Register of the Data Protection Officer

31 January, 2019

Every day personal information, also known as personal data, is processed within the European Defence Agency (EDA). The Data Protection Officer (DPO) is required to keep a register of all the processing operations on personal data carried out by EDA. The register is, therefore, a database that contains information about each type of personal data handling carried out by EDA and is accessible online to any interested person. This is done via documents called notifications, wherein the following information is summarized:

  • Who is in charge of the handling;
  • What the data are handled for;
  • Which data;
  • What are the security measures put in place in order to ensure protection;
  • For how long the data will be kept;
  • What is the legal basis;
  • The rights of the data subjects.

 

The EDA’s current Data Protection Officer (DPO) is Ms Clarisse Ribeiro. Please do not hesitate to direct any questions or queries concerning data protection, including the register, to the DPO by email to dataprotection@eda.europa.eu.

 

For any technical issues, please send an email to info@eda.europa.eu.

Data Protection Notifications
 
Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

  1. mandatory records under Article 31 of the new rules (recommendation: publicly available)
  2. compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-04

2. 

 Reference number

EDA-DPO-1

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Collection and processing of GSM details for CAP Directorate personnel, for contact in relation to work related issues while they are out of the office during working hours.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following data subjects: CAP Directorate personnel. Data processed are the following: GSM numbers of private or work phones (depending on which is held by the staff member).

 9.

Time limit for keeping the data

Personal data is retained until the staff member leaves the EDA, until they delete the data themselves or until they instruct that the personal data should be deleted.

10. 

Recipients of the data

The data is available only to CAP Directorate personnel. Personal data will not be shared with non-CAP personnel without permission from the staff member concerned.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Only CAP Directorate staff have access to the Excel list containing the GSM details.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-04

2. 

 Reference number

EDA-DPO-4

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Collection of private/service telephone numbers to allow contact with ISE Directorate colleagues in relation to work related issues while they are out of the office during working hours.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

The personal data of the following category of data subjects are processed: ISE Directorate Personnel. The personal data processed are: private/service telephone numbers.

 9.

Time limit for keeping the data

Telephone numbers are retained for the period of assignment of staff member(s) or until they instruct that the details should be deleted.

10. 

Recipients of the data

Private/service telephone numbers are available to all ISE Directorate Staff.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data are only available to ISE Staff. Only ISE Directorate Assistants have access to the Excel file.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-23

2. 

 Reference number

EDA-DPO-8-ESI-REACH, SoS and SoI Portals

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Providing a one-stop-shop for interested parties to access information on specific issues on legislation and practices of pMS (national Portal page), including national points of contact, through one single source (the EDA Portal). Information is provided by pMS who send this information to EDA and request to post it on the public Portals/national page, on their behalf. Personal data reflects contact information of national PoCs to facilitate direct contacts to MS experts in case of additional questions.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or group of people: Points of Contact (PoC) nominated/identified by relevant organisations/Ministries for the respective topics (that each portal refers to). Data processed are the following: PoC name, organisation, telephone number and e-mail address.

 9.

Time limit for keeping the data

Personal data are stored for as long as they are valid and substituted when so requested by pMS. Due to the nature of the business, staff at Ministry of Defence level are rotated and so when a responsibility is given to a different person, EDA is requested by e-mail by the respective Ministry of Defence to make the changes and substitutions. Periodically, EDA on its own initiative sends requests to Ministries of Defence to validate that their data in the Portal (respective national page) are still current, and to provide new PoC data, if there has been a recent change of responsibilities for the PoC position. Past data/files that are no longer valid are deleted from hard drives. The public Portal is updated with the new information, after replacing/deleting the previous one.

10. 

Recipients of the data

Data are posted under the contact info part of the national pages located on the Portals, which themselves are publicly available to anyone following the link from the EDA website.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

For internal hard drive data, access is limited only to the persons entrusted with the processing of personal data protected through EDA’s internal IT system.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-07

2. 

 Reference number

EDA-DPO-11

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The Internal Auditor (IA) is responsible for the Internal Audit process within EDA. The IA advises the Agency on dealing with risks, by issuing independent opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management. The IA carries out audits and systems-based reviews, and operates in accordance with professional internal auditing standards. The IA enjoys accounting, according to the financial rules applied and the Charter for the EDA Internal Audit, unrestricted access to all functions, records, property and personnel. He obtains the necessary assistance of personnel of the Agency when performing audits as well as other specialized services from within or outside the Agency. The necessary assistance is provided via various services, such as Senior Management secretariat, IT Unit and HR Unit. In the course of the work, the IA processes personal data (mostly by consultation, retrieval and, in audit reports, potential disclosure of personal data).

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

Data subjects can include any individual or group of people whose data is collected and retained in the context of an internal Audit, including e.g.:

  • EDA staff on issues related to personnel files;
  • EDA auditees on issues related to procurement and management of projects;
  • Externals on issues related to procurement of projects and services provided.

Depending on the nature and the scope of audits, the IA has full access to data, which is relevant for the audit exercise. Access to necessary information includes the possibility of crossing data collected by various sources through different databases provided that it serves the purpose of the specific audit. In the course of his duties the IA will process (i.e. handle) such personal information as described above. However, for the most part the information presented in the final Annual audit reports is anonymized.

 9.

Time limit for keeping the data

The IA of EDA retains personal data for a maximum period of two years following the conclusion of the audit.

10. 

Recipients of the data

The processing is used to produce the IA annual report, which is delivered to the Chief Executive and presented to the Agency's Management Board (AMB), in accordance with the EDA Financial Rules. The IA submits to the Agency an annual internal audit report indicating the number and type of internal audits carried out, the recommendations made and the action taken on those recommendations. However, as noted above, the IA Annual report is as a rule presented in an anonymized way. Each year the Chief Executive forwards a report to the Steering Board summarizing the number and type of internal audits carried out, the recommendations made and the action taken on those recommendations. This report contains no personal data.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

It is the sole responsibility of the IA to ensure that data and reports are stored in a security locker where only the IA has access.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-28

2. 

 Reference number

EDA-DPO-12-Access Control

  Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

This set of processing operations related to the functions of the AEOS Access Control System has the purpose of ensuring the physical protection and security of buildings and staff. They furthermore serve the following specific purposes:

  • to manage the access badges for EDA staff and external visitors, access control of all persons in possession of a permanent EDA badge;
  • to control access to individuals with vehicles;
  • to manage the SALTO locks' keys to individual offices;
  • to manage and control access to EDA meeting rooms.

8. 

Description of categories of persons whose data EDA processes and list of data categories

  • EDA postholders: Temporary Agents, Contractual Agents and Seconded National Experts (SNE) as well as trainees, secondees other than SNEs, contractors, interims, Blue Book trainees;
  • Personnel of EDA temporary contractors;
  • All other external visitors: Delegates and officials from EDA participating Member States (pMS), even when in possession of a permanent EDA badge, delegates from Third Countries, Staff from other EU institutions, other external visitors etc.

Data processed includes:

  • Name (last and first)
  • Title
  • Gender
  • Telephone (mobile/fixed)
  • Email address
  • Personnel N°
  • Department

No sensitive personal data in the meaning of Article 10 of Regulation 2018/1725 are processed.

 9.

Time limit for keeping the data

  • For EDA postholders: up to 1 month after termination/end of contract.
  • For EDA temporary contractors’ personnel: up to 1 month after termination of service contract.
  • For delegates and officials from EDA pMS, from third countries, other EU institutions staff, etc.: up to 1 month after their last visit.

10. 

