Privacy Policy

Access to personal data

Access to all personal data collected by TUDSaT e.V. is granted to the Board of Directors, association personnel appointed by the Board of Directors, IT Administrators and the data protection officer of the association. The data protection officer is elected annually and is the association's internal contact person for data processing. The current composition of the Board of Management and the current data protection officer are listed on the association's website (<https://tudsat.space>). Personal data needed for the functions of services applied by the user can be seen by other users of the same service. View services sheet in the "usage of personal data" chapter. This does not apply for services where users use the service independent of each other (communication / information platforms vs. direct contact to TUDSaT). The Executive Board can be contacted via the e-mail address ([vorstand@tudsat.space](mailto:vorstand@tudsat.space)) and the data protection officer via the e-mail address ( [datenschutz@tudsat.space](mailto:datenschutz@tudsat.space) ) Within the framework of the provisions of the German Federal Data Protection Act / Data Protection Basic Regulation, each person has the right to obtain information about the personal data stored about them by the association. In the event of incorrect data, each person has the right of correction. Contact: [datenschutz@tudsat.space](mailto:datenschutz@tudsat.space) via e-mail to do so.

Collection of personal data

TUDSaT e.V. collects and stores the necessary usage data of and for all the used services provided by TUDSaT e.V. and BVSR e.V. to ensure all functionalities, which includes personal data such as, but not limited to:

  • Name
  • Username
  • Email address
  • Mobile phone number

This privacy policy is used equally for the collection of personal data from TUDSaT personnel and the collection of personal data of external contacts, when they want to make use of TUDSaT services.

Other information about persons and organizations is only collected by the association if it is useful for the fulfillment of the association's purpose and the person or organization has given explicit consent for the collection and use of their informations.

Information that is non-personal and public by the intent of the owner (only concerning organisations) will be collected if deemed useful for the purpose of the association and unlikely to be opposed by the owner.

The deletion of these and other datapoints of persons or organisations will be done:

  • after 10 years of no interaction with the association
  • as soon as possible after instructing the association to delete via e-mail to: datenschutz@tudsat.space
  • as soon as possible after instructing the association to delete via letter to:
    TU Darmstadt Space Technology e.V.
    c/o: TU Darmstadt Space Technology e. V.
    64289 Darmstadt,
    Germany
  • when appointed association personnel notices that the reason for the collected datapoint is no longer in effect
  • when an automated IT system determines that the reason for the collected datapoint is no longer in effect

With the exception of "10 years of no interaction", all stated above reasons for data deletion will cause association personnel or an automated IT system to inform the person or organisation concerned, about which data was deleted via e-mail. In case the e-mail address is part of the data to be deleted the association assures that appointed personnel or automated IT systems deletes this data immediately after sending the notice.

In case no e-mail address was given to the association, no deletion notice will be sent.

In case a person or organisation wishes data such as pictures and videos (only data that has been provided by them) should remain for use by the association indefinitely, this wish must be stated via e-mail to: datenschutz@tudsat.space It is expected that alteration of the data for the purpose of anonymization might be necessary and that work required for this anonymization should be done by the persons / organisations concerned.

For the fulfillment of stated deletion obligations users of the BVSR/TUDSaT-Cloud, -Wiki and other services must mark the persons and organisations visible and audible in footage. They (the service user / uploadee) are also responsible for ensuring the consent of all recorded parties (consent for storage on used service).

Storage of personal data

The so called tudsat-cluster of TUDSaT e. V. consists of multiple servers operating from the "Hochschulrechenzentrum" (HRZ) at the TU Darmstadt in a data center. All data stored and offered by services of BVSR e. V. or TUDSaT e.V. are currently physically stored on the cluster. The location is as follows:

S2|20 Zentrum für IT-Sicherheit CYSEC
Pankratiusstraße 2,
64289 Darmstadt
Germany

The cluster itself is locked inside a co-shared rackspace with two other (currently unknown) hosting entities. The admins of TUDSaT e. V. do have direct access to the hardware and can administrate those. The employees of the HRZ and admins of the other hosting entities of the co-shared rackspace are also able to access the locked rack with a key. The data center itself is only accessible to hosting entities and employees of the HRZ as well as fire figthers and contractors employed by the HRZ via a transponder locksystem from SimonsVoss.

Administrators of the BVSR and TUDSaT have administrative rights, so called root permissions, to manage the nodes of the tudsat-cluster and the cluster itself as well as all the services running on them.

The cluster and the operating systems on the nodes are enclosed in a local subnet behind the Firewall of the HRZ and TUDSaT and are only reachable for administration via a wireguard VPN access providing sufficient security through cryptographical means. Services of the BVSR and TUDSaT are only reachable after passing through an isolated reverse proxy (traefik), which enforces modern encryption standards for https requiring at least TLS1.2 for all web connections (list of supported cypher suits).

All data that is stored on the tudsat-cluster is by default not encrypted by software.

Since access to personal data will, in most cases, not be done at the tudsat-cluster directly, it is to be expected that personal data will exist in cached form on personal devices. Depending on the software and hardware used, this can have varying standards of IT security.

