Information about Data Protection

Information
about Data Protection

DLR
takes the protection of personal data very seriously. We want you to
know when we store data, which types of data are stored and how it is
used. As an incorporated entity under German civil law, we are
subject to the provisions of the EU General
Data Protection Regulation (GDPR),
the Federal
Data Protection Act (BDSG)
and the Telemedia
Act (TMG).
We have taken technical and organisational measures to ensure our
compliance and the compliance of external service providers with the
data protection regulation.

This
website uses SSL – that is, TLS encryption – in order to protect
the transfer of personal data and other confidential information (for
example, orders or enquiries sent to the controller). A connection is
encrypted if you see the character sequence 'https://' and the
padlock icon in your browser's address bar.

I.
Name and address of the controller

The
controller in the meaning of the General Data Protection Regulation,
other national data protection laws in the Member States and related
data protection regulations is:

Deutsches
Zentrum für Luft- und Raumfahrt e. V. (DLR)

Linder Höhe

51147
Cologne

Telephone:
+49 2203 601-0

Email: datenschutz@dlr.de

WWW:
https://www.dlr.de

 

II.
Name and address of the data protection officer

The
controller’s appointed data protection officer is:

Uwe
Gorschütz, Deutsches Zentrum für Luft- und Raumfahrt e. V., Linder
Höhe, 51147 Cologne

Email: datenschutz@dlr.de

 

III.
Definition of terms

Among
others, we use the following terms in this Privacy Policy, set out in
the General Data Protection Regulation and the Federal Data
Protection Act:

1.
Personal data

Personal
data refers to any information relating to an identified or
identifiable natural person (hereinafter: ‘data subject’). An
identifiable natural person is one who can be identified – directly
or indirectly – in particular by reference to an identifier such as
a name, an identification number, location data, an online identifier
or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that
natural person.

2.
Data subject

A
data subject is any identified or identifiable natural person whose
personal data is processed by the controller.

3.
Processing

Processing
is any operation or set of operations performed on personal data or
on sets of personal data – whether or not by automated means –
such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment
or combination, restriction, deletion or destruction.

4.
Restriction of processing

Restriction
of processing means the marking of stored personal data with the aim
of limiting its processing in the future.

5.
Profiling

Profiling
means any form of automated processing of personal data consisting of
the use of personal data to evaluate certain personal aspects
relating to a natural person, in particular to analyse or predict
aspects concerning that natural person’s performance at work,
economic situation, health, personal preferences, interests,
reliability, behaviour, location or movements.

6.
Pseudonymisation

Pseudonymisation
means the processing of personal data in such a manner that the
personal data can no longer be attributed to a specific data subject
without the use of additional information, provided that such
additional information is kept separately and is subject to technical
and organisational measures to ensure that the personal data are not
attributed to an identified or identifiable natural person.

7.
Controller or data processing controller

Controller
or data processing controller means the natural or legal person,
public authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the processing of
personal data; where the purposes and means of such processing are
determined by Union or Member State law, the controller or the
specific criteria for its nomination may be provided for by Union or
Member State law.

8.
Processor

Processor
means a natural or legal person, public authority, agency or other
body that processes personal data on behalf of the controller.

9.
Recipient

Recipient
means a natural or legal person, public authority, agency or another
body, to which the personal data are disclosed, whether a third party
or not. However, public authorities that may receive personal data in
the framework of a particular inquiry in accordance with Union or
Member State law shall not be regarded as recipients.

10.
Third party

Third
party means a natural or legal person, public authority, agency or
body other than the data subject, controller, processor and persons
who, under the direct authority of the controller or processor, are
authorised to process personal data.

11.Consent

Consent
of the data subject means any freely given, specific, informed and
unambiguous indication of the data subject’s wishes by which he or
she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her.

 

IV.
General information on data processing

1.
Scope of processing of personal data

We
process personal data concerning our users exclusively to the extent
required to provide a functioning website, as well as our content and
services. Ordinarily, we will only process the personal data of our
users after obtaining their consent. An exception to this rule is
where obtaining prior consent is factually impossible and the
processing of the data is permitted by law.

2.
Legal grounds for the processing of personal data

Where
we obtain consent from the data subject for the processing of
personal data, the legal grounds are set out in Art. 6, paragraph 1,
part (a) of the EU General Data Protection Regulation (GDPR).

