Data protection at the SJU and Privacy statement
The SESAR JU is committed to user privacy. It only processes your personal data for limited purposes clearly, described in each specific privacy statement, and does not divulge them for marketing purposes.
All personal information is processed in line with Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data EU data (the “Regulation”), as well as SESAR JU’s IT security and confidentiality rules .
Through this website, SJU does not transfer any data to third parties, however it relies on third party organisations for the provision of certain services, the privacy policies of each of them are provided below:
- Matomo/Piwik, for analytics data
- Digital Ocean, hosting of the web site with data centers in Frankfurt
- 20STM for online content management
- Flexmail, for the registration and management of subscriptions to its newsletter
All for them provide through their privacy policies for accountability towards the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”). Neither of them use personal data for any statistical or behavioral advertising.
Personal data is any information relating to an identified or identifiable person (Article 3(1) of the Regulation). The data subject is the person whose personal data are processed. 'Processing' of personal data means any operation or set of operations that is performed upon personal data, whether or not by automated means, such as collection, recording, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, deletion or destruction.
Examples of cases in which the SESAR JU processes personal data. A system of records of these processings is maintained at the SESAR JU, and a link to each specific privacy statement or section in this website is provided below:
- Selection and recruitment procedures;
- Audit to SJU members/beneficiaries
- Internal meetings
- Internal survey(s) functionality - Specific privacy survey
- COVID-19 Pandemic – Booking system Voluntary Return to Office
- Webinars and online events organised by the SESAR JU;
- Webinars and online events via Zoom
- List of recipients for SESAR JU E-news
- Virtual challenge
- Procurement procedures and contract management, independent experts under Horizon 2020 and grant management under Horizon 2020
- Selection of the SJU Members for secondment of their staff and implementation of secondment agreement
- Access to the SJU premises
- Access to the Wi-Fi Guest network
- Appointment of new representatives to the Administrative Board
- Skype for business
The SESAR JU is the data controller and the relevant department is responsible for processing personal data. Only dedicated SESAR JU staff will have access to your personal data.
The data controller is responsible for ensuring that technical and organisational measures are undertaken so as to protect the personal data with an appropriate level of security. The data controller remains legally responsible if someone who works for him or her breaches the data protection rules.
Data subjects are informed of the identity of the data controller responsible for the processing of their personal data at the time of the collection or recording of the data by the SESAR JU, unless exceptions to the right of information apply, through specific privacy statements (notices).
Everyone has the right of information (Articles 15 and 16 of the Regulation), to know that their personal data are being processed and for which specific and limited purpose. In the context of the SESAR JU’s processing operations, this right is often fulfilled by the provision of a specific privacy statement (notice) to the data subject. The right of information is subject to certain exceptions, such as in those cases where the data subject has already disposed of the above-mentioned information, or where the provision of the information would involve a disproportionate effort, or where a restriction of the right of information constitutes a necessary measure to safeguard one of the legitimate interests mentioned in Article 25 of the Regulation.
The right to access (Article 17 of the Regulation) is the right to obtain confirmation from the data controller as to whether his/her personal data is processed and how it is processed. The data subject has the right to request a copy of his/her personal data processed.
Essential elements to exercise the right of access:
- Data subjects have the right of rectification without delay, of inaccurate or incomplete data concerning him or her (Article 18 of the Regulation), essential to maintain high level of data quality.
- The Right to erasure or “right to be forgotten” (Article 19 of the Regulation), allows data subjects to obtain from the controller the erasure of their personal data without undue delay when the processing is no longer necessary or is unlawful, the consent is withdrawn or the erasure is necessary to comply with a legal obligation. Certain exceptions such as the right of freedom of expression and information, public interest in the area of public health, scientific or historical research purposes or statistical purposes, and exercise or defence of legal claims.
- Through the right of restriction (Article 20 of the Regulation), data subjects may request, under certain situations, the Controller to block the processing of data at a given moment and for a specific period of time. Blocked personal data can only be processed, with the exception of their storage, with the data subject's consent or for the purposes of legal claims or the protection of the rights of a third party.
- The right to data portability (Article 22 of the Regulation), allows data subjects to receive a copy of his/her personal data (which was provided to the data controller by him or her) in a machine-readable format. The data subject may also ask the data controller to directly transfer such data to another Controller.
Data subjects have the right to object (Article 23 of Regulation) at any time to the processing of data relating to him or her, except in certain cases, such as where the processing is based on a legal obligation or, when the controller can demonstrate an overriding legitimate interest or, for the purposes of legal claims.
The right to refuse (Article 24 of the Regulation) allows data subjects not to be subject to a decision based solely on automated decision, including profiling (if such decision has legal effect on him or her (except for certain situations, such as entering into a contract).
SESAR JU’s DPO can be contacted at SJU.email@example.com. The SESAR JU DPO:
- Provides advice and makes recommendations on rights and obligations of data controllers and data subjects.