Recipients of the data

Staff of the Security and Infrastructure Unit/Corporate Services Directorate.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. For the personal data that are processed by automated means, measures have been taken with the aim of:

  (a) Preventing any unauthorised person from gaining access to computer systems processing personal data, Salto locks, password;
  (b) Preventing any unauthorised reading, copying, alteration or removal of storage media, access limited to security unit;
  (c) Preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure of stored personal data;
  (d) Preventing unauthorised persons from using data-processing systems by means of data transmission facilities;
  (e) Ensuring that authorised users of a data-processing system can access no personal data other than those to which their access right refers;
  (f) Recording which personal data have been communicated, at what times and to whom;
  (g) Ensuring that it will subsequently be possible to check which personal data have been processed, at what times and by whom;
  (i) Ensuring that, during communication of personal data and during transport of storage media, the data cannot be read, copied or erased without authorisation;
  (j) Designing the organisational structure within EDA in such a way that it meets the special requirements of data protection.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-27

2. 

 Reference number

EDA-DPO-13-BCM

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The purpose of the personal data collected is to be able to mobilize and contact staff in case of crises/emergencies and to inform staff as soon as possible.

8. 

Description of categories of persons whose data EDA processes and list of data categories

EDA staff (temporary agents, contractual agents, seconded national experts), and other staff working in the agency (interns, interims, blue book trainees, etc.); EDA temporary contractors' personnel. The only data processed are the phone numbers. No sensitive data in the meaning of Article 10 of Regulation 2018/1725 are processed.

 9.

Time limit for keeping the data

Data will be retained for the period of 1 month after termination/end of contract.

10. 

Recipients of the data

Based on Security and Infrastructure Head of Unit advice and risk analysis, the CSD Director will be directly informed. He will report directly to the Chief Executive. Once the decision is taken, the system will be activated by IT.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

For the personal data that are processed by automated means, measures have been taken with the aim of:

  a) preventing any unauthorized person from gaining access to computer systems processing personal data, Salto locks, passwords;
  b) preventing any unauthorized reading, copying, alteration or removal of storage media, access limited to IT and HR Unit;
  c) preventing any unauthorized memory inputs as well as any unauthorized disclosure, alteration or erasure of stored personal data;
  d) preventing unauthorized persons from using data-processing systems by means of data transmission facilities.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-28

2. 

 Reference number

EDA-DPO-14 FSC

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

This operation serves the purpose of ensuring that access to EUCI (EU classified information) is granted only to industry or other external entities which can protect EUCI at the appropriate classification level (CONFIDENTIEL UE/ EU CONFIDENTIAL or SECRET UE/ EU SECRET) within their facilities and which have consequently been security cleared to the relevant level. All contractors who are required to handle or store information at this classification level within their facilities, either during the performance of the classified contract itself or during the pre-contractual stage, must hold a Facility Security Clearance (hereinafter "FSC") at the required level.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Facility Security Officers (hereinafter "FSO") of potential contractors needing access to EUCI, and of contractors and subcontractors, which have signed classified contracts with EDA. The data processed are: name and surname, contact details (address, phone, fax, email) of the FSO of potential bidders and contractors. No sensitive data in the meaning of Article 10 of Regulation 2018/1725 are processed.

 9.

Time limit for keeping the data

With the exception of extracts of judicial records, which are kept for a maximum of 2 years, personal data contained in procurement documents are kept for 5 years from the year of discharge in accordance with the general Procurement notification form and with EDA procurement archiving policy.

10. 

Recipients of the data

Security Unit interacts internally and externally in the tendering and/or awarding phases of classified contracts for the receipt and confirmation of FSC documents and the recipients to whom data might be disclosed are the following (on a case by case basis according to the Security provisions of the contracts):

  • Internal recipients: Procurement & Contracting Unit
  • External recipients: EDA participating Member States’ National Security Authorities/ Designated Security Authorities

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. Data are processed in specific administrative areas both in the Security and Contracting departments, the access to which is very limited and only made possible with prior authorization and on the need-to-know principle (Salto electronic access control systems have been implemented for years in EDA). FSC information sheets and certificates are kept in locked safes if printed.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-28

2. 

 Reference number

EDA-DPO-15-PSC

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

This processing operation serves the purpose of ensuring that access to EUCI (EU classified information) is only granted to individuals who have been security cleared to the relevant level, and of course after:

  a) their need-to-know has been determined;
  b) they have been briefed on the security rules and procedures for protecting EUCI and have acknowledged their responsibilities with regard to protecting such information; and
  c) information is classified CONFIDENTIEL UE/EU CONFIDENTIAL or above.

8. 

Description of categories of persons whose data EDA processes and list of data categories

  • Type and level of clearance;
  • Expiry date;
  • Basic identity data (ID/passport number, date and place of birth, etc).

No sensitive data in the meaning of Article 10 of Regulation 2018/1725 are processed.

  • EDA Staff (Temporary Agents, Contractual Agents and Seconded National Experts (SNE)), and other Staff working in the Agency (interns, seconded other than SNE, contractors, etc).
  • EDA temporary contractors’ personnel, when needing access to classified areas or IT networks.
  • Delegates and officials from EDA participating Member States (pMS), delegates from Third Countries, Staff from other EU institutions, etc., participating in EDA classified meetings.
  • Other visitors needing access to EDA secured areas or classified information

 9.

Time limit for keeping the data

For EDA personnel, personal data will be kept up to 1 month after termination/end of contract. The personal data of delegates and officials from EDA pMS, from third countries, other EU institutions staff, etc. will be destroyed immediately after the meeting or once the need has ended. For the original paper document: EDA is required to return to the national security authority or other competent national authority the original Personnel Security Clearance of its staff on termination of his/her employment contract in accordance with records being maintained respectively by each Member State and EDA.

10. 

Recipients of the data

The recipients of the data are:

  • Internal recipients: HR Unit
  • External recipients: EDA participating Member States’ National Security Authorities/ Designated Security Authorities.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

Only when needed for attendance at meetings, working groups, etc. In principle EDA does not transfer personal data to recipients other than EU institutions and bodies which are not subject to Regulation 2016/679 (GDPR). In some instances, personal data related to the status of a staff member’s personal security clearance may be required by national administrations (MoD and security bodies) for the participation of EDA staff in defence related meetings. In such a case, the staff member will request EDA security to transmit information on the status of that staff member’s PSC to the national administration (which may be recipients other than EU institutions and bodies which are not subject to GDPR). The information transferred will not include personal data per se but merely information on whether the staff member has been cleared for security purposes and, if so, at which level of clearance. This request is necessary to ensure the accreditation of the staff member for reasons of important public interest (national security) and will only be transmitted at the request of the staff member. EDA issues certificates (see Annex III) to confirm the security clearance. They are prepared on behalf of staff members upon their own individual request for participation in external meetings (mainly in the framework of Classified Contracts with EU MS or/and as EDA representatives in NATO events and working groups).

12. 

General description of security measures, where possible.

Electronic and original PSC certificates are stored in the EDA IT Server and/or in the Security containers of the Security Office. The controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-23

2. 

 Reference number

EDA-DPO-16

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The Staff and Social Committees of EDA support the wellbeing of staff and their families including spouses, children, dependents and, occasionally, third parties. The purpose of the processing of personal data can relate to attendance at events (such as Away Day or Christmas Party), allowing for building access, routine committee business and the good administration of all activities within the mandate of the two groups. The collection and storage of personal data, including media, is necessary for the organisation and performance of these activities.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or groups of people:
- Staff members
- Spouses of Staff members
- Children and dependents of Staff members
- Third parties contacted in the normal business of the Committees
Data processed could be any of the following, as appropriate, for the function/activity being planned and as voluntarily provided by the data subjects:
- name
- surname
- age or birth date
- nationality
- sex
- allergies
- ID/passport number of spouses
- car details (brand, model, colour, plate number)
- other details provided voluntarily by the staff (in a free text box)

 9.

Time limit for keeping the data

Data will be retained for a maximum of 3 months following the event. Personal data is stored for the event only and new data is created yearly for each event.

10. 

