Privacy Notice
European Test Services (ETS) B.V.ETS’ CUSTOMER & SUPPLIER PRIVACY NOTICE
In this privacy notice we explain how we collect and use your personal data. This privacy notice applies to all personal data we process about you when you order, purchase or use our products and services, visit our websites, use our customer support or otherwise interact with ETS.
ETS respects privacy and acknowledges that processing personal data in a lawful and proper manner is an important social responsibility and declares that it will strive to protect personal data. This privacy notice applies to all personal data that we process concerning “you”, our prospective, current and former customers and suppliers, and concerning your usage of our products and services, our website at www.european-test-services.net, or otherwise when you conduct business with ETS. In this privacy notice, we explain which personal data we collect and how we use these data. Therefore, we encourage you to read this notice carefully.
1. Who we are
We are European Test Services B.V., located at Keplerlaan 1, 2201AZ Noordwijk, the Netherlands.. We are responsible for the collection and use of your personal data, as described in this privacy notice. References to “ETS”, “we” and “our” throughout this notice, depending on the context. We collaborate with the European Space Agency (‘ESA’). We have determined our respective responsibilities for compliance with the obligations under applicable privacy legislation for processing your personal data in relation to our global processing activities by means of an arrangement between us. In summary, we have arranged that if you want to exercise your rights, such as your right to access, correct, erase, restrict, object or port personal data or to withdraw your consent, or if you have any questions or complaints about the processing of your personal data, you can contact ETS in accordance with Paragraph 9. ETS and ESA will assist each other where necessary to ensure that you can exercise your rights and your questions and complaints will be handled.
2. Personal data we collect and what we do with your data
We have outlined our data processing operations and the purposes for which we process your personal data in the Overview ETS Customer & supplier processing activities.
In summary, we use various systems to deliver products and services to you. For example, we have sales, invoicing and procurement processes.
Legal basis
ETS processes your personal data to provide our products and services to you or the organisation you work for, to comply with legal obligations we are subject to or if it is necessary for our legitimate interests or the interests of a third party.
When we process your personal data for our legitimate interests or the interests of a third party, we will take reasonable measures to prevent unwarranted harm to you. Our legitimate interests may for example include our interest in improving our product and services delivery by storing contact details, reducing our costs, our Facebook, Twitter, LinkedIn pages and our websites by analysing which parts of our communications are most relevant for you. Also, we do so to provide our services and facilities, such as the purposes mentioned in the Annex. In specific cases we may process your personal data with your consent. More information on how we balance your privacy interests against our legitimate interests is available upon request. Where we process your personal data for our legitimate interests or the interests of a third party, you have the right to object to our processing at any time on grounds relating to your particular situation (please see Section 7. Your rights below).
Where we process your personal data for a purpose other than that for which we collected it initially (and we rely on a legal basis other than consent or complying with legal obligations for this new purpose), we will ascertain whether processing for this new purpose is compatible with the purpose for which the personal data were initially collected. More information on this assessment is available upon request (please see Section 7. Your rights below).
3. How we collect your data
Most of the personal data we process is information that you knowingly provide to us directly or through third parties. However, in some instances, we process personal data that we are able to infer about you based on other information you provide to us or on our interactions with you, or personal data about you that we receive from a group company or a third party with your knowledge (please see Section 0 and the Annex below).
If you refuse to provide personal data that we require for the performance of a contract or compliance with a legal obligation, we may not be able to provide all or parts of the services you have requested from us.
4. Information sharing
ETS will process some of your personal data locally. However, as a global organization, many of our business activities can also be carried out (and business efficiencies achieved) by processing or consolidating information about you in specific or centralized databases and systems located at specific secured facilities worldwide. As a result, your information may be shared with ESA. Moreover, internally we maintain a strict access policy with regard to the processing of personal data. Only a limited group of authorized ETS staff on a need to know basis may have access to your personal data. You also have the right to have your personal data erased, which means the deletion of your data by us and, where possible, any other controller to whom your data has previously been disclosed by us. Erasure of your personal data will only take place in certain cases, prescribed by law and listed under article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data are no longer necessary in relation to the initial purposes for which they were processed, as well as situations where they were processed unlawfully. Due to the way we maintain certain services, it may take some time before backup copies are erased.