Where
personal data is processed for the performance of a contract in which
the data subject is a contractual partner, the legal grounds are set
out in Art. 6, paragraph 1, part (b) of the GDPR. This also applies
to processing that is necessary for pre-contractual measures.

Where
personal data is processed for compliance with a legal obligation to
which our research centre is subject, the legal grounds are set out
in Art. 6, paragraph 1, part (c) of the GDPR.

Where
processing of personal data is necessary for the protection of vital
interests of the data subject or another natural person, the legal
grounds are set out in Art. 6, paragraph 1, part (d) of the GDPR.

Where
processing is necessary for the legitimate interests of our research
centre or a third party, and where the fundamental rights and
freedoms of the data subject do not override the first interests, the
legal grounds are set out in Art. 6, paragraph 1, part (f) of the
GDPR.

3.
Data deletion and duration of data storage

The
personal data of the data subject will be deleted or blocked as soon
as the purpose of storage no longer applies. In addition, storage
takes place if authorised by Union or Member State directives, laws
or other regulations to which the controller is subject. Blocking or
deletion of the data shall also take place when a storage period
stipulated by one of the above standards comes to an end, except
where it is necessary to continue storing the data to enter into or
perform a contract.

 

V.
Provision of the website and generation of log files

a)
Description and scope of data processing

Our
system automatically collects data and information from the accessing
computer system each time our website is visited.

The
following data is collected in this context:

  1. Information
    about the browser type and version

  2. The
    user’s operating system

  3. The
    user’s Internet Service Provider

  4. The
    user’s IP address

  5. The
    date and time of access

  6. Referrer
    website(s)

  7. Websites
    accessed by the user from our website

The
data is also stored in log files kept on our system. This data is not
stored together with other personal data concerning the user.

b) Legal
grounds for data processing

The
legal grounds for temporary storage of the data and log files are set
out in Art. 6, paragraph 1, part (f) of the EU General Data
Protection Regulation (GDPR).

c) Purpose
of data processing

Temporary
storage of the IP address by our system is necessary to deliver the
website to the computer of the user. For this purpose, the user’s
IP address must be stored for the duration of the session.

Storage
in log files takes place to ensure functionality of the website. In
addition, the data is used to optimise the website and to ensure
security of our Information Technology systems. Data analysis for
marketing purposes does not take place in this context.

The
DLR website collects a variety of general data and information each
time it is accessed by a data subject or an automated system. This
general data and information is stored in server log files. The data
and information collected include the (1) browser types and versions;
(2) the operating system used by the accessing system; (3) the
website from which the accessing system arrives on our website (the
referrer); (4) the sub-pages visited by the accessing system; (5) the
date and time of accessing our website; (6) an Internet Protocol
address (IP address); (7) the Internet service provider of the
accessing system and (8) other similar data and information that is
used to protect against risks in the case of attacks on our
Information Technology systems.

DLR
does not draw any conclusions about the identity of the data subject
during use of this general data and information. Instead, this
information is necessary to (1) deliver the contents of our website
in their correct form; to (2) optimise the contents of our website
and promote it; to (3) guarantee the permanent functionality of our
information technology systems and equipment used for our website;
and to (4) provide the information necessary for law enforcement
organisations to investigate cyber-attacks. This anonymous data and
information is analysed by DLR, firstly for statistical purposes, and
secondly with the objective of increasing data protection and data
security at our research centre, and hence to achieve an optimum
level of protection for the personal data processed by us. The
anonymous data contained in the server log files is stored separately
from all other personal data concerning the data subject.

These
purposes justify our legitimate interests in data processing
according to Art. 6, paragraph 1, part (f) of the GDPR.

d)
Duration of storage

The
data is deleted as soon as it is no longer needed for the purpose for
which it was collected. In the case of data collection for the
provision of this website, this applies at the end of each session.

In
the case of data stored in log files, this occurs after no longer
than seven days. Further storage is possible; in these cases, the
users’ IP addresses are deleted or pseudonymised to prevent any
association with the accessing client.

e)
Right to objection and removal

The
collection of data for the provision of our website and the storage
of data in log files is crucial to operation of the website. Hence,
users are not granted a right to object.

 

VI.
Use of cookies

a)
Description and scope of data processing

Our
website uses cookies. Cookies are text files placed on the user’s
computer system by a browser and stored there.

