data Subject; or

iii. is necessary for:

  • (a) the protection of the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving Consent; or
  • (b) Dispute Resolution and Investigation Procedures; or
  • (d) the protection against serious threats to security or individual or public health.
  • Other ESA Rules and Regulations may serve as legal basis, as they may be indicated to You in additional notices, as appropriate.

Depending on the situation, we may consider that your consent is given by various modalities and may result from affirmative motions (e.g., swiping on a screen), browser settings, written statements, filling an electronic online form, sending an email, uploading a scanned document with their signature, using an electronic signature and other modalities that may appear in the future.

(6)   In which circumstances may We transfer or provide access to Your personal data?

Where relevant, We may disclose Your personal data to recipients (e.g. ESA staff members, advisors, contractors), under a “need to know” principle, for carrying out the processing operations referred to in this notice. They are generally located in the European Union, the European Economic Area or in countries that offer an adequate level of protection equivalent to that offered within the European Union and the European Economic Area (e.g. Argentina, Canada, Japan, Switzerland, United Kingdom).

When the third-party data recipients are located in a country or international organisation not offering an adequate level of protection (e.g. Australia, United States, etc.), We will not proceed to the transfer of Your data unless You consented to it or unless the conditions set forth in ESA PDP framework (see Article 5.3 of ESA PDP Policy) are fulfilled. As appropriate, We take adequate safeguards (e.g. via appropriate contractual clauses) in order to obtain from third-party recipients a level of protection equivalent to that offered within the European Union and the European Economic Area.

In case of transfer of personal data to the United States or other countries not offering an adequate level of protection, transfer may expose You to certain risks, in particular the risk of profiling, the risk that the applicable legal framework may allow further processing of the personal data and that any given consent may not always be withdrawn.

You may be provided with information regarding the privacy notices of separate controllers of personal data either herein or elsewhere in Our communications to you.

In exceptional cases, for instance in case of a criminal offence evidenced by the collection or processing of data, we may share the said data with the appropriate authorities or bodies, including the ones having an investigative role or the ones involved in the concerned legal proceedings.

Your contact details (Name, E-Mail Address) may be shared with other participants at the event if you have indicated your interest in sharing these when registering for the conference or adding your name to a list for the purpose of sharing contact details.

ATPI, as ESA Processor, processes personal data in the Netherlands. ATPI uses the Sub-processor LetsgetDigital with a tool configuration and a contract ensuring that processing occurs only in the Netherlands.

(7)   How long do We retain Your personal data for?

Your data are stored for the shortest time possible, taking into account the reasons why we need to process Your data, as well as all legal obligations applicable to the Agency. The Agency established time limits to erase or review the data stored. Retention periods applied by the Agency are proportionate to the purposes for which they were collected. Thus, the Agency will keep Your personal data for as long as necessary for the fulfilment of those purposes, which will be at least for the duration mentioned in the Table below. Your Personal Data is deleted upon expiry of the applicable retention period. By way of exception, We may keep Your personal data for a longer period, for archiving purposes in the public interest or for reasons of scientific or historical research, being reminded that appropriate technical and organisational measures are put in place (e.g. anonymisation, encryption, etc.).

| Personal Data | Retention |
| --- | --- |
| ESA internal systems | Up to 10 years |
| ATPI, LetsgetDigital, Conf Tool | 5 years as per contract, after the end of the activity, then deletion |
| ESA Webex/Cisco | Audio/Video data is retained only for the duration of the meeting. Some further Data (chat, signup information) may be retained for 6 months after the event and then automatically deleted. |
| ESA Teams | For the duration of the meeting, deletion immediately after the meeting ends. For recorded data, up to 5 years, thereafter deleted. |
| ESA Records of consent | 5 years after the end of the activity |
| Photos, video recordings on websites and social media | Please refer to the privacy notice of the separate Controllers |
| Dropbox / ESA OneDrive | For the duration of the legitimate purpose, thereafter deleted |
| ESA held scientific/technical papers | Permanent retention for historic/research purposes, ESA Archives |

To the extent your personal data are collected via a web account, You have the possibility to delete the personal data as well as the account in your account's settings.

(8)   How do We protect and safeguard Your personal data?

All processing operations are carried out pursuant to ESA Rules and Regulations, including ESA PDP Framework and ESA Security Regulations. In particular, the Agency collects and processes personal data in conditions protecting confidentiality, integrity, and security of personal data.

In order to protect Your personal data, ESA has implemented a number of technical and organisational measures against the risks of loss as well as against unauthorised access, destruction, use, modification or disclosure of personal data, in particular when such risks concern sensitive personal data. These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. They may include, as appropriate, the pseudonymisation and encryption of personal data.

(9)   What are Your rights as data subject and how can you exercise them?

Under conditions detailed in the ESA PDP Framework, You have:

  • the right to be informed about the identity of the data controller, the contact details of the data protection officer, the purpose of the data processing, the data recipients to whom the personal data shall be disclosed, the rights of rectification or erasure of his/her data, the storage time-limits (if any), the practical modalities of exercising the rights, etc.; this is the purpose of this privacy notice and any other notice referred to herein;
  • the right to access the personal data We process about You;
  • the right to have Your personal data erased, rectified, completed;
  • the right to lodge a complaint before the Supervisory authority, in accordance with the latter’s rules of procedure, in case You demonstrate or have serious reasons to believe that a data protection incident occurred in relation with Your personal data, following a decision of the Agency.

