Space CODEV Privacy Notice
1. Who is responsible for the data processing?
Operator of the Space CODEV Collaboration Platform (space-codev.org, in the following referred to as “Collaboration Platform” only) and the “data controller” is the European Space Agency (ESA). ESA is an intergovernmental organisation established by its Convention opened for signature in Paris on 30 May 1975 having its headquarters located at 24 rue du Général Bertrand, CS 30798, 75345 Paris Cedex 07, France.
2. What is the legal framework?
Protection of personal data is of great importance for ESA, which strives to ensure a high level of protection as required by the ESA Framework on Personal Data Protection (the “ESA PDP Framework”) which applies in this field. ESA implements appropriate measures to preserve the rights of data subjects, to ensure the processing of personal data for specified and legitimate purposes, in a not excessive manner, as necessary for the purposes for which the personal data were collected or for which they are further processed, in conditions protecting confidentiality, integrity and safety of personal data and generally to implement the principles set forth in the PDP Framework, available here.
The ESA PDP Framework is composed of the following elements:
- the “Principles of Personal Data Protection”, as adopted by ESA Council Resolution (ESA/C/CCLXVIII/Res.2 (Final)) adopted on 13 June 2017;
- the “Rules of Procedure for the Data Protection Supervisory Authority”, as adopted by ESA Council Resolution (ESA/C/CCLXVIII/Res.2 (Final)) adopted on 13 June 2017; and
- the “Policy on Personal Data Protection” adopted by Director General of ESA on 5 February 2018 and effective on 1 March 2018.
3. How to contact us?
4. What kind of personal data do we collect?
Automatically generated Collaboration Platform visitor information
We collect information and data that is automatically transmitted or generated by your browser each time you visit the Collaboration Platform. Such information includes the IP address, the URLs of the site you visited before accessing our website (“referrer”), the browser used, the browser language, the operating system and user interface, the access device used, date and time of your access, the pages viewed on our website, and the time you spent on the website.
Account data and user generated data
With respect to user accounts and your use of the Collaboration Platform, we process the following data:
a) User account data, in particular your user name and password and profile data, including e.g. your name, employer or organization and contact information. You may access, modify, or delete your basic user account information by editing your user account or contacting us.
b) User generated data, e.g. your commit history (in particular commit messages including your name and a timestamp) and submissions to repositories (e.g. source code or documentation), code review messages, your communication via issue tracking tools, message boards or similar services.
c) Agreements you made with us (e.g. Contributor Agreement) may include personal information (e.g. name, contact information, your employer or organization).
d) If you contact us directly (e.g. by e-mail), we use the data you provided, usually your contact information and your inquiry, to respond.
The Collaboration Platform sets cookies upon your visit. Cookies are small text files that are stored by your browser on your computer or mobile device and which allow re-identification of your computer or mobile device. These cookies do not contain personal data. Some of the cookies we use are deleted again upon expiry of the session, that is, when you close your browser (these are referred to as session cookies). Other cookies remain stored on your device and allow us, or our business partners to recognize your browser during subsequent visits (persistent cookies).
You may prevent cookies by configuring your browser software accordingly. In that event most functions of the Collaboration Platform probably won’t work.
5. To whom might we disclose data?
Our service providers
We may use third party service providers, in particular technical service providers, e.g. for hosting of our servers. These service providers receive personal data solely for the performance of their services for us on our behalf. They are contractually obliged not to use personal data for other purposes. We are currently using the following service providers:
- CLOUDSIGMA AG, Badenerstrasse 549, 8048 Zürich, Switzerland as a hosting provider. Switzerland provides an adequate level of privacy protection as shown by an adequacy decision of the Commission pursuant to Art. 45 GDPR.
- GMV Innovating Solutions S.L., C/ Isaac Newton, 11. Tres Cantos, 28760 Madrid, Spain as a general IT service provider.
Publicly available data
You are aware that your data, including your user name and profile and your contributions (e.g. code or documentation submissions, postings on discussion forums and issue tracking tools) will be available to the public, either the general public or a closed developer community, depending on the project and the project’s policies.