- Cooperates with the EDPS (responding to his requests about investigations, complaint handling, inspections conducted by the EDPS, etc.)
- Draws the SESAR JU’s attention to any failure to comply with the applicable data, and in certain situations, he or she may investigate matters and incidents either upon a request of a data subject or on his or her own initiative.
If you feel that SESAR JU is using your data in a wrong manner, you can notify the data controller for the processing in question and ask to take action as per the misusing of your personal data, you may also contact the DPO for information of any issues related to the processing of your data.
If you consider that the processing of your personal data is infringing the Regulation, you may exercise your right to lodge a complaint with the European Data Protection Supervisor (the EDPS).
The EDPS is an independent supervisory authority responsible for monitoring and ensuring the application of data protection rules by European Union institutions and bodies, including the SESAR JU. The EDPS is empowered to hear and investigate complaints and to conduct inquiries, including on his or her own initiative. If a breach of data protection rules is found to have occurred, the EDPS may exercise the powers assigned to him under Article 58 of the Regulation.
To make this website working more efficiently and to understand how it is used, SESAR Joint Undertaking (SJU) sometimes places data files called cookies on your device. Most big websites do this too. Website visitors can decide to not be tracked by these cookies and can delete them at any time.
What are cookies
Cookies are small text files that are placed on your personal computer or on your mobile device when you visit a website. It enables the website to remember your actions over a period of time. For more information on different types of cookie, see definition on European Commission site
SESAR JU uses 3 types of first-party cookies to:
- store visitor preferences
- make our websites operational (There are some cookies that we have to include in order for the web site to function. For this reason, they do not require your consent)
- gather analytics data (about user behaviour)
Here you can find a table describing all cookies used in this site:
|Name||Service||Purpose||Cookie type & duration|
Stores your cookie preferences (so you won’t be asked again)
|Necessary cookie, no consent needed. 100 days validity|
Corporate web analytics service, based on Matomo open source software
|Recognises website visitors (anonymously – no personal information is collected on the user).||First-party persistent cookie, 100 days.
|_pk_ses#||Corporate web analytics service, based on Matomo open source software||Identifies the pages viewed by the same user during the same visit. (anonymously – no personal information is collected on the user).||First-party persistent cookie, 30 minutes
|SSESS||Session ID||To uniquely identify a user associated to the session||First-party session cookie deleted after you quit your browser.
Necessary cookie, no consent needed
When a page loads, the initial and default value of cookie_agreed is 'false'. A cookie banner is presented inviting Data subject to either agree or refuse to use Matomo analytics cookies
Data subject's choice is then stored accordingly and the banner disappears, leaving only a 'Privacy' tab on every page that allows Data subject's to view and change their decision at any time.
pk_id and pk_ses cookies collect information about how visitors use our site. Matomo cookies enable the SESAR JU to track information about visitors that we use to prepare aggregated, anonymous statistics reports of visitor activity.
Matomo is configured to store first-party and persistent cookies that expire after 100 days. This means in practice:
- “First-party cookies” cookies are set by the website you’re visiting. Only that website can read them. Matomo enables the protection of end-user personal data thanks to features such as IP address de-identification and a mechanism for users to opt-out so that their browsing is not processed for analytics purposes.
- “Persistent cookies” are saved on your computer and are not deleted automatically when you close your browser, unlike a session cookie, which is deleted when you close your browser. A random ID is generated by Matomo, which allows SESAR JU to identify when a user returns to the site. All persistent cookies have an expiration date (100 days), after which they are automatically removed from the user's device.
More in details: Matomo cookies enable the SESAR JU to track the following information about visitors:
- IP address (masked)
- Location: country, region, city, approximate latitude and longitude (Geolocation)
- Date and time of the request (visit to the site)
- Title of the page being viewed (Page Title)
- URL of the page being viewed (Page URL)
- URL of the page that was viewed prior to the current page (Referrer URL)
- Screen resolution of user's device
- Time in local visitor's time-zone
- Files that were clicked and downloaded (Download)
- Links to an outside domain that were clicked (Outlink)
- Pages generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the visitor: Page speed)
- Main language of the browser being used (Accept-Language header)
- Browser version, browser plugins (PDF, Flash, Java, …) operating system version, device identifier (User-Agent header)
- Language of the visited page
- Site Search
Cookies and related information will not be shared with any other organisation for marketing, market research or commercial purposes. The SESAR JU retains full control of the data collected through first-party cookies by storing the data in servers fully controlled by the SESAR JU.
Session ID Cookie
The purpose of the SessionID cookie is to uniquely identify a user associated to the session. The cookie-related information is not used to identify you personally. This cookie will be deleted once you quit your browser.
By default, the browsing experience of website visitors is not tracked by Matomo tool. Cookies will only be installed once you expressly consent on it.