5. Security measures and data retention
ETS will secure your personal data in accordance with our IT and security policies so that personal data are protected against unauthorized use, unauthorized access and wrongful modifications, loss or destruction. Your personal data will be stored no longer than is necessary for the purpose they were obtained, including compliance with legal and fiscal obligations and for solving any disputes. We have outlined the specific data retention periods in the Overview ETS Customer & supplier processing activities.
6. International transfers of personal data
Given the international nature of our line of business, your personal data may be transferred to ESA, an international organisation, and trusted third parties in countries outside the European Economic Area (‘EEA’) whose laws may not afford the same level of protection of your personal data. Where necessary, ETS will ensure that adequate safeguards are in place to comply with the requirements for the international transfer of personal data under applicable privacy laws. For transfers of personal data outside the European Economic Area, ETS may use Commission approved mechanisms, such as the Privacy Shield certification, and Standard Contractual Clauses as safeguards, such as the “(EU-)controller to (Non-EU/EEA-)controller” Decision 2004/915//EC (see Article 46 GDPR). If you wish to receive a copy of these safeguards, please contact us through the contact details in Section 9. Contact details for your privacy inquiries below.
The European Commission has determined that certain countries outside the European Union offer an adequate level of data protection (see Article 45 GDPR). You can find an overview of these countries here.
7. Your rights
You can contact us (please see Section 9. Contact details for your privacy inquiries below)to exercise any of the rights you are granted under applicable data protection laws, which includes (1) the right to access your data, (2) to rectify them, (3) to erase them, (4) to restrict the processing of your data, (5) the right to receiving a file of your personal data and (6) or the right to object to the processing, and where we have asked for your consent, to withdraw this consent. These rights will be limited in some situations. We will, for example, deny your request for access when necessary to protect the rights and freedoms of other individuals or refuse to delete your personal data in case the processing of such data is necessary for compliance with legal obligations. The right to data portability, for example, does not apply in case the personal data was not provided by you or if we process the data not on the basis of your consent or for the performance of a contract.
When you would like to exercise your rights, please send your request to the contact details in Section 9. Contact details for your privacy inquiries below. Please note that we may need you to provide additional information to confirm your identity. You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens, https://www.dutchdpa.nl, located in The Hague, The Netherlands, or your local Supervisory Authority.
7.1. Right to access
You may ask us whether or not we process any of your personal data and, if so, receive access to that data in the form of a copy. When complying with an access request, we will also provide you with additional information, such as the purposes of the processing, the categories of personal data concerned as well as any other information necessary for you to exercise the essence of this right.
7.2. Right to rectification
You have the right to have your data rectified in case of inaccuracy or incompleteness. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement.
7.3. Right to erasure
You also have the right to have your personal data erased, which means the deletion of your data by us and, where possible, any other controller to whom your data has previously been disclosed by us. Erasure of your personal data will only take place in certain cases, prescribed by law and listed under article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data are no longer necessary in relation to the initial purposes for which they were processed, as well as situations where they were processed unlawfully. Due to the way we maintain certain services, it may take some time before backup copies are erased.
7.4. Right to restriction of processing
You have the right to obtain the restriction of the processing of your personal data, which means that we suspend the processing of your data for a certain period of time. Circumstances which may give rise to this right include situations where you have challenged the accuracy of your personal data but some time is needed for us to verify their (in)accuracy. This right does not prevent us from continuing to store your personal data. We will inform you before the restriction is lifted.
7.5. Right to receive your file (data portability)
Your right to data portability allows you to request from us your personal data in a structured, commonly used and machine-readable format and to have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible we will transmit your personal data directly to the other controller.
7.6. Right to object
You also have the right to object to the processing of your personal data, which means you may request us to no longer process your personal data. This only applies in cases where the ‘legitimate interests’ ground (including profiling) constitutes the legal basis for processing (see par. ‘Legal basis’ above).