Numerous
websites and servers use cookies. Many cookies contain what is
referred to as a cookie ID. A cookie ID is a unique cookie
identifier. It consists of a sequence of characters with which
Internet pages and servers can be assigned to the Internet browser in
which the cookie was stored. This enables visited Internet pages and
servers to distinguish the data subject’s individual browser from
other Internet browsers containing different cookies. The unique
cookie ID is used to recognise and identify a particular Internet
browser.

The
use of cookies allows DLR to provide visitors to this website more
user-friendly services than would be possible without cookies.

We
use technically necessary cookies to improve our website’s user
friendliness. Some elements on our website make it necessary to
recognise the accessing browser when moving from page to page.
Cookies can be used to optimise the information and services on our
website in the interests of our users. As stated above, cookies allow
us to recognise visitors to our website. The purpose of this
recognition is to facilitate use of our website by visitors. For
instance, visitors to a website that uses cookies do not need to
enter login details during each visit, as this information is
obtained by the website from the cookie placed on the user’s
computer system.

In
addition, our website uses cookies to analyse Internet usage by
visitors.

The
following data can be transferred in this way:

  • Search
    terms entered

  • Frequency
    of page access

  • Usage
    of website functions

Technical
measures are implemented to pseudonymise the data collected from
users in this way. It is therefore not possible to associate the data
with the accessing user. The data is not stored together with other
personal data concerning the user.

An
information banner referring users to the use of cookies for analysis
purposes is shown when they access our website, and reference to this
Privacy Notice is provided. Users are also informed of how to adjust
their browser settings in order to prevent the storage of cookies.

Users
are informed of our use of cookies for analysis purposes when
accessing our website, and their consent to the processing of
personal data used in this context is obtained. A reference to this
Privacy Notice is provided as well.

Section
IX contains a detailed description of data processing in connection
with the web analysis tools that we use.

b)
Legal basis for data processing

i.
The legal grounds for the processing of personal data using
technically necessary cookies are set out in Art. 6, paragraph 1,
part (f) of the EU General Data Protection Regulation (GDPR).

ii.
The legal grounds for the processing of personal data using cookies
for analysis purposes with consent of the user are set out in Art. 6,
paragraph 1, part (a) of the GDPR.

c)
Purpose of data processing

Technically
necessary cookies are used to make our website user friendly. Some
functions on our website cannot be provided without the use of
cookies, as they require that the browser is recognised when moving
from page to page.

The
user data collected with technically necessary cookies is not used to
produce user profiles.

On
the use of cookies that are not necessary for technical reasons:

Analysis
cookies are used to improve the quality of our website and its
contents. Through the use of analysis cookies, we find out how the
website is used and are therefore able to optimise our service
continuously. A more precise description is contained under Section
IX of this document.

These
purposes represent our legitimate interest in processing personal
data according to Art. 6, paragraph 1, part (f) of the GDPR.

e)
Duration of storage; right to objection and removal

The
data subject can adjust the settings of the Internet browser at any
time to prevent our website from placing cookies as described, and
therefore block cookies on a permanent basis. In addition, the
browser or other software programs can be used to delete cookies that
have already been placed at any time. This is possible with all
standard Internet browsers. The data subject may not be able to use
the full functionality of our website if cookies are disabled in the
active Internet browser.

You
can change the settings of your Internet browser to disable or
restrict the transfer of cookies at any time. Cookies that have
already been placed on your computer can be deleted at any time. This
can take place automatically. Disabling cookies may prevent you from
using the full functionality of our website.


  

XVII.
Rights of the data subject

Where
personal data concerning you is processed, you are the data subject
as defined in the EU General Data Protection Regulation (GDPR) and
you have the following rights with respect to the controller:

a)
Right to information

You
have the right to obtain from the controller confirmation of whether
personal data concerning you is processed by us.

Where
such processing takes place, you have the right to obtain the
following information from the controller:

  • the
    purposes for which the personal data is processed;

  • the
    categories of personal data that is processed;

  • the
    recipients, or categories of recipients to whom the personal data
    relating to you has been or will be disclosed;

  • the
    planned duration of storage of the personal data concerning you, or
    the criteria applied to defining the duration of storage if precise
    information in this regard is not available;

  • the
    existence of a right to correction or deletion of the personal data
    concerning you, the right to restrict processing by the controller
    or the right to object to this processing;

  • the
    right to lodge a complaint with a supervisory authority;

  • all
    information available concerning the origins of the data if the
    personal data was not collected from the data subject;

  • the
    existence of an automated decision-making process, including
    profiling, according to Art. 22 paragraphs 1 and 4 of the GDPR and –
    at least in these cases – meaningful information on the logic and
    implications involved, as well as on the intended effects of this
    kind of processing on the data subject;

  • You
    also have the right to obtain information on whether the personal
    data concerning you has or will be transferred to a third country or
    to an international organisation. In this regard, you are entitled
    to request information on the appropriate guarantees in place with
    regard to this processing in accordance with Art. 46 of the GDPR.