Recipients of the data

- Staff Committee & Social Committee;
- Security and Infrastructure Unit (for access to EDA premises);
- Other entities defined by the Committees for legitimate and mandated reasons and as communicated to the data subjects;
- For events organized with third parties outside EDA, data might have to be shared with the event organizer.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data are processed in accordance with the high security standards established by EDA. Data in the SharePoint space of the Staff Committee are only available to the Staff Committee. The Committees are made up of individuals who are both collectively and individually responsible for the correct application of data protection rules. The data are exported to Excel when shared with the Security and Infrastructure Unit for security management of access to EDA premises.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-12-13

2. 

 Reference number

EDA-DPO-17

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

EDA personal data, including salary data, are, in principle, processed in ABAC. However, the financial management system AX 2012 and Excel files that are necessary for financial operations and budgeting, including payments/reimbursements to third parties, are still in use for the time being.

8. 

Description of categories of persons whose data EDA processes and list of data categories

- EDA staff;
- contractors, experts, candidates, beneficiaries, other third parties reimbursed by EDA.
Data processed are the following:
- full name;
- address/contact information;
- date of birth;
- salary level;
- allowances;
- missions;
- bank information (bank account number, bank)

 9.

Time limit for keeping the data

Data necessary for audit purposes are kept 5 years from the date on which a discharge for a given year was granted. Data kept for statistical purposes are anonymized.

10. 

Recipients of the data

EDA staff members (Finance Unit, HR Unit, Director CSD, Chief Executive, Deputy Chief Executive) and auditors.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

EDA has implemented appropriate technical and organisational measures, such as restricting data to a limited number of users and reminding staff handling the data to anonymise where/as soon as possible, to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-04

2. 

 Reference number

EDA-DPO-19

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

These processing operations serve the specified, explicit and legitimate purpose of managing and enabling the execution of Security & Infrastructure support services through different contractors (e.g. supply of items and services).

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

The personal data of the following category of data subject(s) are processed: EDA Security & Infrastructure Unit contractors' personnel (e.g. ISS, Cofely, Jeune jardiniers, Lyreco, Securitas, Ambius, AIB Vincotte, SasConsult, RadarRisk, Guest...). Personal data processed are the following: name, nationality, date of birth, work telephone and email (all this information is provided by the contractors during the tender exercise in accordance with EDA contractual clauses and technical requirements, and some of them are mandatorily required to have permanent access to the EDA premises). Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and data concerning health or sex life, are not collected, and therefore not processed.

 9.

Time limit for keeping the data

Personal data will be stored in infra archives for future reference, for a retention period of 4 years, which corresponds to the standard duration of a framework contract. After expiration of each contract, data will be stored for a period of 2 years.

10. 

Recipients of the data

EDA staff

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data are processed in accordance with the security standards established by EDA. Head of Unit and deputy are the sole officers having access to these data.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-14

2. 

 Reference number

EDA-DPO-20

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

Directorate General DIGIT, European Commission provides the online platforms used by EDA for its procurement, grants and contracting activities:
- e-Submission platform for the electronic submission of tenders (in response to open calls);
- Participant Portal upon which grants or calls for experts are handled.
EDA makes use of the abovementioned platforms on the basis of a SLA signed with the Commission.

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Personal data relating to individuals is collected in view of assessing the tenderers' professional capacity (minimum capacity level relating to the team delivering the service). Upon reception of expression of interest, tender, application, proposals by EDA, personal data is collected and further processed for the purpose of the management and administration of the procurement and grant processes, contract award & management and ad-hoc activities.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Personal data of individuals submitted as part of the above activities. Personal data collected and further processed concern the applicant or tenderer and its staff and subcontractors (natural persons). Information can relate to the following data:
- names, functions and contact details;
- certificates of social security contributions and taxes paid;
- extracts from judicial records;
- financial information including identification data, bank account details (IBAN and BIC codes);
- information for the evaluation of eligibility and selection criteria: technical skills, educational background, professional experience;
- appraisal data on tenders/applications in evaluation reports, which may include observations on the individuals, consultations and/or experts proposed.

 9.

Time limit for keeping the data

- Extracts from judicial records in electronic format are kept for a period of two years after the signature of the respective contract;
- Tenders, applications and proposals not selected in the context of procurement/grant activities are kept for five years after the budget discharge;
- Procurement contracts, including personal data contained therein, are kept for five years after the budget discharge.
Personal data contained in EDA "ad hoc" contracts (concluded for the purposes of projects or programmes in accordance with Article 19 and 20), including personal data contained therein, are kept for an unlimited period under the exception referred to in Article 25(a) of Regulation 2018/1725. Data subjects may request the deletion of their personal data in a specific contract. This request will be addressed in accordance with point 19. For historical data purposes and in order to enable EDA to capitalize on past activities and lessons learned, technical specifications are kept indefinitely. Contracts awarded as a result of procurement activities are equally kept, along with the result of such contracts (the studies in general). Contracts are composed of annexes (mainly Annex I - technical specifications and Annex II - the tender). The tender may contain some personal data but such data are scarce as solely the technical tender/proposal is kept.
- Ad hoc defence contracts are kept for an unlimited period (under exemption of Article 25 (a) of Regulation 2018/1725). Data subjects may request the deletion of their personal data in a specific contract.

10. 

Recipients of the data

For the above-mentioned purpose of processing, access to personal data is granted on a need-to-know basis. Recipients of personal data shall process it exclusively for the purposes for which they were transmitted. The following recipients of personal data have been identified:
- The Responsible Authorising Officer;
- The Director/Head of Unit with managerial responsibilities in the procedure at stake;
- Members of the opening and evaluation committees. Such committees are composed of EDA staff, but might occasionally require the participation of external experts from EDA participating Member States (pMS) or other relevant EU institutions or (international) organisations. The transmission of personal data to such external experts shall be assessed on a case-by-case basis as per the requirements of Article 9 (external experts from EU origin) and the provisions under Chapter V (external experts from outside the EU) of Regulation 2018/1725;
- Accounting Officer, Finance Unit staff and other staff involved in the purchase life cycle;
- EDA Legal Advisor;
- Monitoring, auditing and inspecting authorities, such as the Internal Auditor, the College of Auditors, the EU Ombudsman and the EDPS;
- In case of dispute, the European Court of Justice or the mediation, conciliation or arbitration entity appointed by the parties.
Basic information on the outcome of the procedure (e.g. financial year, contractor name, address, contract name, value) is also made available to EDA pMS and published as appropriate in the Official Journal of the European Union and on the EDA website.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

The opening and evaluation committees are composed of EDA staff, but might occasionally require the participation of external experts from EDA participating Member States (pMS) or other relevant EU institutions or (international) organisations. The transmission of personal data to such external experts shall be assessed on a case-by-case basis as per the provisions under Chapter V (external experts from outside the EU) of Regulation 2018/1725.

12. 

General description of security measures, where possible.

If applicable, the collected personal data and all related information are stored on the designated premises and servers in line with the security provisions laid down in the Council Decision 2013/488/EU of 23rd September 2013 on the security rules for protecting EU classified information. Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. For the personal data that are processed by automated means, measures have been taken with the aim of:
(a) preventing any unauthorized person from gaining access to computer systems processing personal data, Salto locks, passwords;
(b) preventing any unauthorized reading, copying, alteration or removal of storage media, access limited to procurement files;
(c) preventing any unauthorized memory inputs as well as any unauthorized disclosure, alteration or erasure of stored personal data;
(d) preventing unauthorized persons from using data-processing systems by means of data transmission facilities;
(e) ensuring that authorized users of a data-processing system can access no personal data other than those to which their access right refers;
(f) recording which personal data have been communicated, at what times and to whom;
(g) ensuring that it will subsequently be possible to check which personal data have been processed, at what times and by whom;
(i) ensuring that, during communication of personal data and during transport of storage media, the data cannot be read, copied or erased without authorization;
(j) designing the organizational structure within EDA in such a way that it meets the special requirements of data protection.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here. You can also view the EC privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-03

2. 