In case of a breach in data security, the data protection officer will inform the parties concerned and hessian authorities immediately. View the chapter titled "Notice on the revocation of consent to processing or publication concerning personal data" for more information on the procedure for such security incidents.

In case of technical questions concerning the storage of personal data contact our IT-Office via e-mail to: admin@tudsat.space

Within the scope of the provisions of the German Federal Data Protection Act and related laws the right to information about the personal data stored about the concerned person can be used by contacting the data protection officer via e-mail: datenschutz@tudsat.space

When a user leaves the association their personal data will be deleted as soon as possible, unless explicit consent is given by the user (in case their information is still of use for the purpose of the association) before leaving the association.

In the event of withdrawal or expiration of permission to use personal data, the personal data concerned will be deleted, unless it has to be stored in accordance with legal requirements. Personal data relating to the association's treasury management will be stored in accordance with the provisions of the tax regulations for up to ten calendar years, starting from the withdrawal of the usage permit. After this period, the data will be deleted.

For media material stored on BVSR/TUDSaT services a general deletion time of ten years after its upload exists, if the uploadee marks the media for such automation, which they are obliged to do by agreeing to this privacy policy. The uploadee must not mark media for automated deletion when all concerned parties gave their explicit permission for indefinite storage.

Transmission of personal data

Personal data may be disclosed to internal and external natural persons or even organizations with the appropriate consent. The transmission of personal data takes place in a data-technical, encrypted procedure.

In the context of transfers of personal data, the right exists to know to whom which data has been passed on (to make use of this right contact this e-mail: datenschutz@tudsat.space). A data transmission outside of the explicitly granted consent to other third parties does not take place.

For this reason the IT-Office will log all usage of personal data via server-logfiles in order to archive who has made use of personal data stored for the association at any given time. These server-logfiles will be kept for 6 months after their generation. In case of a data breach, these server-logfiles will be used for forensic investigation, thus being kept longer in accordance with concerned authorities.

Use of personal data for the purpose of advertising or any other commercial intent does not occur, unless the user gave explicit consent.

Usage of personal data

By consenting to this Privacy Policy you agree that the TUDSaT e.V. can process your personal data according to the methods stated in this Policy, with BVSR e.V. and TUDSaT e.V. as the controllers of IT-Systems. All collection and use of personal data must be presented explicitly, in order for you to be able to agree. This is why we have listed our services and the purpose that they cover. For each purpose, the data used / needed is indicated and the processing procedure is explained. You will be able to decide by yourself whether or not you want to use all, a selection of or none of our services after agreeing to this Policy. If you wish to disagree with this policy at any point in time contact this e-mail: datenschutz@tudsat.space and express that you want to disagree (this will result in the immediate deletion of your personal data from all our records and will also end your ability to use our services). In case you have not agreed to a TUDSaT Privacy Policy before, we should not have any of your personal data, unless you have interacted with the association before the making of this privacy policy. This case will not exempt you from your right to disagree and have your data deleted.

If the controllers or any other legitimised TUDSaT-internal-entity intends to process personal data for a purpose other than listed or for other reasons than the data was collected for, they must reach out to the concerned party (owner of concerned personal data), inform them about the reasons which explain why this process would benefit them, what exactly each new use-case of their data is and wait until explicit consent or disagreement is given, before proceeding (disagreement by the party concerned or the lack of contact information will end such process). It is important to remember that implicit agreement does not exist when listing use-cases for personal data or in the legal handling of such data in general. Law and our Privacy Policy is intended to keep all agreements to the use of personal data explicit. If you suspect any TUDSaT agreement, including this Privacy Policy to be too unspecific or implicit, then please contact this e-mail: datenschutz@tudsat.space in order to request correction.