The
controller will provide a copy of the personal data that is subject
to processing. Where you request additional copies, the controller is
entitled to charge an appropriate fee based on administrative costs.
If you place the application by electronic means, the information
will be made available in a standard electronic format, except where
otherwise specified by you. The right to receive a copy in accordance
with paragraph 3 of this section must not adversely affect the rights
and freedoms of other persons.

b) Right
to correction

As
a data subject, you have the right to request from the controller the
correction of inaccurate personal data concerning you without undue
delay. Taking into account the purposes of the processing, you have
the right to have incomplete personal data completed, including by
means of providing a supplementary statement.

c) Right
to limit processing

You
have the right to request from the controller restriction of
processing of personal data concerning you under the following
conditions:

  • where
    the accuracy of the personal data is contested by you, for a period
    enabling the controller to verify the accuracy of the personal data;

  • the
    processing is unlawful and you oppose the deletion of the personal
    data, and instead request the restriction of its use;

  • the
    controller no longer needs the personal data for the purposes of the
    processing, but it is required by you for the establishment,
    exercise or defence of legal claims; or

  • if
    you have objected to processing pursuant to Art. 21, paragraph 1, of
    the GDPR, pending the verification of whether the legitimate reasons
    of the controller override your reasons.

Where
processing of the personal data concerning you has been restricted,
such personal data shall, with the exception of storage, only be
processed with your consent or for the establishment, exercise or
defence of legal claims or for the protection of the rights of
another natural or legal person or for reasons of important public
interest of the Union or of a Member State.

Where
you have obtained restriction of processing under the conditions set
out above, you will be informed by the controller before the
restriction of processing is lifted.

d) Right
to deletion

Obligation
to delete

You
have the right to request the controller to delete personal data
concerning you without undue delay, and the controller will be
obliged to delete personal data immediately where one of the
following grounds applies:

  • the
    personal data is no longer necessary in relation to the purposes for
    which it was collected or otherwise processed;

  • you
    withdraw consent on which the processing is based according to part
    (a) of Art. 6, paragraph 1, or part (a) of Art. 9, paragraph 2 of
    the GDPR, and there is no other legal basis for the processing;

  • you
    object to the processing pursuant to Art. 21, paragraph 1 of the
    GDPR and there are no overriding legitimate grounds for the
    processing, or you object to the processing pursuant to Art. 21,
    paragraph 2 of the GDPR;

  • the
    personal data concerning you has been unlawfully processed;

  • the
    personal data has to be deleted to comply with a legal obligation
    under a Union  or Member State law to which the controller is
    subject;

  • The
    personal data concerning you has been collected in relation to the
    offer of information society services referred to in Art. 8,
    paragraph 1 of the GDPR.

    Information to third parties

Information
to third parties

Where
the controller has made the personal data concerning you public and
is obliged pursuant to Art. 17, paragraph 1 of the GDPR to delete the
personal data, the controller, taking account of available technology
and the cost of implementation, is required to take reasonable steps,
including technical measures, to inform controllers who are
processing the personal data that you have requested to be deleted by
such controllers, as well as any links to, copies or replications of
such personal data.

Exceptions

The
right to deletion does not apply to the extent that processing is
necessary:

  • for
    exercising the right of freedom of expression and information;

  • for
    compliance with a legal obligation under Union or Member State law
    to which the controller is subject or for the performance of tasks
    carried out in the public interest or in the exercise of official
    authority vested in the controller;

  • for
    reasons of public interest in the area of public health in
    accordance with parts (h) and (i) of Art. 9, paragraph 2 and Art. 9,
    paragraph 3 of the GDPR;

  • for
    archiving purposes in the public interest, for scientific or
    historical research purposes or for statistical purposes in
    accordance with Art. 89, paragraph 1 of the GDPR, insofar as the
    rights referred to in section (a) are likely to render impossible or
    seriously impair the achievement of the objectives of that
    processing; or

  • for
    the establishment, exercise or defence of legal claims.

e) Right
to notification

Where
you have exercised the right to correction, deletion or restriction
of processing with the data controller, the data controller shall be
obliged to notify all recipients to whom the personal data concerning
you was disclosed of this correction or deletion of data or of the
restriction of processing, except where compliance proves to be
impossible or is associated with a disproportionate effort.