 Reference number

EDA-DPO-21

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Official central point for preparation and publication of data on intranet and extranet for Member States Points of Contact for access only by the Agency and Member States having access to ECP workspace “EDA National PoCs”.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

Data are processed from the following individuals or group of people: Points of Contact for Capabilities Directors, National Armaments Directors, R&T Directors, Central Points of Contact, Deputy Central Points of Contact, Brussels Points of Contact from EU Member States. Data processed are the following: Full name and title, address, name of organisation and division, position held, contact numbers (telephone, mobile, fax and e-mail).

 9.

Time limit for keeping the data

Current lists of PoCs are available during tenure as EDA Point of Contact only, i.e. as decided by the subject’s Member State, and are subsequently deleted. Previous versions of the PoCs table are kept on EDANet with a link to the SPU SharePoint (SPU has sole modification rights) as a point of reference. Points of Contact (PoCs) are the key professional contacts between the EDA pMS and the Agency; as a result, the personal data included in the list is solely based on the professional occupation of the data subject as PoC (i.e. professional address, professional title, etc). The retention of personal data for historical purposes is justified by the need to ensure the ‘institutional memory’ of the Agency, which includes information on the representation of pMS at a given point in time. This is useful, for example, to cross check information, facilitate contact with pMS, among other things. Since the historical value of the PoC list depends precisely on the presence of data which allows the data subjects to be identified, the data cannot be anonymised. However, an equivalent level of protection to that of encryption is ensured by a restricted access to the prior lists. Indeed, the appropriate safeguards have been put in place to ensure that the data kept on the basis of historical value are not processed for any other purposes or used in support of individual measures or decisions regarding a particular individual. In particular, only the current list of PoCs is accessible to all EDA staff. Previous lists of PoCs are only accessible to SPU (which has sole modification rights).

10. 

Recipients of the data

Agency staff members and members of ECP workspace “EDA National PoCs” only.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Information is limited to Agency staff only and members of ECP with access rights to the EDA National PoCs workspace. Previous versions of the PoCs table are only accessible by SPU.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-28

2. 

 Reference number

EDA-DPO-22

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

To assess the ability, efficiency and conduct in the service of EDA staff members during their employment at EDA: Temporary agents (TAs), Contract agents (CAs) and Seconded National Experts (SNEs).

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or groups of people: All EDA Staff, except the Chief Executive and Deputy Chief Executive, i.e. Temporary Agents and Contract Agents engaged for a period of one year or more who have completed their probation period and who have been in active employment for a continuous period of at least one month as established staff member during the reporting period. SNEs who have been seconded to the Agency for a continuous period of at least four months during the reporting period.
Data processed are the following. The following personal data are recorded in the various parts of the form:
- Staff Member data (pre-filled by HR): Surname and first name; Administrative Status (TA, CA); Grade; Directorate/Unit; Job Title; Start of Contract; Assessment period; Reporting Officer; Countersigning Officer.
- Self-assessment: To be completed by the staff member taking into account his/her efficiency, ability and conduct against the objectives and the overall contribution. Staff Member's signature and date.
- Annual appraisal report by the Reporting Officer: The assessment is to be completed taking into account the efficiency, ability and conduct of the staff member against the specific objectives and her/his overall contribution. If the overall performance is considered as unsatisfactory, the dedicated box should be ticked as per Article 2(3) of the CE DECISION N 15/19 of 11/12/2015 on the performance appraisal. This will entail a specific follow up of the performance of the staff member. Date of the appraisal dialogue. Reporting Officer's signature and date.
- Countersigning Officer's comments, date and his/her signature.
- Comments of the Staff Member. The Staff Member should tick the appropriate box: I accept the report without comments; I accept the report with comments; I do not accept the report for the following reasons (which will lead to an appeal to the Appeal Assessor). Date and his/her signature.
- Reserved for Corporate Services - Human Resources: date and signature.
Objectives and training and development needs agreed between the staff member and reporting officer. A job description is also attached to the workflow. In case of appeal and after a dialogue with the staff member, the appeal assessor confirms the report or amends it, giving reasons. The report becomes final by decision of the appeal assessor. The staff member is notified, by email or other written means, that the decision rendering the report final has been adopted and that the report may be consulted in the electronic system. The staff member shall also have access to the appeal assessor's decision.

 9.

Time limit for keeping the data

The final probationary period report is kept in the electronic workflow and personal file for a period of 5 years, except in case of pending legal action in case the jobholder is not confirmed on the post.

10. 

Recipients of the data

The reporting officer, the countersigning officer, the deputy chief executive, the chief executive, the corporate services director, the head of human resources, the authorized human resources unit staff, administrations of staff that are seconded to EDA (i.e. participating Member States upon request), the appeal assessor.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, others). Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-15

2. 

 Reference number

EDA-DPO-23

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

To assess the ability, efficiency and conduct in the service during the probationary period of the staff members: temporary and contract agents (TAs and CAs), with a view to confirming or not confirming the contract or to extending the duration of the probationary period.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals: All EDA staff (i.e. TAs and CAs whose contracts are concluded for a duration of one year or more).
Data processed are the following. The following data are recorded in the various parts of the form:
1. Staff Member data (pre-filled by HR): name and surname; administrative status (TA or CA); Grade; Directorate/Unit; Job Title; Start of contract; Probation period; Reporting Officer; Countersigning Officer.
2. Self assessment: To be completed by the staff member taking into account his/her efficiency, ability and conduct against the objectives and the overall contribution. Staff Member's signature and date.
3. Probation report by the Reporting Officer: The assessment is to be completed taking into account the efficiency, ability and conduct of the staff member against the specific objectives and her/his overall contribution. Recommendation: confirmation of the staff member in his/her functions, or extension of the probation period for a maximum of 6 months (in exceptional cases), or dismissal. Reporting Officer's signature and date.
4. Countersigning Officer's comments, date and his/her signature.
5. Comments of the staff member, date and his/her signature.
6. Decision of the AACC: confirmation of the staff member in his/her functions, or extension of the probation period for a maximum of 6 months (in exceptional cases), or dismissal. Date and his/her signature.
7. Reserved for Corporate Services - Human Resources: date and signature.
The objectives agreed beforehand between the staff member and the reporting officer for the next period are also attached to the workflow while the last page of the probation report contains the objectives agreed for the following period. A job description is also attached to the workflow.

 9.

Time limit for keeping the data

The final probationary period report is kept in the electronic workflow and personal file for a period of 5 years, except in case of pending legal action where the jobholder is not confirmed in the post.

10. 

Recipients of the data

- The Reporting Officer of the probationer;
- The Countersigning Officer;
- The Deputy Chief Executive;
- The Chief Executive;
- The Corporate Service Director;
- The Head of Human Resources;
- The authorised Human Resources staff.

Furthermore, transfer to the Disciplinary Board, the EDA Internal Auditor, the Legal Advisor, the College of Auditors, OLAF, the Civil Service Tribunal, the EDPS and the European Ombudsman can be considered necessary in certain cases for the performance of the respective supervisory, advisory or judicial task. Finally, transfers of administrative and evaluation data contained in the personal files to responsible services in other EU institutions, bodies or agencies can be considered necessary in case of the transfer of a specific staff member. In case of mobility of the staff member or reporting officer, the probation report can be communicated to the new reporting officer to allow an efficient follow-up of the staff member's performance, objectives and learning needs.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, etc.). Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-09-30

2. 

 Reference number

EDA-PCN-24

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Data is processed to meet the rights and duties of EDA staff pursuant to the Staff Regulations and SNE Rules in the context of the termination of their employment at EDA.

8. 

Description of categories of persons whose data EDA processes and list of data categories

EDA staff terminating employment, including Temporary Agents (TA), Contract Agents (CA) and Seconded National Experts (SNE).

Application of the data subject before his/her departure: a person ending his/her employment with EDA (Temporary Agent, Contract Agent and SNE), and who shall provide a completed, signed and documented Departure Checklist.

