Information on Data Protection
The DLR takes the protection of personal data very seriously. We would like you to know when we store which data and how we use it. As a registered association under German civil law, we are subject to the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) as well as the Telemedia Act (TMG). We have taken technical and organisational measures to ensure that the data protection regulations are observed both by us and by external service providers.
For security reasons and to protect the transmission of personal data and other confidential contents (e.g. orders or enquiries to the data controller), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the character string “https://” and the lock symbol in your browser line.
Name and address of the controller
The controller in terms of the General Data Protection Regulation and other national data protection laws of the member states and other data protection provisions is:
Deutsches Zentrum für Luft- und Raumfahrt e. V. (DLR)
Tel: +49 2203 601-0
E-Mail: contact-dlr [at] dlr.de
Name and address of the Data Protection Officer
The controller’s data protection officer is:
Uwe Gorschütz, Deutsches Zentrum für Luft- und Raumfahrt e. V., Linder Höhe, 51147 Cologne
E-Mail: datenschutz [at] dlr.de
In accordance with the General Data Protection Regulation and the Federal Data Protection Act, we use the following terms, among others, in this data protection declaration:
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject means any identified or identifiable natural person whose personal data are processed by the controller.
Processing is any operation or set of operations, performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, querying, use, disclosure by transmission, dissemination or otherwise making available, matching or combination, restriction, deletion or destruction.
Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.
Profiling is any automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, conduct, location or change of location of that natural person.
Pseudonymisation is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the inclusion of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person.
Controller or data controller
Controller or data controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union law or by the law of the Member States, provision may be made for the controller or data controller to be designated by Union law or by the law of the Member States, or for the criteria for such designation.
An order processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party. However, authorities which may receive personal data in the course of a specific investigation, in accordance with Union or national law, shall not be considered as recipients.
A third party is any natural or legal person, public authority, agency or body other than the data subject, the controller, the order processor and the persons who, under the direct authority of the controller or the order processor, are authorized to process the personal data.
Consent shall mean any informed and unequivocal expression of the data subject’s free will in a specific case, in the form of a declaration or other unequivocal affirmative act by which the data subject signifies his or her consent to the processing of personal data relating to him or her.
General information on data processing
Scope of the processing of personal data
As a matter of principle, we process personal data of our users only to the extent necessary to provide a functional website and our contents and services. As a rule, personal data of our users is processed only with the user’s consent. An exception is made in those cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.
Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 letter a EU General Data Protection Regulation (GDPR) serves as the legal basis.
Art. 6 para. 1 letter b GDPR serves as the legal basis for the processing of personal data necessary for the performance of a contract to which the data subject is a party. This also applies to processing operations which are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our research centre is subject, Art. 6 para. 1 letter c GDPR serves as the legal basis.
In cases where vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 letter d GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our research centre or of a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 letter f GDPR serves as the legal basis for the processing.
Data deletion and storage duration
The personal data of the data subject shall be deleted or blocked as soon as the purpose for which they were stored no longer applies. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible is subject. Data will also be blocked or deleted when a storage period prescribed by the above-mentioned standards expires, unless there is a need to continue storing the data for the purpose of concluding or fulfilling a contract.
Provision of the website and creation of log files
Description and scope of data processing
Whenever our website is accessed, our provider’s hosting system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
- Information about the browser type and version used
- The user’s operating system
- The IP address of the user (anonymized)
- Date and time of access
- Websites from which the user’s system accesses our website
- Websites that are called up by the user’s system via our website
Legal basis for the data processing
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 letter f GDPR.
Purpose of the data processing
The storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
When using this general data and information, the DLR does not draw any conclusions about the data subject. Rather, this information is needed:
(1) to deliver the contents of our website correctly
(2) the contents of our website
(3) to ensure the permanent functionality of our information technology systems and the technology of our website and
(4) to provide law enforcement authorities with information necessary for law enforcement purposes in the event of a cyber-attack.
This anonymously collected data and information is therefore evaluated by the DLR both statistically and with the aim of increasing data protection and data security at our research centre, in order to ultimately ensure an optimum level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
These purposes also include our legitimate interest in data processing in accordance with Art. 6 para. 1 letter f GDPR.
Duration of storage
The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session is ended.
In the case of data storage in log files, this is the case after fourteen days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or distorted so that the calling client can no longer be identified.
Option of objection and removal
The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. There is therefore no option of objection on the part of the user.
Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you are entitled to the following rights vis-à-vis the controller:
Right of access to information
You may request confirmation from the controller as to whether personal data concerning you is being processed by us.
If such processing is carried out, you may request the following information from the controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the envisaged duration of the storage of the personal data concerning you or, if it is not possible to give specific details, criteria for determining the duration of storage;
(5) the existence of a right of rectification or deletion of personal data concerning you, a right to have the processing limited by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;
(7) any available information as to the source of the data where the personal data are not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Art. 22 para. 1 and 4 of the GDPR and, at least in these cases, meaningful information on the logic involved and the scope and intended impact of such processing on the data subject.
(9) You also have the right to request information as to whether the personal data concerning you are being transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 of the GDPR in connection with the transfer.
The controller shall provide a copy of the personal data being processed. For any further copies that you request, the controller may charge a reasonable fee based on the administrative costs. If you make the request electronically, the information shall be provided in a standard electronic format, unless otherwise specified by the controller. The right to receive a copy in accordance with paragraph 3 shall not prejudice the rights and freedoms of others.
Right of rectification
You, as the data subject, have the right to ask the controller to rectify any inaccurate personal data concerning you without delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
Right to restrict processing
Under the following conditions, you may request the restriction of the processing of personal data concerning you:
(1) if you dispute the accuracy of the personal data concerning you for a period of time which enables the controller to verify the accuracy of the personal data;
(2) if the processing is unlawful and you object to the deletion of the personal data and instead demand the restriction of the use of the personal data;
(3) if the controller no longer needs the personal data for the purposes of the processing, but you need it for the purpose of exercising or defending legal claims; or
(4) if you have lodged an objection to the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been established whether the legitimate reasons given by the controller outweigh your reasons.
If the processing of personal data relating to you has been restricted, such data may be processed – apart from storage – only with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or of a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
Right to deletion
Duty of deletion
You may request the controller to delete the personal data concerning you without delay and the controller is obliged to delete such data without delay if one of the following reasons applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 letter a or Art. 9 para. 2 letter a GDPR, and there is no other legal basis for the processing.
(3) You lodge an objection to the processing pursuant to Art. 21 para. 1 GDPR and there are no legitimate reasons for the processing, or you lodge an objection to the processing pursuant to Art. 21 para. 2 GDPR.
(4) The personal data concerning you have been processed unlawfully.
(5) The deletion of personal data relating to you is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
(6) The personal data concerning you have been collected in relation to information society services offered in accordance with Art. 8 para. 1 of the GDPR.
Information to third parties
If the controller has made public the personal data concerning you and is obliged to delete them in accordance with Art. 17 para. 1 of the GDPR, he shall take reasonable measures, including technical measures, taking into account available technology and implementation costs, to inform controllers who process the personal data that you, as a data subject, have requested them to delete all links to these personal data or copies or replications of these personal data.
The right of deletion does not exist insofar as the processing is necessary
(1) for the exercise of the right to freedom of expression and information;
(2) to comply with a legal obligation to which the processing relates under Union or national law to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest relating to public health pursuant to Art. 9 para. 2 letters h and i and Art. 9 para. 3 GDPR;
(4) for archival, scientific or historical research purposes in the public interest or for statistical purposes pursuant to Art. 89 para. 1 of the GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the attainment of the objectives of such processing, or
(5) to assert, exercise or defend legal claims.
Right to be informed
If you have exercised the right of rectification, deletion or limitation of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of such rectification, deletion or limitation of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the controller.
Right to data portability
You have the right to receive the personal data concerning you (that you have provided to the controller) in a structured, common and machine-readable format. You also have the right to have this data communicated to another controller without interference from the controller to whom the personal data has been communicated, provided that
(1) the processing is based on a consent pursuant to Art. 6 para. 1 letter a GDPR or Art. 9 para. 2 letter a GDPR or on a contract pursuant to Art. 6 para. 1 letter b GDPR and
(2) the processing is carried out by means of automated procedures.
In exercising this right, you also have the right to require that the personal data concerning you be transferred directly from one controller to another controller, as far as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability shall not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
RIGHT OF OBJECTION
YOU HAVE THE RIGHT TO OBJECT, AT ANY TIME, ON LEGITIMATE GROUNDS RELATING TO YOUR SPECIFIC SITUATION, TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU WHICH IS CARRIED OUT PURSUANT TO ART. 6 PARA. 1 LETTER E OR F GDPR, INCLUDING PROFILING BASED ON THESE PROVISIONS.
THE CONTROLLER SHALL NO LONGER PROCESS THE PERSONAL DATA CONCERNING YOU UNLESS THE CONTROLLER CAN DEMONSTRATE COMPELLING LEGITIMATE REASONS FOR PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE PURPOSE OF ASSERTING, EXERCISING OR DEFENDING LEGAL CLAIMS.
WHERE PERSONAL DATA CONCERNING YOU ARE PROCESSED FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING, INCLUDING PROFILING, INSOFAR AS IT IS LINKED TO SUCH DIRECT MARKETING.
IF YOU OBJECT TO PROCESSING FOR DIRECT MARKETING PURPOSES, THE PERSONAL DATA CONCERNING YOU WILL NO LONGER BE PROCESSED FOR THESE PURPOSES.
NOTWITHSTANDING DIRECTIVE 2002/58/EC, YOU HAVE THE POSSIBILITY OF EXERCISING YOUR RIGHT OF OBJECTION IN RELATION TO THE USE OF INFORMATION SOCIETY SERVICES BY MEANS OF AUTOMATED PROCEDURES INVOLVING TECHNICAL SPECIFICATIONS.
YOU, AS THE DATA SUBJECT, HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR SPECIFIC SITUATION, TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU WHICH IS CARRIED OUT FOR THE PURPOSES OF SCIENTIFIC OR HISTORICAL RESEARCH OR FOR STATISTICAL PURPOSES REFERRED TO IN ARTICLE 89(1), EXCEPT WHERE SUCH PROCESSING IS NECESSARY FOR THE PERFORMANCE OF A TASK CARRIED OUT IN THE PUBLIC INTEREST.
IF YOU WISH TO EXERCISE YOUR RIGHT OF REVOCATION OR OBJECTION, AN E-MAIL TO DATENSCHUTZ[at]DLR.DE WILL SUFFICE.
Right to revoke consents granted under Art. 7 para. 3 GDPR
You have the right to revoke your consent to the processing of data at any time with effect for the future. In the event of revocation, we will immediately delete the data concerned, provided that further processing cannot be based on a legal basis for processing without consent. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
Automated decision in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effect on you or significantly affects you in a similar manner.
This shall not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller;
(2) is authorised by Union law or the law of the Member States to which the controller is subject, and that law provides for appropriate measures to safeguard your rights and freedoms and your legitimate interests; or
(3) takes place with your express consent.
However, these decisions may not be based on special categories of personal data in accordance with Art. 9 para. 1 of the GDPR, unless Art. 9 para. 2 letters a or g of the GDPR applies and appropriate measures have been taken to protect rights and freedoms and your legitimate interests.
With regard to the cases referred to in (1) and (3), the controller shall take appropriate measures to safeguard the rights and freedoms and your legitimate interests, which shall include at least the right to obtain the intervention of the controller, to express your point of view and to challenge the decision.
Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you is in breach of the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.