ESA title

Privacy Policy

ESA PRIVACY NOTICE FOR GDA Knowledge-Hub Website Released by: European Space Agency, as Data Controller Addressed to: individuals whose personal data are collected and processed Concerning collection and processing initiated by: ESA EOP-S Department (hereinafter referred to as the “Department”)
The European Space Agency (hereafter “the Agency or “ESA” or “We”) is committed to protecting Personal Data in line with the ESA Framework on Personal Data Protection (herein the “ESA PDP Framework”) available at: ESA PDP Framework link, composed of:
  • Principles of Personal Data Protection adopted by ESA Council on 13 June 2017
  • Rules of Procedure for the Data Protection Supervisory Authority adopted by ESA Council on 13 June 2017
  • Policy on Personal Data Protection (including its Annex entitled “Governance Scheme of the ESA’s Personal Data Protection”) adopted by the Director General of ESA on 1 March 2022 (“ESA PDP Policy”)
This notice describes why and how Your personal data are collected and processed by or on behalf of ESA as Data Controller, on the initiative of the above-mentioned Department, as well as what rights You have in relation to Your personal data. It also informs You about the contact details of the Data Protection Officer. This privacy notice was last updated on 24/07/2025. It must be read in conjunction with the ESA PDP Framework and other privacy notices referred to herein.

1. How can you contact ESA regarding this notice?

The ESA Data Protection Officer (“DPO”) may be contacted in line with the ESA PDP Framework at DPO@esa.int. Specific information is available upon request from the DPO.
SEPARATE CONTROLLERS: To know the point of contact for personal data protection matters concerning separate Controllers (which are independently responsible for the collection and processing of personal data they decide upon), please refer to the privacy notices of these separate Controllers. Your queries regarding these matters will not be dealt with by ESA or its DPO.

2. What kinds of personal data are collected and further processed?

We collect and process various kinds of personal data and may require You to provide personal data for the purposes mentioned later in this notice. Depending on the purpose for which they are collected and further processed, the personal data may include:
  • Identity Data: first name, last name, country/region, timezone
  • Contact information: email address
  • Professional information: job title, email, role type, organisation name and type
  • Technical data, including online identifiers: IP, device info, browser, session history, geolocation logs, analytics data, etc.
  • Other personal data made public by You
  • Other data: messages, dates, content of messages, public posts, etc.

3. How are Your personal data collected or further processed?

  • Providing a web portal for registration
  • Commissioning a consortium (ReMedia, Imperative Space, Ignite Education, Caribou Space) to manage registration
  • Processing user inputs and metadata provided to the chat bot
  • Collecting indirect personal data from third parties, analytics providers, social media, cookies, etc.

4. Purpose of processing personal data

4.2 If you visit an ESA website Personal data are collected and processed for ESA’s public service tasks, including communication, statistics, analytics, audience measurement, user access, and engagement.
4.8 If you formulate a request or complaint Data are processed to handle queries, respond to rights requests, and defend ESA from liability claims.
4.10 ESA IT infrastructure use Data are processed to provide services, ensure security, manage access, and defend ESA’s rights.

5. Legal grounds for processing

  • 5.1 General basis: Security, contract performance, and consent
  • 5.2 Sensitive data: Consent, public data, vital interests, staff regulations, health/social care, security
  • 5.3 Consent: Various modalities: paper, oral, electronic, service-specific interfaces, forms, behaviour

6. Transfers of personal data

  • Third-party service providers (communications, marketing, IT, security, contracting)
  • ESA partners, governing bodies, authorities
  • Other third parties under specific frameworks
  • Transfers may be outside EU/EEA if safeguards applied

7. Retention of personal data

Stored for the shortest necessary time; exceptions for archiving, research, with technical safeguards.

8. Protection and safeguards

All processing operations are carried out in conditions protecting confidentiality, integrity, and security. Technical and organisational measures include pseudonymisation, encryption, and access control.

9. Your rights as data subject

  • Right to be informed about the controller, DPO, purpose, recipients, rectification/erasure, storage limits
  • Right to access personal data
  • Right to have personal data erased or corrected
  • Right to lodge a complaint with the Supervisory Authority
  • Right to withdraw consent where applicable (gda@esa.int, dpo@esa.int)

10. ESA Contractors and Consent

ESA may contract external parties acting as separate controllers or processors. Consent for Knowledge Hub services is given upon registration, including:

  • Processing Personal Data to access and use website and chatbot services
  • Use of contact details for follow-ups, invitations, surveys, and newsletters
  • Collection and analysis of usage data for performance, content, and user experience
  • Storage and processing of chat transcripts for research, service improvement, and reporting
  • Sharing anonymized/aggregated feedback internally