The relevant Departure Checklist shall provide the following information and any related further information:

o Information on the leaving staff member/data subject:
  • Identification data regarding the leaving staff member/data subject, notably: name, personnel number, type of contract, end date of contract, reason for leaving EDA (end of contract or resignation);

o Information requested by the EDA HR unit from the leaving staff member/data subject, to be returned to the HR unit:
  - Handover checklist;
  - severance/pension forms;
  - unemployment forms;
  - signed Confidentiality Agreement/staff exit declaration;
  - signed application form for authorisation to engage in an occupational activity after leaving the EDA;
  - special ID card;
  - business cards;
  - leave balance;
  - new contact details after departure;
  - removal request form (back to place of recruitment/origin);
  - resettlement allowance form;
  - travel expenses on termination of service form.

o Information requested by EDA Corporate Services Directorate:
  • Finance Unit: returned credit card and pending missions;
  • IT Unit: returned material (Sec ID, USB, GSM, Laptop);
  • Security Unit: returned EDA security badge;
  • Infrastructure Unit: returned signed asset management form.

 9.

Time limit for keeping the data

The retention policy with regard to the EDA Personal file applies: as part of the EDA Personal file, documents are kept for 5 years after the termination of employment at EDA, subject to settlement of pending rights such as pension payments, unemployment.

10. 

Recipients of the data

- The Chief Executive, the Deputy Chief Executive, the Corporate Services Director, the Head of Human Resources Unit;
- The Human Resources Unit: as referred to in the end-of-employment Checklist;
- Heads of Unit referred to in the end-of-employment Checklist: IT unit, Finance unit, Infrastructure and Security unit;
- The Head of Unit of the exiting staff member and the Director under whom the Unit falls;
- The EDA Internal Auditor;
- Institutions or bodies having a legitimate purpose of audit, of the exercise of supervisory tasks or in charge of judicial proceedings: the College of Auditors, the EU Ombudsman, OLAF, the EU Courts and any competent National Court.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

NO

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, others). Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-27

2. 

 Reference number

EDA-DPO-25 Recruitment

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Processing of personal data in view of possible employment with EDA following an appropriate selection procedure for various staff categories, namely: - Temporary agents (TAs); - Contract agents (CAs); - Seconded National Experts (SNEs); - Trainees. To select and recruit different categories of statutory staff (temporary staff and contract staff), non-statutory staff (seconded national experts) and trainees (participating in the Blue-Book Trainee (BBT) Scheme of the European Commission or in the EDA Traineeship Programme for recent graduates); to manage applications at the various stages of these selections; to manage and check the use of reserve lists when applicable.

8. 

Description of categories of persons whose data EDA processes and list of data categories

All candidates submitting an application for a position of a TA, CA or SNE at EDA following a vacancy notice. All vacancy notices are announced on the EDA website. All candidates for a traineeship at EDA as well as individuals sending a spontaneous application to EDA.

Data processed:
- Personal data allowing the candidate to be identified, i.e. surname, first name, date of birth, gender;
- Information provided by the candidate to allow the practical organisation of preselection and other tests, i.e. address information: street, postcode, town, country, telephone, fax, e-mail;
- Information provided by the candidate to verify whether he/she fulfils the eligibility and selection criteria laid down in the vacancy notice, i.e. nationality, languages, education, employment record, military/civil service record, other skills relevant for the job such as knowledge of computer software;
- Information about the length of the legal notice period required, objection against inquiry with present employer, periods spent abroad, references, motivation, declaration of honour as well as where the applicant found out about the vacancy;
- If applicable, results of the pre-selection or written/oral tests (temporary staff, contract staff and seconded national experts);
- Information regarding security clearance and police record;
- Financial information (BAF, bank details form), for those invited for an interview having the right to be reimbursed;
- Medical data in the context of the pre-employment medical visit of those candidates who received a job offer and accepted it (not applicable to SNEs and trainees).

Information about disability might be requested in order to facilitate the access of the candidate(s) to the EDA premises.

 9.

Time limit for keeping the data

Recruitment documents related to selected candidates for temporary staff and contract staff positions are kept in the agent's personal file, in accordance with art. 33 and art. 104 of the EDA Staff Regulations, for a period of 5 years after the jobholder has terminated employment at the agency. The same filing practice and retention is applied for recruited SNEs and trainees.

Documents related to non-selected applicants for temporary staff, contract staff and seconded national experts positions:
- Personal data contained in supporting documents will be deleted after 6 years following the closure of the selection for candidates invited for interview, or after 3 years for candidates not invited for interview.
- Personal data of non-selected applicants for trainee positions will be deleted after 3 years following the closure of the selection.
- For candidates who created an application but finally did not submit it, the personal data is deleted as soon as the selection is completed.

Documents related to non-recruited applicants for temporary staff, contract staff and seconded national experts positions placed on a reserve list:
- The retention period shall be for a maximum period of 6 years following the closure of the selection.

Specification with regard to the processing of security clearance and/or police record: The formal job offer to candidates who have successfully passed the interview includes a request to provide a recent excerpt of the police record, which is conditional for confirmation of the recruitment. This document is thus asked only from the candidate(s) to be recruited. This document is only consulted by the HR Officer in charge of the respective recruitment and then always returned to the candidate concerned. An acknowledgment of receipt is placed in the personal file of the candidate who becomes a staff member.

Security clearance(s) are handled in accordance with notification DPO-15-PSC, namely up to 1 month after termination/end of the contract. Spontaneous applications are deleted after having informed the applicant(s) that the application cannot be kept in accordance with Regulation 2018/1725. Anonymised data could be kept longer for statistical purposes.

10. 

Recipients of the data

- Human Resources Unit (staff in charge of recruitment);
- Members of the selection panel for temporary staff, contract staff and seconded national experts positions;
- Members of the requesting unit for trainees;
- EDA Finance Unit (for the purpose of reimbursement of travel costs related to interviews);
- Director of the Corporate Services Directorates (CSD);
- Deputy Chief Executive;
- Authority Authorized to conclude contracts of employment (Chief Executive).

Also, if appropriate, access will be given to:
- the Internal Audit Service;
- the European Ombudsman;
- the Civil Service Tribunal;
- OLAF;
- ECA;
- EDA Internal Auditor;
- EDA Legal Advisor;
- the European Data Protection Supervisor.

Should the applicant’s name be put on a reserve list (temporary staff, contract staff and seconded national experts) and should a similar vacancy arise in another Directorate, the Director to which the vacancy belongs can have access to the CV and results of the evaluation of the applicant.

With regard to pre-employment medical check-ups: The Medical Service of the Council (not applicable for SNEs and trainees).

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Submission of applications to vacancies is done electronically via the appropriate IT tool. The applicant has to register an account accessible via a username and a password. EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-12-03

2. 

 Reference number

EDA-DPO-27-leave management

  Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The personal data are processed for the management of all entitlements for annual leave, special leave, sick leave and in general all the related working conditions of Temporary Agents (TAs), Contract Agents (CAs), Seconded National Experts (SNE) and Trainees at EDA.

8. 

Description of categories of persons whose data EDA processes and list of data categories

There are 2 main categories of data subjects, namely:
- EDA staff members and SNEs and trainees (SNEs and trainees for a restricted number of leave entitlements);
- In connection to special categories of leave, relatives of EDA staff, including spouse, children and relatives in ascending line.

Personal data processed:
- main employment and career data at EDA: start date of EDA employment, category/status, termination/end of contract with EDA, place of origin, age;
- documents containing personal data such as justification documents for various categories of specific leave, information on carry-over of annual leave not taken from the previous year;
- information on the EDA staff member's family situation, including the relationship to family members;
- sensitive data in the meaning of Article 10 of Regulation 2018/1725, namely health related data, including medical certificates, confirmation on treatment/medical appointments, medical data and health diagnosis information of the EDA staff members and of their relatives, including spouse, children, relatives in ascending line. The processing of medical personal data has been notified to the EDPS.

Information on political appointment and participation in elections of the EDA staff member.

 9.