At any time and free of charge you can object to direct marketing purposes when your personal data are processed for such purposes, which includes profiling purposes to the extent that it is related to such direct marketing. If you exercise this right, we will no longer process your personal data for such purposes.
8. How we look after this policy
This privacy notice is effective as of 2 November 2018 and replaces our previous privacy notice. We will update this privacy notice from time to time and notify you of any changes, prior to these changes taking effect.
9. Contact details for your privacy inquiries
If you have any questions with regard to this privacy notice or wish to exercise your rights, you can contact the ETS contact person for privacy matters:
ETS Privacy Officer, Keplerlaan 1, 2201 AZ Noordwijk, The Netherlands, phone +31 (0)71 565 4290, ets-privacy@esa.int.
OVERVIEW ETS’ CUSTOMER & SUPPLIER PROCESSING ACTIVITIES
| Processing operation |
Categories of personal data |
Purposes |
Recipients |
Retention period |
Further explanation and source, if applicable |
|---|---|---|---|---|---|
| Visitors registration | Name, company name, e-mail, date, safety and security briefing attendance (and for long-term badge: Birth date, ID number, phone number, address, car plate). | Access control, personal safety and security | Internal use and ESA | Registration at ESA: 1 Year for visitor data, long term badge until 31/12/2023. Registration at ETS: 2 Year for visitor data, 3 years for safety and security briefing attendance. |
|
| Visitors control | Access to doors with badge access, Video recording of CCTV, Medical intervention | ESA | Access control system 2 year, CCTV recording 1 month, Medical intervention 20 years | ||
| Air freight security | Name, birth date, ID number, statement of conduct, security awareness training certificate | Air freight security access control | Internal use and ESA | 3 Years | |
| Safety Procedures | Name, company, e-mail and phone number | Emergency calling lists | Internal use, ESTEC site safety and security | Maximum of 2 years, after project completion. | |
| Sales process | Name, company name, division, address, company location, email, phone number, project name, military or civil, company VAT number | Provision of proposals to potential customers, reception of customer orders, evaluation of projects, client relationship management | Customer, Internal, ESA for general commercial and test data | Maximum of 2 years, after relationship has ended with data subject. | |
| Test Process | Name, company name, division, address, company location, email, phone number, project name, military or civil, company VAT number | Customer test documentation, delivery of facility data reports | Internal use Facility data reports are delivered to ESA. | Until 20 Years after test (for ESA until 20 years, starting 5 years after Launch date). | |
| Remote Testing | Live streaming of test and possibly personnel involved on site via SKYPE or WEBEX or MS Teams | Witnessing test by customer in case the customer cannot come on site | Customer, Internal | No retention, live stream recording is not allowed | |
| Invoicing process | Name, company name, division, address, company location, project name, company VAT number | Invoicing | Customer, Internal, ESA for general commercial and test data | A minimum retention period (“7 years”). | |
| Procurement process | Name, company name, division, address, company location, email, phone number, company VAT number, company bank account, quality certificates | Procurement of goods and services, client relationship management | Supplier, Internal, ESA for general commercial and test data | A minimum retention period (“7 years”). | |
| Google analytics and server log files | Country, Duration, IP address | To know from which countries the visitors are, which pages are visited, frequency and duration of visits | Internal, Google Inc. | Maximum of 2 years, after the calendar year for which the analysis has been performed. | |
| Social Media (LinkedIn, Facebook, Twitter) |
LinkedIn - Amount of followers - Location of follower - Amount of visitors - Job functions of follower and visitors - Impressions and clicks - Amount of page likes - Amount of page views - Amount of publication views - Amount of publication likes - Amount of publication shares - Amount of followers - Gender, language and country of follower - Amount of followers - Amount of publication views - Amount of publication likes - Amount of publication re-tweets |
Marketing analysis | ETS receives from LinkedIn, Facebook, Twitter | Maximum of 2 years, after the calendar year for which the analysis has been performed. |