Mobile Sensor Road-Side-Unit (RSU)

The German Aerospace Center e.V. (hereinafter referred to as "DLR") takes the protection of your personal data, which you provide to us in your capacity as a data subject (m/f/d) of the "mobile Sensor-RSU" project, very seriously.

We would like to inform you about which personal data we process as part of the "mobile Sensor-RSU" project, for how long and for what purposes we do this and provide you with further information required by data protection law.

In accordance with the GDPR and the BDSG, we use the terms defined therein. The definitions can be viewed on the Internet, for the GDPR at https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=OJ:L:2016:119:TOC and for the BDSG at http://www.gesetze-im-internet.de/bdsg_2018/__2.html.

1. Name and address of the person responsible

The controller within the meaning of the GDPR is:
German Aerospace Center (DLR)
Institute of Transportation Systems
Lilienthalplatz 7,
38108 Braunschweig
Internet: https://www.dlr.de/en

2. Name and address of the data protection officer

German Aerospace Center (DLR)
The DLR Data Protection Officer
Linder Höhe
51147 Köln
E-Mail: datenschutz[at]dlr.de

3. Purpose of the data processing

The purpose of data processing is scientific research into road safety, accident prevention, vehicle automation and teleoperation.

4. Legal basis for data processing

The legal basis for the processing is Art. 6 (1) (f) GDPR.
Important note: Subject to the exceptions to the rights under Articles 15, 16, 18 and 21, the legal basis is Art. 89 (2) GDPR (scientific research). See point 8.

5. Data categories

1. Raw data, from camera images and/or videos as well as from other sensors that can record personal details of bystanders (e.g. newer LiDAR sensors). The content of the data is road traffic. This data very likely contains personal content and is referred to below as "personal data".
2. Anonymised data, extracted from the raw data. Personal content is made unrecognisable by automatic processing. This data very probably does not contain any personal content. There is a residual risk of incomplete anonymisation.
3. Manually checked anonymised data, extracted from the raw data or from the anonymised data. This is where the manual data review and de-identification of personal content takes place. This data demonstrably contains no personal content.

Procedure

Personal content is not part of the research purpose, but is unavoidable when recording public road traffic. Under no circumstances is personal content extracted from the data.

The following data processing is planned:

1. Direct further processing of the data to record the traffic environment: No personal content is extracted during further processing of the raw data (data category 1). The raw data is not saved.
2. Data or video data transfer from the mobile sensor RSU to others: Before this step, the raw data is automatically anonymised using software. Anonymised data is transferred (data category 2).
3. Storage of data and downstream data processing for research purposes: Here, the recorded data (data category 1) is stored outside the mobile sensor RSU in a secure environment after recording. Preferably, only data of data category 2 should be used. The data is therefore anonymised. In the long term, only data of data category 2 is stored.
4. Publication of scientific research results: The presentation and publication of selected examples of images, videos and other data in the media is only carried out with data of data category 3 due to the potentially high visibility. For this purpose, the data is checked manually to ensure that no personal content is recognisable.

6. Recipient/third party

Data processing in the research organisation

In the context of research projects, it may be necessary for us to transfer your personal data (see 5. Data categories) to the DLR institute responsible for analysing the respective experiment.

External organisations involved in research

In order to achieve the planned research results, it may be necessary for us to transfer your personal data (see 5. Data categories) to other organisations outside DLR that are involved in the research. These organisations are regularly bound to secrecy and confidentiality when handling your personal data. If, in the context of this outsourcing of research to external bodies outside DLR, order processing is involved, a contract corresponding to the requirements of Art. 28 GDPR is concluded and thus an appropriate level of data protection is guaranteed.

External service providers

Our external service providers who carry out data processing on our behalf are contractually obliged within the meaning of Art. 28 GDPR or a cooperation agreement to treat personal data in accordance with the applicable regulations. Insofar as the external service providers process your personal data (see 5. Data categories), we have taken legal, technical and organisational measures and carried out regular checks to ensure that they comply with the provisions of the data protection laws.

7. Storage

The personal data (see 5. Data categories) are stored on an internal, secure DLR server, which is managed by a central, certified DLR provider.

8. Deletion

The personal data (see 5. Data categories) of the data subject will be deleted immediately as soon as the purpose of the processing no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject.

9. Your rights in relation to your personal data