Time limit for keeping the data

Annual/Special and Sick leave requests are stored electronically in the leave management workflow on the EDA server. Medical certificates with no indication of the medical diagnosis are stored in a locked cupboard with restricted access to the HR Unit. Such data are kept for a period of 3 years. Additionally, the leave management tool is used to run several reports including statistics on sick and special leave and leave requests per directorates.

10. 

Recipients of the data

- the Line Manager of the data subject and his/her Head of Unit;
- his/her Director;
- the Chief Executive;
- the Deputy Chief Executive;
- the Corporate Services Director;
- the HR Unit;
- the Council Medical Service;
- the European Council Invalidity Committee;
- the EDA IT Unit (for support on the electronic management system);
- the EDA Internal Auditor;
- the College of Auditors;
- the European Ombudsman;
- the European Data Protection Supervisor;
- the Court of Justice of the European Union.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Leave requests are stored in an electronic database. The data are kept in the password-protected Leave Management System. Medical certificates with no indication of medical diagnosis are stored in a locked cupboard with limited access to the HR Unit.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-09-30

2. 

 Reference number

EDA-DPO-29

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

European Council Medical Service

7. 

Purpose of the processing

The processing of health data serves various organisation management purposes at EDA, including:
- Management of pre-employment check-ups for future EDA staff members and annual medical check-ups for TA and CA;
- Management of certain leave entitlements for TA, CA, SNEs, Trainees and Interim;
- Determining working conditions for TA & CA;
- Annual Health promotion and sickness prevention programs for TA and CA.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Categories of persons:
- TA, CA and SNEs, Trainee and Interim Staff;
- In connection to certain types of leave documented: relatives of EDA staff, including spouse and relatives in ascending line;
- Candidates offered a TA or CA position at EDA, when undergoing a pre-recruitment medical check-up.

Data categories:
- First name, last name, date of birth, place and country of birth, nationality, gender, address, tel, email, civil and family status (for pre-employment medical check-ups);
- Medical certificates from staff members that could contain health data;
- Special leave documents including medical reports.

 9.

Time limit for keeping the data

- The "apt for duty note" for the pre-employment check-up: as long as the "Personal file" exists;
- Confirmation that staff members underwent the annual medical check-up: 5 years;
- Confirmation of the invalidity: for the duration of the invalidity until the pensionable age;
- The "apt for duty" or "not apt for duty" note of non-recruited persons: 2 years;
- Medical certificates are kept for a period of 5 years.

10. 

Recipients of the data

Medical Council of the Council and EDA HR Unit

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

NO

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, others). Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-17

2. 

 Reference number

EDA-DPO-30

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Personal data processing carried out by EDA in the context of the informal and formal procedure to prevent psychological or sexual harassment in accordance with the provisions of EDA Staff Regulations. The purpose of the data processing, the implementation modalities and the role of parties involved in the procedure(s) are described in a policy document available to all staff on EDA Portal (Decision N 18/14 of 16 May 2018), namely to prevent, investigate and take any necessary measures concerning psychological or sexual harassment.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or group of people:

In the informal procedure:
- each and every person working at EDA, regardless of grade or contract of employment (this includes the trainees and all those working under a contract under national law), where he/she is identified or defined as an alleged victim of harassment by a member of staff of EDA;
- any person aware of a situation of harassment insofar as he/she is involved in the informal procedure;
- the alleged harasser is also considered as a data subject insofar as she/he is involved in the informal procedure.

In the formal procedure:
- staff identified or defined as an alleged victim of harassment by a member of staff of EDA (only staff covered by the EDA Staff Regulations have access to the formal procedure);
- the alleged harasser (only staff covered by the EDA Staff Regulations have access to the formal procedure);
- any person aware of a situation of harassment insofar as he/she is involved in the procedure.

Personal data processed in the context of the anti-harassment procedure may comprise:
- objective ("hard") data collected as necessary to properly administer the case;
- subjective ("soft") data collected by the External Prevention Advisor, based on statements and reflecting facts and perceptions of the alleged victim, of any person aware of a situation of harassment and of the alleged harasser (provided the victim gave the Advisor prior consent to contacting the latter).

As far as relevant and necessary for the specific purpose of the case, data processed may comprise data qualified as sensitive in Article 10 of Regulation 2018/1725 (i.e. data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, biometric or genetic data, health data or data concerning the data subject’s sexual orientation).

The collection of soft data does not follow systematic rules as to the type of data processed and it is not possible to determine a priori the type of data collected. In accordance with Article 4 of Regulation 2018/1725, data collected should in any case be adequate, relevant and not excessive in relation to the case handled. This analysis must be conducted on a case-by-case basis.

 9.

Time limit for keeping the data

The External Prevention Advisor and the Investigation Team shall not keep personal data on a case for a period longer than three months following its closure. Personal data should be either destroyed or returned to the data subject who provided them. The Human Resources Unit holds the historical memory of anti-harassment procedures for a maximum of five years from the opening of the procedure. Five years is the period considered necessary for the Human Resources Unit to evaluate the harassment prevention policy, to reply to any legal questions and to identify multiple or recurrent cases. Files may be retained for a further five-year period in case an administrative or legal action is pending (e.g. with the European Ombudsman or the Court of the European Union).

10. 

Recipients of the data

The hierarchical superior of the alleged victim, the Head of HR unit, the External Prevention Advisor/Mediator, the Corporate Service Director, the Chief Executive, the Deputy Chief Executive, the Investigation team, the Internal Auditor, the College of Auditors, OLAF, the Court of Justice of the EU, the European Ombudsman and any national court.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist


Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-04

2. 

 Reference number

EDA-DPO-31

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

SendinBlue, a simplified joint stock company registered with the Paris commercial registry under No 498019298 and whose registered office is located at 47, rue de la Chaussee d'Antin, 75009 Paris, provides email and/or SMS marketing and/or transactional solutions via its website www.sendinblue.com and is used by EDA for the sending of the e-mail newsletter. Under EDA General Terms and Conditions all contractors are obliged to ensure data protection compliance when processing personal data.

7. 

Purpose of the processing

The purpose of the processing is to group information on data subjects in order to convey information on EDA activities, in particular by sending e-news and postal sending of hard-copy EDA magazines. The explicit and legitimate purpose of this action is to keep stakeholders informed on the activities of the EDA, serving the principle of public information and transparency.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

Data are processed from the following individuals or groups of people:
- National Administrations' civil servants;
- European Institutions' civil servants;
- Industry professionals;
- Academic & Think-tank professionals;
- Sectoral associations' professionals;
- Army/Navy/Air Force;
- Press;
- Any individual interested in receiving news from EDA, as indicated by completing the e-news sign-up form.
Data processed are the following:
For e-news:
- First name and surname;
- E-mail address.
Additional information needed for the paper magazine:
- Postal address.
The following additional information may be processed for further customer relations management:
- additional personal information (organisation, department, job title);
- additional contact information (phone, fax, website);
- roles (representing country, representing organisation).

 9.

Time limit for keeping the data

Data will be kept in the database for the purposes outlined above until the data subject expresses his/her wish to be deleted from the database:
- An annual email reminder is sent to all data subjects informing them that they are included in EDA's database and providing the Privacy Statement.
- Every e-newsletter sent via the EDA communication database contains an unsubscribe option; the data of the data subject requesting to unsubscribe is subsequently deleted from the database.
- Emails that are returned to the sender will be deleted from the database.

10. 

Recipients of the data

The internal recipients of the data are the Media and Communication Unit, the EDA assistants and IT Unit. The Media and Communication Unit commissions an external contractor (through a framework contract for communications services) for the postal sending operations of the EDA magazine in print, in case the subscriber has expressed the wish to receive such publication.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

The data are stored on the host servers on which SendinBlue processes and stores its databases, located exclusively within the European Union. SendinBlue does not transfer data outside of the European Union under the supervision and responsibility of the EDA IT unit. Only MCU & IT staff & assistants have access to the EDA database. EDA's contractors are bound by a specific contractual clause under EDA general Terms and Conditions and under the respective contract for any processing operations of personal data on behalf of EDA, abiding by strict technical and organisational security measures in adherence to Regulation 2018/1725. SendinBlue has taken all necessary precautions to safeguard personal data and, in particular, to prevent it from being misrepresented, damaged or accessed by an unauthorised third party. These measures include the following:
- Multi-level firewall;
- Anti-virus with a proven reputation for detecting attempted intrusions;
- Encrypted data transmission.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-26

2. 

 Reference number

EDA-DPO-37-Int Act Directory

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The purpose of Internal IT applications like the Active Directory is to provide each legitimate user with valid credentials to EDA network and its resources and manage the access rights thereto. The Active Directory (AD) is a core database, which Microsoft Servers use to store information about the users of the system. It enables the network communication between devices and the functioning of most EDA software applications and EDA work assets.

8. 

Description of categories of persons whose data EDA processes and list of data categories

All EDA staff who need to have access to EDA IT resources in order to perform their contractual duties within EDA premises and via remote access. Electronic data on official business coordinates: first name, last name, email, telephone number, title, unit, company and office number. In addition, their credentials to access EDA resources. No sensitive personal data in the meaning of Article 10 of Regulation 2018/1725 are processed.

 9.

Time limit for keeping the data

Data is removed as soon as the staff member’s contract is terminated and erased no later than 30 days after the employee’s departure from the agency.

10. 

Recipients of the data

Active Directory data is accessible to all EDA staff. Active Directory is used as internal identification mechanism for several EDA applications.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-23

2. 

 Reference number

EDA-DPO-39

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

European Research Council Executive Agency (ERCEA) ERCEA processes data on behalf of the controller as far as storage/hosting, back-up, and recovery of data in servers paid by the ERCEA and administered by DIGIT on behalf of ERCEA is concerned (Article 1(d) of Memorandum of Understanding).

7. 

Purpose of the processing

The purpose of the processing of personal data is the partial reimbursement of costs of public transportation used by staff for commuting to and from work. Windflower is an IT application that allows interested staff members to enrol and request reimbursements of costs of public transportation used for commuting to and from work. Windflower helps the authorised staff to handle the files and create the relevant payments orders.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Statutory staff (temporary and contract agents) of EDA. The data collected concern the name, surname, address (both personal and professional), phone number, date of birth, personnel number, possibility of picture (when not hidden during the scanning). The processor has access to the following data:
- Name and surname;
- User ID and user name;
- Picture (if visible on submitted documents);
- Personnel number;
- Contract type;
- Contract start date and contract end date;
- Unit;
- Office;
- Phone;
- E-mail;
- Private address.

 9.

Time limit for keeping the data

The data stored in Windflower are kept for a maximum period of 5 years from the date on which the agent leaves the institution, as the relevant paper file. If a staff member quits the public transportation contribution scheme or the Agency, electronic data is kept for 2 years but the rule of 5 years retention is maintained for the paper file.

10. 

Recipients of the data

In the EDA, access to Windflower is limited to: - EDA staff members entering their request for reimbursement (only access to their own file), - Authorized HR staff in charge of validating all requests, - Finance Unit team in charge of payments, - IT Unit team in charge of the maintenance of Windflower. In the ERCEA, the responsibility of management of the data as listed in Annex I of the Memorandum of Understanding is upon the IT team in charge of Windflower. In addition, some personal data may be disclosed, in compliance with the relevant current legislation and established case law, and on an ad hoc basis, and if justified, to: the Civil Service Tribunal at its request; the Ombudsman, at its request; the European Data Protection Supervisor, at its request; the audit and control bodies such as OLAF, Court of Auditors, EACI internal Audit, the Internal Audit Service.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

The ECAS authentication system is used for accessing Windflower. The data collected are only accessible to authorized agents. Restricted access to the Windflower application and database is granted and monitored by the Local System Administrator upon instruction and authorization of the responsible hierarchy. The paper files are kept in locked cupboards (archive). When circulating paper files, confidentiality markers are used.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-12-18

2. 

 Reference number

EDA-DPO-41-mobile phone

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

EDA has a contract with Proximus for the provision of the SIM cards, mobile phones, voice and data transfer services. Proximus client service: 080055800 (from abroad: +32 475 156030). Staff shall call the Proximus helpdesk directly in order to block SIM card in case of loss or theft.

7. 

Purpose of the processing

The purpose of the processing is the verification of invoices in order to ensure that the use of the mobile phone by each staff member does not exceed the "flat rate", in other words, the verification of detailed invoices in case of high invoiced amounts. The need to process data is considered necessary for the management and functioning of EDA. As the policy states, service mobile phones are a professional tool and are provided to certain members of staff in the context of performance of professional activities.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

EDA staff (temporary staff, contract staff, special adviser) and Seconded National Experts (SNEs) who have received a service mobile phone or service SIM card in accordance with EDA Decision 16/16 and who have signed the "Statement of Use" under Annex II of that Decision. The itemized invoices include the following data:
- basic staff information including name, EDA mobile number and monthly cost;
- form of communication (text or call, but not the content of communication);
- numbers called;
- the destination, the time, the duration of each call;
- the location from where the call was placed.

 9.

Time limit for keeping the data

The general billing information shall be stored for 5 years after the discharge as required by the provisions of the Financial Regulation and its Rules of application for audit and discharge purposes. The itemized invoices are deleted immediately after the verification and in any case no later than 6 months after the processing, except where needed for financial or disciplinary follow-up.

10. 

Recipients of the data

IT and Finance staff involved in payment and verification of invoices.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

As a general rule, EDA IT sends regular messages relating to Security, in particular in relation to the handling of personal data on IT systems in EDA. This, along with regular training on data protection matters (namely, induction to newcomers and general information session for all staff), ensures an adequate level of information of EDA staff to the measures necessary to ensure the security of processing. In addition, EDA units are subject to the internal audits performed by the Agency Internal Auditor. The areas subject to internal audit are determined in accordance with EDA rules and procedures as set out by the EDA Financial Rules, namely the key areas agreed on an annual basis with senior management. EDA staff is bound by the EDA Staff Regulations which provide for a duty of confidentiality. This, along with the other key staff obligations in relation to performance, ensures an overall understanding of the requirements when handling personal data. In this particular processing operation, the controller has implemented appropriate technical and organisational measures to ensure an appropriate level of security. The security risk assessment is currently performed on an ad hoc basis by the controller with the support of the DPO and follows the provisions of Regulation 2018/1725 in this regard.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-29

2. 

 Reference number

EDA-DPO-43-Whistleblowing

  Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The purpose of this processing operation is to enable the reporting of illegal activity, fraud, corruption or other serious professional misconduct in EDA, to establish reporting channels for whistleblowers, to manage and follow-up reports, and to set out the rights and duties of the whistleblower. It also aims to ensure that the Agency protects the whistleblower's legitimate interests and privacy as well as the personal information of the person(s) named by the whistleblower, witnesses and other third parties appearing in the whistleblowing report.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or groups of people:
- Staff members (temporary staff, contract staff, SNEs);
- Persons involved in the whistleblowing procedure, incl. the whistleblower, persons named by the whistleblower, witnesses, other third parties appearing in the whistleblowing report.
Data processed are the following:
- All personal data contained in the report submitted by the whistleblower and any subsequent documents handled in the concrete case;
- These documents may contain names, contact details and other identifiers of the persons involved.
Data received but not needed for examining the allegations will be erased from the report.

 9.

Time limit for keeping the data

For files that are closed without follow-up, data will be retained for a maximum of 2 months after completion of investigation of the facts alleged in the whistleblower’s report. For files that lead to a follow-up (internal investigations, disciplinary procedure) data will be retained for the period of time stipulated by these follow-up procedures. A final report, containing anonymised data only, may be kept for an unlimited time. EDA may retain anonymous data for statistical purposes. EDA pays particular attention to preserving the anonymity of personal data for these purposes, especially to all the measures necessary to avoid indirect identification.