Note however that We may not erase Your personal data in case the processing is based on the performance of a legal obligation of ESA or where such data is necessary for the establishment, exercise, or defence of legal claims.

When the processing of Your personal data is based on Your consent and unless a specific case applies (e.g. see Article 6 above), You have also the right to withdraw Your consent.

You may wish to withdraw Your consent or to exercise any of the above-mentioned rights, by sending a request explicitly specifying Your query to the ESA DPO via e-mail at dpo@esa.int or addressed to the: ESA Headquarters, Data Protection Officer, 8-10 RUE MARIO NIKIS, CS 45741 75738 PARIS CEDEX 15, FRANCE via postal service. You may be requested to provide additional information to confirm your identity and/or to assist ESA to locate the data You are seeking.

Please note that withdrawing consent does not affect the lawfulness of any processing based on the consent given before this consent is withdrawn.

In cases where a participant’s request to ESA relates to the processing of personal data by a separate Controller, it will be forwarded to the separate Controller and vice versa.

(10)   ESA Contractors

ESA may enter into contracts with various contractors who, with regard to Your Personal Data and depending on the contract concluded with ESA, may act either as a separate Data Controller or as a Data Processor.

  • To the extent such contractor acts as a separate Data Controller, the separate privacy notice of the contractor will apply for the purposes of collection and processing decided by the contractor.
  • To the extent such contractor acts as a Data Processor, this privacy notice applies for the purposes of collection and processing decided by ESA.

(11)   Third Party Providers and Social Media

ESA may use third party IT Providers or social media for information purposes or to promote an activity (meeting, event, recruitment campaign, etc.). ESA websites may provide links to social media and videos may be made available on ESA social media pages. It is up to You to decide whether You wish, or not, to have access and use those IT tools and social media, in consideration of the fact that they are governed by terms and conditions, including privacy notices, that are not under ESA control and that they may disclose data to territories that do not provide an equivalent protection. If You do not want Your data to be processed by such IT tools or social media, You may decide not to register as user or otherwise accept the applicable third party terms and conditions. Non-essential cookies may be used to process your Personal Data. You may decline such cookies and/or configure your browser privacy and security settings to manage cookies.

Where you have consented to the processing of images/video recordings taken during the event, upon registering to the event, ESA may process these for archiving purposes and to share them on their social media accounts (e.g., ESA Twitter, ESA LinkedIn, ESA public websites, YouTube, etc.). Please note nevertheless that, if personal data or information is disclosed online, it may be used by third parties for their own purposes, within their platforms and/or shared, and at times without informing ESA, and it may not be possible for us, apart from any implemented safeguards, to ensure removal of your data from the Internet.

Disclaimer regarding exterior Links, cookies, third parties and Endorsement: websites in the ESA.int domain and ESA associated websites may hold links to external websites in domains not having an Adequate Level of Protection, which may not be maintained by ESA or be under ESA control and for which ESA is not responsible. If you decide to click on a link to an external website, you leave the ESA domain and become subject to privacy, cookies and legal policies of the external website as separate Controllers, outside the control and responsibility of ESA.

Endorsement disclaimer: ESA websites may offer linked references to external resources or websites or online services, to provide further information; however, linked references, services, information and their providers/organisations are not endorsed by ESA. ESA websites may provide links to third-party sites. Using third-party content on ESA websites may require acceptance of their specific terms and conditions, involving their cookie policies, over which ESA has no control.

ESA webpages may provide content from external providers, e.g., YouTube, Facebook, Twitter, etc. Viewing such third-party content means that you must agree to their terms and conditions and their cookies. ESA has no control over these. If you do not want third-party cookies to be installed on your device, you do not have to view this content.

Please note that if information, also comprising personal data, is uploaded online (for example, published on social media), it can be used by third parties for their own purposes, on their platforms, and every so often without ESA having been informed. In such cases, ESA, despite any implemented safeguards, may not be able to ensure removal from the internet.

(12)   Your consent

The processing of personal data is described in this privacy notice. Where consent is required, You may provide your consent by accepting this privacy notice (selecting the ‘I accept’ checkbox) prior to submitting the registration form.

ESA invites you to register for this event, which takes place on ESA premises and online. By submitting your personal information/ by participating in this event, you agree to ESA Framework on Personal Data Protection and to the processing of your Personal Data by, or on behalf of ESA. We encourage you to read the privacy notice which informs you about the processing of your personal data, before providing your consent. For any questions, please email: dpo@esa.int

By registering, I accept and consent to:

  • the processing of my Personal Data for participation in this event;
  • the use of my contact details by ESA to invite me to future workshops, for conference follow-up activities, surveys and newsletters on conference related topics;
  • the disclosure of my contact details to the conference participants;
  • be photographed / video recorded;
  • the public publication in any/specific media of the photographs / video recordings/ presentations with my contact details in which I am included;
  • As Speaker, I agree to be photographed / video recorded and to have this published in any/specific media to promote the ESA conference;
  • As Speaker, have my name, surname and title published publicly in the social media, and on public websites.


ESA Conference Bureau / ATPI Corporate Events
ESA-ESTEC, Keplerlaan 1
2201 AZ Noordwijk, The Netherlands