Personal data protection at ESA

The European Space Agency established its Personal Data Protection framework (“ESA PDP Framework”), available at “ESA Principles of PDP, Rules of Procedure for DPSA and Policy”.

The ESA PDP Framework is composed of:

  1. The Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
  2. The Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
  3. The Policy on Personal Data Protection (including its Annex “Governance Scheme of the Agency’s Personal Data Protection”) adopted by Director General of ESA on 1 March 2022.

While ESA takes all the measures to ensure protection of personal data, should a data protection incident happen, this page provides general information to:

  • any person (entity or individual) who is aware of an incident and needs guidance on how to report it to the Agency’s Data Protection Officer (“DPO”);
  • any data subject affected by an incident following a decision of the Agency, who needs guidance before lodging a complaint before the ESA Data Protection Supervisory Authority (“DPSA”), under its Rules of Procedure.

Notifying an incident to the ESA DPO

What is a data protection incident?

According to the ESA PDP Framework, an “incident” (or “data protection incident”) means any intentional or unintentional activity which violates the provisions set forth in the Policy. As per the Policy’s definition, an “incident” occurs in relation to personal data and following a decision of the Agency. Concretely, it means that a decision of the Agency unduly leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Who should notify an incident, when and to whom?

In line with the ESA PDP Framework, any person (entity or individual) aware of an incident, whether or not it affects his/her own personal data, should promptly notify the incident to the ESA Data Protection Officer at the email address dpo@esa.int. The person should send the notification without undue delay, as soon as he/she becomes aware of the incident.

What is the purpose of the incident notification?

The incident notification informs the DPO about the circumstances of the incident, enabling the DPO to take the necessary measures, including conducting an investigation, gathering evidence and other relevant details, and making recommendations towards mitigating the related risks.

This notification should not be confused with a formal complaint before the DPSA.

What kind of information should be included in the notification?

The notification should include any information available to the person sending the notification, that could contribute to establishing the nature of the incident, its impact, its root causes etc. That includes:

  • a description of the incident, including the categories of personal data and approximate number of individuals affected and records impacted;
  • the contact information of the person notifying the incident;
  • the potential consequences of the incident.

The DPO may ask further questions and the person reporting the incident should promptly provide further clarification and relevant information, to the greatest extent possible.

Lodging a complaint under the DPSA Procedure

In the field of personal data protection, a complaint can be lodged before an independent authority, i.e. the Data Protection Supervisory Authority (“DPSA”), in line with the DPSA Rules of Procedure. The DPSA is competent to examine incidents and review decisions of the Agency. The decisions of the DPSA are final and binding on both parties.

Who is entitled to lodge a complaint under the DPSA Rules of Procedure?

Every interested data subject (“complainant”) has the right to lodge a complaint in accordance with these Rules of Procedure in case he/she demonstrates or has serious reasons to believe that a data protection incident occurred in relation to his/her personal data, following a decision of the Agency (cf. Rule 1 of the DPSA Rules of Procedure).

Is there a preliminary step before lodging a formal complaint?

Yes, before filing a formal complaint, the complainant is required to undertake “a preliminary complaint and amicable resolution effort” (cf. Rule 2 of the DPSA Procedure).

Under this mandatory preliminary step, the complainant must:

  1. inform the Agency’s function or body whose decision is concerned about her/his intention to file a complaint with the DPSA and the ground for such complaint; and
  2. reasonably seek an amicable resolution of the case.

How to lodge a formal complaint and when?

In case the complainant and the Agency have not reached an amicable resolution of the case in a reasonable time period (not exceeding two months) and should the complainant wish to lodge a complaint, then the following conditions must be observed by the complainant:

  1. The complaint must be submitted to the Registrar of the DPSA;
  2. The complaint must be filed no later than three months after the date of receipt of the decision of the Agency which is challenged by the complaint, i.e. the decision which gave rise to the incident affecting the data subject’s personal data;
  3. The complaint must:
    • be dated and signed;
    • clearly identify the decision being challenged (include a copy of the decisions, if possible);
    • provide a summary of the grounds for the complaint and the relief claimed by the data subject;
    • include supporting documentary evidence;
    • be formulated in English or French.

The Registrar and Deputy Registrar

The ESA Council appointed two staff members to serve as Registrar and Deputy Registrar of the DPSA. They are responsible for matters of current administration of the DPSA and for all communications, in accordance with the DPSA Rules of Procedure.

The Registrar and the Deputy Registrar assist the DPSA. They register the complaint and any evidence, comment, reply or other document communicated to the DPSA in relation to the complaint.
Registrar Email: DPSA.Registrar@esa.int.

The Members of the DPSA

The DPSA consists of three members (and an alternate member), who have proven expertise and experience in the field of personal data protection and are nationals of ESA Member States. The DPSA members are neither members of staff of the Agency nor of a delegation of an ESA Member State. They shall not seek or accept instructions from anyone.

Eva Souhrada-Kirchmayer (Chair)

Gérard Lommel (Member)

Stewart White (Member)

Nicola Blefari-Melazzi (Alternate Member)

Cases and Decisions

Case 01 (2024)