If you choose to opt-in (and thus being tracked by the Matomo tool to produce anonymised statistics), you can always change you mind and opt-out by selecting the 'Privacy settings' tab that appears at the bottom of all our web pages.
Please note: If you delete cookies in your browser, the opt-in/opt-out banner will re-appear next time you access our web site. Further, the Matomo cookie has a validy of 100 days, hence, after 100 days the opt-in/opt-out banner will appear.
Other cookies - Third party cookies
Cookies are not set by our display of social media buttons in our website pages or from the use of embedded components from those services. Each social media channel has their own policy on the way they process your personal data when you access their sites. If you have any concerns or questions about their use of your personal data, you should read their privacy policies carefully before using them.
YouTube: Some videos available on the SESAR JU website are embedded from SESAR JU’s official YouTube channel. YouTube’s privacy-enhanced mode is enabled: this means that YouTube will not set cookies for a user who views a web page that contains a privacy-enhanced YouTube embed video player, but does not click on the video to begin playback. Moreover, the application of the privacy-enhanced mode implies that YouTube will not store personally-identifiable cookie information for playbacks of embedded videos. More info available on YouTube’s embedding videos information page.
Twitter: Clicking on the Twitter icon on our website will re-direct you to the Twitter site, which has its own cookie and privacy policies over which we have no control.
LinkedIn: by clicking on the LinkedIn button on our website, you will be re-directed to the LinkedIn site, which has its own cookie and privacy policies over which we have no control;
Flickr: by clicking on the Flickr button on our website, you will be re-directed to the Flickr site, which has its own cookie and privacy policies over which we have no control;
These third-party services are outside of the control of SESAR JU. If you have any concerns or questions about their use of your personal data, you should read their privacy policies carefully before using them.
How to control cookies from your browser
Most browsers automatically accept cookies. You can prevent cookies from being stored on your computer or device by changing your browser settings instructions for most frequently used browsers are given below:
Do not track preferences
Do not track is a function that allows visitors to opt out from being tracked by websites for any purpose including the use of analytics services, advertising networks and social platforms. Do not track options are available in a number of browsers including:
- If you enable do not track in your web browser, Matomo will respect your choice and you will see the following text appearing on the legal notice page : "You are not being tracked since your browser is reporting that you do not want to. This is a setting of your browser so you won't be able to opt-in until you disable the 'Do Not Track' feature".;
- If you have enabled the do not track function, you will not be tracked. This is in addition to you opting-out of the aggregation and analysis of data for our website statistics;
- If you have not enabled the do not track option but you choose to opt-out from Matomo, your data will not be used by Matomo;
Social Media Monitoring
We analyse social media activity related to our tasks and monitor the use of our own social media channels in order to understand how we are discussed and perceived in social media and take into account the needs of the general public in our communications.
Which personal data do we process?
- identification data (name, username, user identification and geographical area)
- personal characteristics (age, gender and family status)
- consumer habits
- hobbies and interests
- professional and educational background
- photos and videos
- any other information published on a website that is analysed or on a third-party platform.
- Individual quotes may be captured (as examples and used to describe the general attitude towards the SJU in social media).
Under what legal basis do we process your data?
This processing activity is based on article 5(a) Regulation 2018/1725 and is necessary for the management and functioning of the SJU. More specifically, it falls within the SJU mandate as illustrated in the Social Media policy of 22 October 2018 adopted by the Executive Director.
Who is the controller and other actors involved in the processing?
Controller: The SESAR JU is the controller and the responsible unit for the processing activity is the External Relations Communication & Global Outreach team.
How is SESAR JU processing the personal data?
The external provider collects and analyses data from public posts by social media users on different social media channels, and tracks different online sources including fora, blogs and online news websites (Web server, Twitter, Youtube, Mobile App, LinkedIn). The external provider only processes information that is publicly available.
While the processor may collect data of some of the categories listed above, the SJU only analyses some of these data, mostly aggregate in the form of a daily and annual report provided by the processor. Individual quotes may be captured as examples and used to describe the general attitude towards the SJU in social media, however, these quotes will be limited to those of individuals who publish posts about the SJU in their professional capacity or those of influencers.
What are your rights and how can you exercise them?
You may find detailed information on your rights and how you can exercise them in the section “Your rights as data subject” above.
How long is the data retained?
Reports containing personal data will be stored for a maximum of five years and will then be destroyed/deleted. Upon the instructions of the SESAR JU, the external provider will delete the results of searches after a period of six months. Automatic backups will also be deleted from the provider’s servers after six months.
Complaints, concerns and recourse
Should you have any complaint or concern you may contact:
- the Data Protection Officer of the SESAR JU at firstname.lastname@example.org, and
- the External Relations Communication & Global Outreach team: email@example.com
- In addition, as a data subject, you have a right to recourse to the European Data Protection Supervisor (EDPS) at any time by e-mail to firstname.lastname@example.org
More information can be obtained in the SJU register of data processing operations and in the privacy notice available in the link below: