The German Aerospace Center (Deutsches Zentrum für Luft- und Raumfahrt e. V., hereinafter referred to as "DLR") takes the protection of personal data very seriously. We want you to know when we store data, which types of data are stored and how it is used. As an incorporated entity under German civil law, we are subject to the provisions of the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG). We have taken technical and organisational measures to ensure our compliance and the compliance of external service providers with the data protection regulation.
This website uses SSL – that is, TLS encryption – in order to protect the transfer of personal data and other confidential information (for example, orders or enquiries sent to the controller). A connection is encrypted if you see the character sequence 'https://' and the padlock icon in your browser's address bar.
1. The IMPC Service
The "Ionosphere Monitoring and Prediction Center" (IMPC) developed and operated by DLR provides a near real-time information and data service on the current state of the ionosphere, related forecasts and warnings.
Since the IMPC products and data are subject to a license agreement, personal data are needed to manage the license compliance.
The IMPC Service is generally aimed at persons aged 16 years or older.
2. Name and address of the controller
Controller within the meaning of the GPDR is the
Deutsches Zentrum für Luft- und Raumfahrt e. V. (DLR)
3. Name and address of the data protection officer
Contact details of DLR's Data Protection Officer:
Deutsches Zentrum für Luft- und Raumfahrt e. V.
Phone: +49 2203 601 4015
4. Definition of terms
1. Personal data
Personal data refers to any information relating to an identified or identifiable natural person (hereinafter: ‘data subject’). An identifiable natural person is one who can be identified – directly or indirectly – in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Data subject
A data subject is any identified or identifiable natural person whose personal data is processed by the controller.
Processing is any operation or set of operations performed on personal data or on sets of personal data – whether or not by automated means – such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.
4. Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
7. Controller or data processing controller
Controller or data processing controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
10. Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
5. General information on data processing
a) Description and scope of data processing
For the purposes of the license agreement we collect, store and process the following personal data from you:
Personal data to be provided during user registration (mandatory data):
Furthermore, the following information is stored in the internal database as part of your user profile. This information cannot be changed by the user:
b) Legal basis for data processing
The legal basis for the processing of your personal data, which must be entered during registration as well of the processing of the time stamp data, is Article 6 (1) b) of the General Data Protection Regulation (hereinafter also GDPR) of the European Union.
c) Purpose of data processing and duration of storage
DLR needs the obligatory registration data for the administration of the license agreement concluded with you, for example in order to be able to legally sanction violations of contract, such as unauthorized disclosure to third parties, or to be able to manage possible terminations.
Your above-mentioned obligatory personal data will be stored on DLR's servers from the date of your online registration as a user. DLR requires the mandatory data to be provided during registration in order to manage the license agreement. If you violate the license agreement, DLR needs the mandatory registration data for the duration of the contract in order to be able to enforce its rights against you.
The corresponding license agreements run for an unlimited period. If you or DLR terminate the contract, the corresponding data record with the obligatory personal data will be deleted.
In addition, the system automatically sends you a reminder e-mail once a year. These reminder e-mails ask you to check the data stored about you and to correct it if necessary. These reminder e-mails ensure that the data set is up to date and that the contractual relationship, rights and obligations arising from the license agreement are brought to mind.
If you no longer need the license, such an e-mail can also be a reminder of the possibility of terminating the license agreement and thus limit the system to the necessary in the interest of all parties.
DLR may also use your e-mail address to contact you in case of security or other important issues.
Please note that the purpose of storing your e-mail address is to be able to contact you by e-mail until termination of your account. Therefore, the use of one-time e-mail accounts is not allowed.
Please contact us in case of changes in your e-mail address.
DLR needs the time stamp data for purposes of technical reason of the IT system, that is to say for the steering of the workflows in the system and for purposes of IT security, e.g. enforcement of the password guide line in respect to the term for password renewal, in respect to control of usage of old passwords, blocking of the account in case of serval false registration attempts, etc.
This is also the legitimate interest for DLR in the sense of Art. 6 (1) f) GDPR for processing of time stamp data. When the account is deleted the time stamp data will be deleted as well. This will be the case when the license agreement is terminated.
6. Provision of the website and generation of log files
Every time you visit our website, our system automatically collects data and information from the computer system of the calling computer.
The following data is collected:
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GPDR.
c) Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this the IP address of the user must remain stored for the duration of the session.
The data is stored in log files to ensure the functionality of the website. In addition, the data serves to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.
The IMPC Service collects a series of general data and information each time a person or an automated system accesses the Internet pages. This general data and information is stored in the log files of the servers. We may record (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our website (so-called referrer), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of access to the website, (6) an Internet protocol address (IP address), and (7) other similar data and information which serve to avert danger in the event of attacks on our information technology systems.
When using this general data and information, DLR does not draw any conclusions about the person concerned. Rather, this information is required to (1) correctly deliver the contents of our website, (2) ensure the integrity of the contents of our website, (3) ensure the long-term functionality of our information technology systems and the technology of our website, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyberattack. These anonymously collected data and information are therefore evaluated by DLR both statistically and with the aim of increasing data protection and data security in our research center in order ultimately to ensure an optimum level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a person concerned.
Our legitimate interest in data processing according to Art. 6 para. 1 lit. f GPDR also lies in these purposes.
d) Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
If the data is stored in log files, this is the case after fourteen days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or garbled, so that an assignment of the calling client is no longer possible.
e) Possibility of objection and elimination
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
Our website uses technically necessary temporary session cookies. Cookies are text files which are stored on a computer system via an Internet browser.
So-called session cookies are used for the management of the user session during the visit on IMPC. The use of session cookies is required for the secure transmission of user input from the web form to the DLR server. The session cookies become invalid at the end of the user session. The technically necessary session cookies are only used for the above-mentioned purpose and not, for example, to analyze user behavior (user tracking).
A prior consent for activating cookies used on IMPC is not required as only technically necessary temporary cookies are used.
The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f GDPR.
The purpose of using technically necessary cookies is to ensure the secure transfer of user permissions from the web forms to DLR servers and databases. The user data collected by technically necessary cookies are not used to create user profiles.
e) Duration of storage, possibility of objection and elimination
The person concerned can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common internet browsers. If the person concerned deactivates the setting of cookies in the Internet browser used, not all functions of our Internet site are fully usable.
8. Registration form
During the user account self-registration process the personal information described in section “Personal data to be provided during user registration” above is collected in an account registration web form.
The legal basis for the temporary storage of the registration data is Art. 6 para. 1 lit. b GPDR.
The temporary storage of the registration data by the system is necessary to create the user account. We can use this data for helpdesk purposes, e.g. in case of user requests due to self-registration problems.
All statements of the section “Provision of the website and creation of log files” above apply. Data stored in log files are deleted after fourteen days at the latest.
9. Contact form and email contact
Our website includes a contact form that can be used to contact us by electronic means. Where a data subject uses this option, the data entered in the input screen will be transferred to us and stored. This applies to the following data:
The following data is stored additionally when sending a message:
Your consent for data processing will be obtained, and you will be referred to this Privacy Notice during the sending process.
Alternatively, it is possible to contact us using the email address provided. The personal data of the user transferred with the email will be stored in this case.
The data is not transferred to third parties in this context. The data is used exclusively for processing the correspondence.
The legal basis for processing of the data in the event that consent has been received from the user is set out in Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR).
The legal basis for processing of the data sent to us by email is set out in Art. 6, para. 1 lit. f of the GDPR. Where email contact is established with the intention of entering into a contract, additional legal bases for the processing are set out in Art. 6, para. 1 lit. b of the GDPR.
We use the personal data you provide in the contact form exclusively to process your enquiry. In the case of contact by email, this represents our necessary, legitimate interest in data processing.
Any other personal data that is processed when you send us the contact form is used to prevent abuse of the contact form and to protect the security of our Information Technology systems.
The data is deleted as soon as it is no longer needed for the purpose for which it was collected. For personal data entered in the input screen of the contact form and personal data sent to us by email, this is the case when correspondence with the user has come to an end. A conversation has come to an end when the circumstances indicate that the relevant matter has been dealt with definitively. All conversations older than 3 months are deleted once in a month.
Any additional personal data collected during the sending process will be deleted after a maximum of 14 days.
e) Right to objection and removal
The user is entitled to revoke their consent to the processing of personal data at any time. The user may object to the processing of personal data at any time by contacting firstname.lastname@example.org. Correspondence will be discontinued in these cases.
All personal data stored in connection with contacting us will be deleted in this case.
On our website you have the possibility to subscribe to a free newsletter. When registering for the newsletter, the data from the input mask will be transmitted to us.
The main data are requested in the form:
In addition, the following data is collected during registration and stored in the database:
In connection with the data processing for the dispatch of newsletters, the data will not be passed on to third parties. The data will be used exclusively for sending the newsletter.
The newsletter is sent out based on the user's registration on the website: The legal basis for the processing of data after registration for the newsletter by the user is Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR), if the user has given his consent.
The collection of the user's e-mail address is used to send the newsletter.
The data will be deleted as soon as they are no longer necessary for the purpose of their collection. The user's e-mail address and first and last name will therefore be stored as long as the subscription to the newsletter is active.
The subscription to the newsletter can be cancelled by the user concerned at any time. Each newsletter includes a suitable link or the user sends an email to IMPC UHD (email@example.com).
11. Access to the data by third parties
To create and manage the necessary IT systems and the servers, DLR contracts with two external IT service providers, who are granted access to the users' personal data stored in the system as part of their work for DLR, in particular as part of system administration.
The two IT service providers are the following:
DLR has concluded contract data processing agreements with these two companies, which oblige these companies to comply with the requirements of data protection law and ensure DLR's right to monitor compliance with these requirements. Your personal data will neither be transmitted to other third parties nor to third countries.
12. Rights of the data subject
Your rights under the General Data Protection Regulation (GDPR) of the European Union:
1. In accordance with Article 15 of the GPDR, you have the right to obtain from the controller confirmation of whether personal data concerning you is processed by us.
Where such processing takes place, you have the right to obtain the following information from the controller:
The controller will provide a copy of the personal data that is subject to processing. Where you request additional copies, the controller is entitled to charge an appropriate fee based on administrative costs. If you place the application by electronic means, the information will be made available in a standard electronic format, except where otherwise specified by you. The right to receive a copy in accordance with paragraph 3 of this section must not adversely affect the rights and freedoms of other persons.
2. According to Art. 16 of the GPDR, you have the right to request the correction of incorrect data stored about your person at any time. Taking into account the purposes of data processing incomplete data stored about you must be completed by DLR at your request. The fulfilment of this right is also ensured by reminder e-mails sent automatically once a year.
3. Right to deletion according to Art. 17 GPDR:
Obligation to delete
You have the right to request the controller to delete personal data concerning you without undue delay, and the controller will be obliged to delete personal data immediately where one of the following grounds applies:
Information to third parties
Where the controller has made the personal data concerning you public and is obliged pursuant to Art. 17, paragraph 1 of the GDPR to delete the personal data, the controller, taking account of available technology and the cost of implementation, is required to take reasonable steps, including technical measures, to inform controllers who are processing the personal data that you have requested to be deleted by such controllers, as well as any links to, copies or replications of such personal data.
The right to deletion does not apply to the extent that processing is necessary:
Since DLR requires the personal data to be provided when you register in order to be able to legally pursue breaches of contract, it has the right under Art. 17 Para. 3 e) of the GPDR to refuse the deletion or blocking of the personal data stored on your person during the term of the license agreement concluded with you as a user after you have registered as a user. After the end of the contract, i.e. after termination of the contract, you have the right to have your personal data deleted. The same is also applicable to the time stamp data which DLR is processing on the legal basis of Art. 6 (1) f) GDPR for the purposes of technical reason of the IT system, that is to say for the steering of the workflows in the system and for purposes of IT security. As soon as the licence agreement is terminated the time stamp data will be deleted.
4. According to Art. 18 of the GPDR, you have the right to limit processing:
You have the right to request from the controller restriction of processing of personal data concerning you under the following conditions:
Where processing of the personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where you have obtained restriction of processing under the conditions set out above, you will be informed by the controller before the restriction of processing is lifted.
5. Right to notification under Article 19 of the GPDR: Where you have exercised the right to correction, deletion or restriction of processing with the data controller, the data controller shall be obliged to notify all recipients to whom the personal data concerning you was disclosed of this correction or deletion of data or of the restriction of processing, except where compliance proves to be impossible or is associated with a disproportionate effort.
In addition, you are entitled to require that the data controller inform you about these recipients
6. In accordance with Art. 20 of the GPDR, you have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transfer that data to another controller without hindrance from the controller to which the personal data have been provided, where:
In exercising your right to data portability, you have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of other persons.
The right to data portability does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to withdraw consent granted pursuant to Art. 7 para. 3 GPDR: You have the right to withdraw consent to the processing of data once granted at any time with effect for the future. In the event of withdrawal we will delete the data concerned without delay, unless further processing can be based on a legal basis for processing without consent. The withdrawal of consent shall not affect the legality of the processing carried out on the basis of the consent until withdrawal;
8. RIGHT OF OBJECTION FROM ART. 21 GPDR:
You have the right to object, at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is based on parts (e) or (f) of Art. 6, paragraph 1 of the GDPR; this includes profiling based on those provisions.
The controller shall no longer process the personal data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you have the right to object, at any time, to the processing of personal data concerning you for the purpose of such marketing. This applies also to profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding directive 2002/58/EC, you may exercise your right to object by automated means that use technical specifications.
Where personal data is processed for scientific or historical research purposes or for statistical purposes pursuant to Art. 89, paragraph 1 of the GDPR, you have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you, except where the processing is necessary for the performance of a task carried out for reasons of public interest.
Should you wish to exercise your right to withdraw consent or to object, please send an email to firstname.lastname@example.org.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects for you or similarly significantly affects you.
This does not apply if the decision:
However, these decisions must not be based on special categories of personal data referred to in Art 9, paragraph 1 of the GDPR, unless parts (a) or (g) of Art. 9, paragraph 2 of the GDPR applies and suitable measures to safeguard your rights, freedoms and legitimate interests are in place.
In the cases referred to in parts (1) and (3), the data controller is required to implement suitable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.
10. Right to lodge a complaint under Art. 77 GPDR: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your normal residence, you place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Last modified: 12/04/2021