In
addition, you are entitled to require that the data controller inform
you about these recipients.

f) Right
to data portability

You
have the right to receive the personal data concerning you, which you
have provided to the controller, in a structured, commonly used and
machine-readable format and have the right to transfer that data to
another controller without hindrance from the controller to which the
personal data have been provided, where:

  • the
    processing is based on consent pursuant to part (a) of Article 6,
    paragraph 1 or part (a) of Article 9, paragraph 2 of the GDPR or in
    a contract pursuant to part (b) of Art. 6, paragraph 1 of the GDPR;
    and

  • the
    processing is carried out by automated means.

In
exercising your right to data portability, you have the right to have
the personal data concerning you transmitted directly from one
controller to another, where technically feasible. This must not
adversely affect the rights and freedoms of other persons.

The
right to data portability does not apply to processing that is
necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the
controller.

g) Right
to object

You
have the right to object, at any time, on grounds relating to your
particular situation, to the processing of personal data concerning
you, which is based on parts (e) or (f) of Art. 6, paragraph 1 of the
GDPR; this includes profiling based on those provisions.

The
controller shall no longer process the personal data concerning you,
unless the controller demonstrates compelling legitimate grounds for
the processing which override your interests, rights and freedoms or
for the establishment, exercise or defence of legal claims.

Where
personal data concerning you is processed for direct marketing
purposes, you have the right to object, at any time, to the
processing of personal data concerning you for the purpose of such
marketing. This applies also to profiling to the extent that it is
related to such direct marketing.

Where
you object to processing for direct marketing purposes, the personal
data will no longer be processed for such purposes.

In
the context of the use of information society services, and
notwithstanding directive 2002/58/EC, you may exercise your right to
object by automated means that use technical specifications.

Where
personal data is processed for scientific or historical research
purposes or for statistical purposes pursuant to Art.
89,
paragraph 1 of the GDPR, you have the right, on grounds relating to
your particular situation, to object to processing of personal data
concerning you, except where the processing is necessary for the
performance of a task carried out for reasons of public interest.

Should
you wish to exercise your right to withdraw consent or to object,
please send an email to datenschutz@dlr.de.

h) Right
to withdraw consent pursuant to Art. 7, paragraph 3 of the GDPR

You
have the right to withdraw your consent to the processing of data at
any time, with future effect. In the event that you withdraw consent,
we will delete the data concerned immediately, except where
processing can be based on legal grounds that do not require consent.
The withdrawal of consent will not affect the lawfulness of
processing carried out prior to withdrawal of consent.

i)
Automated individual decision-making, including profiling

You
have the right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal
effects for you or similarly significantly affects you.

This
does not apply if the decision:

  • is
    necessary for entering into, or performance of, a contract between
    you and the data controller;

  • is
    authorised by Union or Member State law to which the controller is
    subject and which also contains suitable measures to safeguard your
    rights, freedoms and legitimate interests; or

  • is
    based on your explicit consent.

However,
these decisions must not be based on special categories of personal
data referred to in Art 9, paragraph 1 of the GDPR, unless parts (a)
or (g) of Art. 9, paragraph 2 of the GDPR applies and suitable
measures to safeguard your rights, freedoms and legitimate interests
are in place.

In
the cases referred to in parts (1) and (3), the data controller is
required to implement suitable measures to safeguard your rights,
freedoms and legitimate interests, including at least the right to
obtain human intervention on the part of the controller, to express
your own point of view and to contest the decision.

j) Right
to lodge a complaint with a supervisory authority

Without
prejudice to any other administrative or judicial remedy, you have
the right to lodge a complaint with a supervisory authority, in
particular in the Member State of your normal residence, you place of
work or the place of the alleged infringement, if you consider that
the processing of personal data relating to you infringes the GDPR.

The
supervisory authority with which the complaint has been lodged is
required to inform the complainant on the progress and the outcome of
the complaint, including the possibility of a judicial remedy
pursuant to Article 78.