1. Goal of the data protection policy
2. Preamble
3. Scope and delimitation
4. Responsible body at DLR
5. Data protection officer at DLR
6. Operational managers for OPERATE
7. Subject of OPERATE and purpose
8. Which personal or related data is collected?
9. Legal basis of the processing activities
10. Technical structure including the interfaces
11. Purpose of the data collection and processing
12. Transferral of personal data to third parties
13. Deleting of data
14. Granting of consent
15. Declaration of consent
16. Data subjects’ rights
17. Automated decision making

1. Goal of the data protection policy

The goal of this data protection policy is to depict the legal data protection aspects in one summarising document for the Opportunities and Risk Assessment application “OPERATE”. This is not only to ensure compliance with the European General Data Protection Regulation (GDPR) and Data protection Act (DPA) 2018 but also to provide proof of compliance.

2. Preamble

As part of the German Aerospace Center (DLR), the DLR Project Management Agency (DLR-PT) is a national project management agency. Core activities of DLR-PT are:

• Support of political dialogues and establishment of common scientific priorities
• Implementation of multilateral R&D funding schemes
• Setup of international networks (i.e. researcher, stakeholder)
• Development of common science, technology and development strategies
• Conceptualisation and organisation of stakeholder and thematic workshops

DLR-PT key personnel is trained and certified to handle “Classified information - For official use only”. DLR-PT provides comprehensive measures to protect telephone and internet communication. The IT equipment and mobile phones are under strict DLR control with zero dataflow outside of Europe. Access to premises, buildings and office space is restricted and controlled. DLR-PT applies GDPR regulations and is regularly audited.

DLR-PT is committed to continuously improve the overall data protection management system. That includes training and sensitisation of the employees.

3. Scope and delimitation

This data protection concept regulates the data protection-compliant processing of information and the corresponding responsibilities at DLR-PT and the external service providers used for data processing.

All employees of the DLR-PT and the external service providers, who work with the data collected within the scope of OPERATE are obliged to comply with the legal obligations and in particular the processes described in this data protection concept.

4. Responsible body at DLR

DLR-PT is an institute of the German Aerospace Center DLR and thus falls under the GDPR regime of DLR. At DLR the controller within the meaning of the General Data Protection Regulation and the German Federal Data Protection Act as well as other data protection provisions, is:

German Aerospace Center
Deutsches Zentrum für Luft- und Raumfahrt e. V. (DLR)
Linder Hoehe
51147 Cologne
Tel.: +49 2203 601 0
Fax: +49 2203 67310
Email: contact-dlr@dlr.de
www.dlr.de

DLR's Executive Board is empowered to act as DLR's representative. The Executive Board can also authorize DLR employees to act on behalf of DLR. The head of DLR's legal department, Linder Hoehe, 51147 Cologne, can provide information about the extent of this authorization.

5. Data protection officer at DLR

The DLR data protection officer is:
Uwe Gorschütz
datenschutz@dlr.de

6. Operational managers for OPERATE

The OPERATE team at DLR-PT can be contacted via: safeguarding-science@dlr.de

7. Subject of OPERATE and purpose

The aim of OPERATE is to provide a methodical framework to include scientists and researchers in the assessment of opportunities and risks when cooperating with international partners. This procedure is based on an online tool to collect the opinion of invited Panellists. The outcome of this assessment shall serve as basis for informed decision making, sensitization, and reveal of possible risks and opportunities in the context of international STI cooperation.
It is expected that by anonymously accumulating the resulting data, a generic assumption on the risk-benefit consideration regarding the cooperation on a specific topic with a specific country can be made. This might help European research and innovation actors to devise their international cooperation strategies, be aware of considerations of weighing risks and opportunities and be able to develop suitable mitigation measures early on in the process of cooperating.

OPERATE has three levels of users:

• Instructor: DLR employees and employees of the IQIB, the service provider of the online tool developing and maintaining OPERATE
• Operator: key personnel at research centres or central agencies who plan, initiate and control the individual assessments
• Panellist: participants in the assessments (mainly researchers)

When applying OPERATE the following information will be collected:

• Operator:various personal data see chapter 8
• Panellists:various personal data see chapter 8
• Subject of assessment: Research topic, or project cooperation (free text)
• Subject of assessment: Categorization with the UNESCO nomenclature for fields of science and technology¹
• Subject of assessment: Description of the subject of assessment (voluntary)
• Subject of assessment: Country of assessment to which the procedure is applied
• Subject of assessment: Technology readiness-level (if applicable)
• Subject of assessment: Time horizon of assessment (if applicable)
• Assessment results (anonymously, numerical marker per user)

The reported data will be collected, processed and saved by DLR-PT.

¹ SKOS: UNESCO nomenclature for fields of science and technology

8. Which personal or related data is collected?

Following personal data will be collected of the Operator and Instructor:

• Mr., Ms., not specified
• Title
• First name
• Last Name
• E-mail
• Organisation type (categorization is provided)
• Organization (voluntary)
• Department (categorization is provided)
• Country of organisation (categorization is provided)

Following personal data will be collected of the Panellists:

• First name
• Last Name
• E-mail
• Department (categorization is provided)
• Organisation type (categorization is provided)
• Country of organisation (categorization is provided)
• Organization (voluntary)

9. Legal basis of the processing activities

We process your personal data on the legal basis of Art. 6 para. 1 lit. a) DSGVO.

