Data protection research bike BoBBi

The German Aerospace Centre e.V. (hereinafter referred to as "DLR") takes the protection of your personal data, which you provide to us in your capacity as a person affected by the "BoBBi" research bicycle, very seriously.

We would like to inform you about which personal data we process as part of the "BoBBi" research bicycle, for how long and for what purposes we do this and provide you with further information required by data protection law.

In accordance with the GDPR and the BDSG, we use the terms defined therein. The definitions can be viewed on the Internet, for the GDPR at https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=OJ:L:2016:119:TOC or for the BDSG under http://www.gesetze-im-internet.de/bdsg_2018/__2.html .

1. Name and address of the person responsible

The controller within the meaning of the GDPR is
German Aerospace Centre (DLR)
Institute of Transportation Systems
Lilienthalplatz 7 / Rutherfordstraße 2,
38108 Braunschweig / 12489 Berlin
Website: https://www.dlr.de

2. Name and address of the data protection officer

German Aerospace Centre (DLR)
The DLR Data Protection Officer
Linder Höhe
51147 Köln
E-Mail: datenschutz[at]dlr.de

3. Purpose of the data processing

The purpose of data processing is scientific research to increase road safety and accident prevention.

4. Legal basis for data processing

The legal basis for the processing is Art. 6 Abs. 1 S. 1 lit. f DSGVO.

5. Data categories

Procedure

Brief description/type of processing/processing process

There are three different cameras that are used on BoBBi. These are a front and a rear camera, with which the traffic situation in front of and behind the bicycle is temporarily recorded. The background is to investigate the behaviour of cyclists in interaction with the surrounding traffic and to derive behavioural patterns (e.g. creation of a critical situation through distraction), which may be of importance in the development of a bicycle assistance system. A 360° camera would have to be mounted above the bike, which is impractical, so two cameras were mounted here to look forwards and backwards. The handlebar camera captures the cyclist's face in order to determine their line of vision and thus determine distraction.

Data variant 1: Video recordings of the traffic environment and the cyclist

The cameras temporarily capture personal and relatable image data of the traffic environment and the cyclist's face. This personal and relatable image data is stored locally on the bike's memory and copied to an access-restricted target server at DLR at the end of the campaign, then immediately deleted from the bike's memory. The image data is anonymised so that the faces of the road users and number plates of the vehicles in the traffic environment are not recognisable. The anonymised image data is processed into objects (cars, bicycles, lorries, etc.) using object recognition methods, from which no more personal data can be derived. The images of the cyclist's face are retained.

Data variant 2: Attributed cycling trajectories with information on the traffic environment

The GPS position data and time stamps are used to generate trajectory data (trajectories) of the cyclist, which also contain the attributes of brake application, steering and lean angle, pedal pressure and cadence as well as the cyclist's face. The temporal and spatial distances to the front, rear and side are determined using the position data of the bicycle itself and the data collected on the basis of the bicycle's own sensors. Safety-relevant metrics are derived. These include variables such as time-to-collision and post-encroachment time. This data is deleted as soon as the purpose of the processing no longer applies.

Data variant 3: System calibration, maintenance, repair and quality assurance:

To ensure the error-free operation of the sensors used on the research bike, they must be calibrated sporadically and the hardware must be serviced regularly. For this purpose, brief personal video data may be temporarily stored and then irrevocably deleted.

6. Recipient/third party

Data processing in the research organisation

In the context of research projects, it may be necessary for us to transmit your personal data (see 5. Data categories) to the DLR institute involved in the respective test evaluation.

External organisations involved in research

In order to achieve the planned research results, it may be necessary for us to transfer your personal data (see 5. Data categories) to other organisations outside DLR that are involved in the research. These organisations are regularly obliged to treat your personal data with confidentiality and secrecy. If, in the context of this outsourcing of research to external bodies outside DLR, there is an order processing, a contract in accordance with the requirements of Art. 28 GDPR is concluded and thus an appropriate level of data protection is guaranteed.

External service providers

Our external service providers who carry out data processing on our behalf are contractually obliged within the meaning of Art. 28 DSGVO or a cooperation agreement to treat personal data in accordance with the applicable regulations. Insofar as the external service providers process your personal data (see 5. Data categories), we have taken legal, technical and organisational measures and carried out regular checks to ensure that they comply with the provisions of the data protection laws.

7. Storage

The personal data (see 5. Data categories) are stored on an internal, secure DLR server, which is managed by a central, certified DLR provider.

8. Cancellation

The personal data (see 5. Data categories) of the data subject will be deleted immediately as soon as the purpose of the processing no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject.

9. Your rights in relation to your personal data

If your personal data (see 5. Data categories) is processed, you are a data subject within the meaning of the DSGVO and you are entitled to the following rights vis-à-vis the controller in accordance with the provisions set out below. Important note: due to Art. 89 Abs. 2 DSGVO (scientific research), exceptions to the following rights may be made in individual cases:
(1) In accordance with Art. 15 DSGVO, you can request information about the personal data processed by us. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your personal data has been or will be disclosed, the planned storage period and the existence of the rights explained in this section 4 and 6.
(2)  In accordance with Art. 16 DSGVO, you can request the immediate correction of incorrect or incomplete personal data stored by us.
(3)  Gemäß Art. 17 DSGVO, you can request the deletion of your personal data stored by us, unless the processing is necessary for reasons specified by law, in particular to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or for the assertion, exercise or even potential defence of legal claims.
(4)  In accordance with Art. 18 DSGVO, you can request the restriction of the processing of your personal data if you dispute its accuracy, if the processing is unlawful but you refuse to delete it and we no longer need the personal data, but you need it for the assertion, exercise or defence of legal claims or if you have objected to the processing in accordance with Art. 21 DSGVO.
(5)  In accordance with Art. 20 DSGVO, you may receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or request that it be transferred to another controller.
(6)  In accordance with Art. 7 Abs. 3 DSGVO, you can revoke your data protection consent at any time. As a result, we may no longer continue the data processing that was based on this consent in the future.
(7)  In accordance with Art. 21 DSGVO Right of objection
If personal data is processed on the basis of legitimate interests in accordance with Art. 6 Abs. 1 Buchstabe f) of the DSGVO, you have the right to object to the processing of your personal data in accordance with Art. 21 of the DSGVO, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation, unless the processing is necessary for the performance of a task carried out in the public interest, Art. 21 Abs. 6 of the DSGVO
(8)  In accordance with Art. 77 DSGVO, you can lodge a complaint with a supervisory authority. As a rule, the supervisory authority of your usual place of residence or workplace or the registered office of the controller is available for this purpose.