Community members, in particular project maintainers, may set up project-specific interfaces to permit data exchange with third party ancillary services (e.g. CI/CD runners or maven repositories for binary artefacts). Project related data (e.g. source code submissions) may be transferred to and exchanged with such ancillary services. Such data may include personal data (e.g. personal information included in the source code). Please refer to each project’s documentation if the project is set up to interface with ancillary services and what data is potentially exchanged.
Change of control
Operation of the Collaboration Platform might be taken over at some point in the future by a new provider (e.g. an organization founded by ESA and the space industry). In that event we might transfer the Collaboration Platform as a whole, including all related data and agreements, to the new provider. Legal basis for such transfer are the transfer clauses in the Collaboration Platform Terms & Conditions, the Collaboration Agreements and our legitimate interest in handing over the operation of the Collaboration Platform to a new provider. We will notify you duly in advance if a change of control and data transfer is planned.
If your user account is tied to your employer, your employer might see and modify your account data and see your activities (e.g. your submissions) on the Collaboration Platform.
We may disclose personal information to the extent necessary for the enforcement of rights related to material hosted on the Collaboration Platform or the defense against alleged or actual infringements.
6. For what purposes do we use personal data?
We process personal data for the following purposes:
Performance of an agreement
- Performance of the Collaboration Platform agreement, based on the Collaboration Platform Terms & Conditions;
- Performance of the Contributor Agreement.
- Operation of the Collaboration Platform in the interest of us, yourself and the respective project community; in particular to facilitate and support the development of space community related software projects, ensuring a transparent development process and making related tools, material and information available (including, but not limited to, source codes, documentation, revision and commit histories, issue tracking information, community communication);
- Encouragement of the formation of space related developer and project communities; facilitate and support communication and knowledge transfer within the development communities in the interest of us, yourself and the respective community;
- Enforcement of rights related to copyrighted material hosted on the Collaboration Platform; defense against alleged or actual infringements, in the interest of us and the respective community;
- Improvement of the Collaboration Platform and the services, e.g. by creating usage statistics;
- Prevent, detect, process and investigate malfunctions, incidents, fraudulent or other illegal activities, or mitigate the risk of occurrence of the aforementioned events and to ensure network and information security;
- Ensuring compliance with ESA’s rules and regulations.
7. How long do we retain personal data?
We may keep your personal data for as long as necessary for the fulfilment of the above mentioned purposes. In particular:
- Website visitor information (webserver logfiles) is stored for a period of 30 days and deleted automatically thereafter.
- Contributor Agreements are kept and archived by us for the term of Copyright protection unless you have made no contributions to a project hosted by the Collaboration Platform.
- Collaboration Platform agreements (based on the Collaboration Platform Terms & Conditions) are kept and archived for the term of the agreement and a period of three years thereafter.
- User accounts are usually deleted upon request (either your or your employer’s request, if your account is tied to your employer). However, contributions made by you will remain on the repository (see below).
- Generally, user generated data (e.g. source code or documentation submissions, issues lodged, community communication) will be kept for the lifetime of the respective project and/or the lifetime of the Collaboration Platform. However, we will delete or de-identify personally identifying information including your username and email address from the author field of issues, pull requests, and comments by associating them with a “deleted user”.
For the avoidance of doubt, Git log messages will not be anonymized.
8. What are your rights in respect of your personal data?
Subject to the Policy on Personal Data Protection, in particular Sec. 5.4.1 and 5.4.2 thereof, you have the right:
- to make at any time reasonable request for access to the personal data relating to you, provided that the you demonstrate legitimate grounds (Sec. 5.4.1(ii) of the Policy on Personal Data Protection);
- to have your personal data erased, rectified, completed, amended as per the conditions set under Section 5.1(i) of the Policy on Personal Data Protection (Sec. 5.4.1(iii) of the Policy on Personal Data Protection);
- to lodge a complaint before the Supervisory Authority in case you demonstrate or have serious reasons to believe that a Data Protection Incident (as defined in the Policy on Personal Data Protection) occurred in relation with your personal data, following a decision of ESA (e.g. Data Protection Officer) (Sec. 5.4.1(iv) of the Policy on Personal Data Protection).