  • BVSR Wiki
  • Purpose of processing: Knowledge database of the BVSR. Data is used to prevent unauthorized access and maintain required functionality.
    Affected personal data: IP, Time(s) of usage, Browser, Resources requested, Name, Username, Published content, Pictures and videos
    Affected persons and recipients: All users of the BVSR Wiki
    Responsible authority: Association Board
  • BVSR Cloud
  • Purpose of processing: File storage and archive of the BVSR. Data is used to prevent unauthorized access and maintain required functionality.
    Affected personal data: IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Published content, Pictures and videos
    Affected persons and recipients: All users of the BVSR Cloud
    Responsible authority: Association Board
  • BVSR Chat
  • Purpose of processing: Internal communication platform within the BVSR e.V. to establish communication with a member (person) and preventing unauthorized access.Affected personal data: IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Published content, Pictures and videos, Online status, Mobile phone number (optional)Affected persons and recipients: All users of the BVSR ChatResponsible authority: Association Board
  • BVSR Antrag
  • Purpose of processing: Tool for voting on revision to texts and submitting changes. Data is used to prevent unauthorized access and maintain required functionality.
    Affected personal data: IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Published content
    Affected persons and recipients: All users of the BVSR Antrag
    Responsible authority: Association Board
  • BVSR SSO
  • Purpose of processing: Ensuring functionality of the Single-Sign-On service and preventing unauthorized access in the BVSR services
    Affected personal data: IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Membership of member associations
    Affected persons and recipients: All users of BVSR Services that require login
    Responsible authority: Association Board
  • BVSR Website
  • Purpose of processing: Presentation of the BVSR to the outside
    Affected personal data: IP, Time(s) of usage, Browser, Resources requested
    Affected persons and recipients: Every visitor
    Responsible authority: Association Board
  • BVSR Links
  • Purpose of processing: Collection of links to all services
    Affected personal data: IP, Time(s) of usage, Browser, Resources requested
    Affected persons and recipients: Every visitor
    Responsible authority: Association Board
  • BVSR Pad
  • Purpose of processing: Pad to write down protocols or other notes and preventing unauthorized access
    Affected personal data: IP, Time(s) of usage, Browser, Resources requested, Name, Username, Email, Published content
    Affected persons and recipients: All users of the BVSR Pad
    Responsible authority: Association Board
  • BVSR Pastebin
  • Purpose of processing: Anonymous pastebin service to share end-to-end encrypted text snippets
    Affected personal data: IP, Time(s) of usage, Browser, Resources requested
    Affected persons and recipients: All users of the BVSR Pastebin
    Responsible authority: Association Board
  • TUDSaT Cluster
  • Purpose of processing: Auditing changes to IT-Systems and preventing unauthorized access
    Affected personal data: IP, Username, Time & date of access, Actions taken
    Affected persons and recipients: BVSR admins
    Responsible authority: Association Board
  • TUDSaT Website
  • Purpose of processing: Presentation of the TUDSaT association to the public; hosted on Vercel with content managed via Prismic, data collected for monitoring interactions and ensuring functionality.
    Affected personal data: IP address, browser data, interaction data, device information
    Affected persons and recipients: Every visitor
    Responsible authority: Association Board
  • e-Mails
  • Purpose of processing: Direct method of communication
    Affected personal data: Email, Name
    Affected persons and recipients: All e-Mail contacts
    Responsible authority: Association or branch Board (example: Networking committee)
  • phone calls
  • Purpose of processing: Direct method of communication
    Affected personal data: Mobile and other phone numbers, Name
    Affected persons and recipients: All phone-call contacts
    Responsible authority: Association or branch Board (example: Networking committee)
  • postal Mailings
  • Purpose of processing: Direct method of communication, delivery and acceptance of hardware
    Affected personal data: Address or PO Box, Name
    Affected persons and recipients: All postal contacts
    Responsible authority: Association or branch Board (example: Networking committee)
  • Fax
  • Purpose of processing: Legacy method of communication
    Affected personal data: Fax number, Name
    Affected persons and recipients: All fax contacts
    Responsible authority: Association or branch Board (example: Networking committee)

Notice on the revocation of consent to processing or publication concerning personal data

Revocation of consent to the publication or general processing of personal data as defined in the GDPR may be submitted at any time to the Association Board or to the data protection officer.

The publication of personal data of any kind will only occur with explicit consent of the persons concerned. This chapter serves as a reminder that such consent can be revoked at any time.

The individual user may object to publication at any time by contacting the Association Board or the data protection officer. In the event of an objection, no further publications will be made with regard to the objecting user. Personal data of the objecting user will be removed from the services of the association, the publications concerned (by method of deletion of such publications) and a notice of compliance will be sent to the user concerned, as stated in previous chapters.

In case the revocation is meant to address only specific publications or specific use / processing of personal data and not all services / the Privacy Policy as a whole, such intent can be stated by the party concerned in the first correspondence regarding the subject. The data protection officer with advice from the association board and appointed TUDSaT personnel will decide whether or not a complete deletion of personal data is necessary case by case.

To make use of revocation contact this e-mail (data protection officer): datenschutz@tudsat.space

In case of unlawful conduct or security incidents with any party concerned regarding personal data, the data protection officer will inform the persons / organisations / our users affected immediately, notify hessian data protection authorities as required by law and make efforts to force deletion regarding known unlawful use. In case of fault lying within the responsibilities of the tudsat-cluster owners this notification will occur through the TUDa-CERT (the responsible entity for IT-security regarding the tudsat-cluster). The association board and appointed TUDSaT personnel will also become active participants of mitigation in this case, such that appropriate reactions can be taken as fast as possible.

Protection of Policies

In case an aspect or multiple aspects of this privacy policy turn out to be legally void or outdated, all other aspects remain in force.

The user agrees to inform the association in case such legally voiding aspects are found by them.

The association must find agreements with the concerned user and update the privacy policy.

E-Mail: datenschutz@tudsat.space

Reference to the right to complain to a supervisory authority

The State Commissioner for Data Protection and Freedom of Information of Hesse is available as the supervisory authority for the submission of complaints by data subjects regarding data protection. The complaint can be submitted via e-mail to the following address:

poststelle@datenschutz.hessen.de