10. Technical structure including the interfaces

Data will be collected for the application of OPERATE within the OPERATE software. Access to the user administration is limited to the instructor’s role.

11. Purpose of the data collection and processing

Personal data will only be collected and used for OPERATE applications. It will not be processed or shared.

Data of Instructors and Operators will be stored as a background information following the registration and approval procedure. Instructors and Operators will have a permanent access (in the form of an account) to OPERATE and are enabled to initiate assessments.

Data of Panellists is stored only temporary. If an assessment is initiated by an Operator, it is necessary to process the data of Panellists for communication purposes. After setting up an assessment, the Instructor/Operator adds the data of the Panellists to the OPERATE application and OPERATE access information is sent in the form of an encrypted participant link to the Panellists. This is done entirely via the user interface, without calling up external e-mail programmes to send out the dial-in link. Among other things, this procedure serves security purposes; the system remains self-contained.

Only the respective Instructor/Operator of an individual assessment has access to the personal data of the Panellists during the assessment process.

12. Transferral of personal data to third parties

Personal data will only be collected and used for OPERATE applications. It will not be processed or shared with third parties.

13. Deleting of data

The personal data of Panellist is only stored in the context of a specific single assessment and will be deleted automatically once this assessment is finalized. For statistical reasons we will anonymously store data regarding gender, type of organisation, nationality.

All personal data of Operators and Instructors will be deleted if Operators or Instructors do not longer work with OPERATE, on requests or when OPERATE is no longer in use.

14. Granting of consent

OPERATE is an application, which will mainly be applied by few experienced persons (Instructor and Operator) at e.g. research centres or as national central contact points.

The Operators are frequent users of OPERATE who are granted access to OPERATE only upon request and approval by OPERATE Instructors. When requesting to become an Operator, consent to this data protection policy is obtained in writing.

The Panellist will be invited by the Operators to participate in individual specific assessments. With the invitation-mail Panellists are informed that their personal data will be collected and stored for the specific assessment and deleted after the assessment is completed. By accepting the invitation and logging-into the OPERATE application, consent to this data protection policies are obtained in writing.

15. Declaration of consent

By using OPERATE, users consent to the transmission of anonymized data for evaluation and scientific use by DLR Project Management Agency.

The objection to the use of anonymized data is possible by sending an e-mail to safeguarding-science@dlr.de and will result in the deletion of the affected account. Further participation in OPERATE assessments is then no longer possible.

16. Data subjects’ rights

You have the following rights vis-à-vis DLR with regard to the personal data concerning you. In order to exercise these rights, please contact the office indicated in section 1. Under the conditions and safeguards set out in Article 89 (1) GDPR, there may be exceptions to data subjects' rights in the case of research projects in accordance with Article 89 (2), (3) GDPR.

• Right of access - Art. 15 GDPR
  
  The right of access grants the data subject comprehensive insight into the data concerning him or her and into other important criteria, such as the purposes of the processing or the period for which the data shall be stored. The derogations of this right laid down in Sect. 34 BDSG are applicable.
   
• Right of rectification - Art. 16 GDPR
  
  The right to rectification implies the possibility for the data subject to have inaccurate personal data concerning him or her rectified.
   
• Right to erasure - Art. 17 GDPR
  
  The right to erasure entails the possibility for the data subjects to have data erased at the controller. This is, however, only possible if the data concerning him or her are no longer necessary, if they have been unlawfully processed, or a corresponding consent has been withdrawn. The derogations laid down in Sect. 35 BDSG are applicable.
   
• Right to restriction of processing - Art. 18 GDPR
  
  The right to restriction of processing includes the possibility for the data subject to prevent for the time being any further processing of personal data concerning him or her. A restriction mainly occurs at the stage of examining other exercises of rights by the data subject.
   
• Right to data portability - Art. 20 GDPR
  
  The right to data portability implies the right for the data subject to receive from the controller the personal data concerning him or her in a commonly used, machine-readable format in order to have them, if necessary, transferred to another controller. In accordance with Art. 20 para. 3 sentence 2 of the GDPR, that right is not available if the data processing serves the purpose of performing public tasks.
   
• Right to object - Art. 21 GDPR
  
  The right to object includes the possibility for data subjects to object, in a particular situation, to the further processing of their personal data as far as this processing is justified by the performance of public tasks or of public and private interests. The derogations laid down in Sect. 36 BDSG are applicable.
   
• Withdrawal of consent
  
  Data subjects have the option to withdrawal their data protection consent at any time with effect for the future.
   
• Complaint to a supervisory authority - Art. 77 GDPR
  
  Every data subject has the right to lodge a complaint with a supervisory authority. As a rule, the supervisory authority of your usual place of residence or workplace or the registered office of the person responsible is available for this purpose.
   

17. Automated decision making

Automated decision-making does not take place.