10. 

Recipients of the data

The recipients are determined on a case-by-case basis. Personal information is transferred only if necessary for the legitimate performance of tasks covered by the competence of the recipient. The recipient of the whistleblowing information, namely the superior, shall transmit it to the Legal Advisor for confidential processing. The identity of the whistleblower and of person(s) named by the whistleblower or other third parties shall be kept confidential. Recipients may be:
  • Head of Unit concerned
  • Legal Advisor
  • Human Resources Unit
  • Investigators
  • Members of the Disciplinary Board
  • Senior Management
  • OLAF in accordance with Article 4.1 of the Decision 16/04 of 22 February 2016.
EDA will ensure, through a case-by-case review, that the transfer of personal data is not automatic but will only take place when and as necessary for the legitimate performance of the tasks under the recipient’s competence. Involvement of staff in the whistleblowing procedure must be strictly limited on a need-to-know basis and only when necessary for the legitimate performance of tasks covered by the competence of the recipient.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data storage by means of paper filing in locked cupboards of authorized recipient(s). Electronic documents are stored in a shared drive with access for authorized person(s) only (password protected). Exchanges of emails are strictly limited to authorised recipients on a need-to-know basis and treated through confidential emails that contain only strictly relevant data. If sensitive information has to be exchanged with the external partners mentioned among the list of recipients, IT shall provide, upon request, certificates (Public/private keys) externally recognised to encrypt and/or sign that information. The personal data are used solely for the purpose for which they were provided, namely the whistleblowing procedure and any subsequent procedures directly triggered by it, such as internal investigations and disciplinary procedures.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-08

2. 

 Reference number

EDA-DPO-44

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

The processor of the data on behalf of the controller is the company B2MATCH GmbH (Vally-Weigl-Gasse 5/4/56, 1100 Vienna, Austria), hosting the web platform collecting and storing the data.

7. 

Purpose of the processing

The data will be collected in a web platform in preparation of Information Days and Brokerage events linked to the Preparatory Action on Defence Research activities. In particular the collection of personal and organisation data will allow:
- participants to register and to indicate the topics of interest;
- the validation/approval of the registrations;
- to keep track of the list of participants for the purposes of the events;
- to facilitate the establishment of bilateral contacts and networking opportunities;
- to distribute any information related to the events.
Registered and approved participants are allowed to use the personal data available in the web platform only for the purposes of the Preparatory Action Events. B2MATCH will process personal data only in order to fulfil the need of the organisation of the Preparatory Action on Defence Research events. The user shall only transmit personal data to B2MATCH in relation to his/her user account. Beyond that, the client shall not transmit to B2MATCH any other personal data.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the individuals who voluntarily register to attend the events, such as:
- Industry representatives from larger companies, SMEs or clusters;
- Defence Industry Associations;
- National or European Research institutes and universities.
Personal data processed are the following:
- Gender;
- First and last name;
- Email, mobile phone;
- Job position;
- Academic title;
- Language(s) spoken;
- Nationality.

 9.

Time limit for keeping the data

Data will be retained for the duration of the Preparatory Action on Defence Research for the purposes outlined above under point 4 and will be used in this period in similar events related to the Preparatory Action. Data is deleted at the latest within 6 months after Preparatory Action on Defence Research activities are finished. B2MATCH is entitled to perform anonymized analysis on transmitted data for statistical purposes.

10. 

Recipients of the data

Personal data entered when signing up will be accessible to all the individuals participating in the event whose registration in the web platform has been validated by EDA. EDA staff and staff of the processor with access to data.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

Norway, which is part of the Preparatory Action, is subject to national law, which guarantees an adequate level of protection.

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. Within the EDA network the data access is limited to the Preparatory Action Staff, IT-Administrators and Security Staff.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-26

2. 

 Reference number

EDA-DPO-45

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

External contractors (e.g. the booking agency or hotel which is hosting the concrete event) may be used to perform certain tasks for the controller. Under EDA General Terms and Conditions all contractors are obliged to ensure data protection compliance when processing personal data.

7. 

Purpose of the processing

The data are collected to obtain all personal data of participants necessary for the preparation, delivery and follow-up of the Consultation Forum for Sustainable Energy in the Defence and Security Sector conferences, creating participant lists and name badges, anonymised statistics, and hotel registrations. Additionally, the data are stored to set up a database that helps to build the network of energy and environment focal points and experts in the defence sector in the framework of the European Defence Energy Network (EDEN) activities. These details are used to engage the individuals in future relevant events.

8. 

Description of categories of persons whose data EDA processes and list of data categories

- Staff from any staff of EDA’s 27 participating Member countries - If there are no objections received from MS: NO, CH, RS, DK, and NATO and NATO ENSEC COE. Industry and academic partners also attend on an ad hoc basis. Data processed are the following: - Last name, First name, Email-address, Telephone number; - Nationality; - Government delegation - Invited guest speaker - Third Choice - Academia representative; - Country, Job Title/Department.

 9.

Time limit for keeping the data

The contact details of participants will be part of a list of contact details shared internally amongst EDA staff for the purpose of contacting the participants in the future in the context of subsequent EDA activities related to the Conference. The data are stored to set up a database and engage the individuals in future relevant events. Data subjects who do not agree with this are invited to contact the controller using the contact information above and explicitly specifying their request at the following mailbox: eden@eda.europa.eu. Data other than contact details will be retained for a maximum period of 6 months after the last conference of the series or after the database is no longer necessary for networking in the Consultation Forum for Sustainable Energy in the Defence and Security Sector as defined under the purposes for this processing operation. Anonymised statistics may be kept beyond the retention period. This is to inform EDA data on participant numbers and analyse the relative success of each of the events.

10. 

Recipients of the data

The internal recipients of the data are the Media and Communication Unit, IT Unit and other Units involved in a specific project or conference. The personal data will not be communicated to third parties unless necessary for the purpose of processing. EDA's contractors are bound by a specific contractual clause under EDA general Terms and Conditions for any processing operations of personal data on behalf of EDA (e.g. the agency or hotel which is hosting the event).

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. Within the EDA network the data access is limited to the ESI Directorate staff and IT-Administrators. EDA external contractors are obliged by the respective contract to adopt appropriate technical and organisational security measures having regard to the risks inherent in the processing and to the nature of the personal data concerned.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-07

2. 

 Reference number

EDA-DPO-46

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

European Commission

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The purpose of the processing operations is the registration, selection and management of external experts on the Participant Portal in the context of the Preparatory Action of Defense Research (PADR). If an expert is selected, he/she gets a contract for activities that involve the evaluation of proposals submitted under annual calls for proposals, monitoring of the implementation of actions, ethics reviews, checks and audit. Moreover, EDA will manage the reimbursement of expenses (travel expenses, etc.), the payment of allowances and fees, where applicable, and the subsequent management of the Experts and their contracts. The processing operation is necessary in order to proceed with the evaluation of project proposals requesting financial support from PADR, to participate as observers in the evaluation and/or to ensure monitoring of the implementation of actions, ethics reviews, checks and audit. External experts may also be contacted by the Controller or their contractors for voluntary surveys.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

The data subjects are natural persons interested in being contracted or appointed by the Controllers, who respond to calls for expression of interest and register as experts through the Participant Portal.

Data processed are the following: the personal data collected and further processed via the Expert Area of the Participant Portal are identification data, contact data, and professional data:

- Identification data: title, first name, family name (current and former), gender, date of birth, nationality & candidature reference;
- Contact details: phone(s), fax and email address, physical address (street, town, post code, country);
- Education: language level, titles of qualifications, subject or field, name of institution, country, and year awarded;
- Area of expertise: specialization, research interest, related keywords;
- Career: Host Institution/organization, current and previous employments (organization name, department sector, job title, employment dates, town or city, country, organization type and size), total number of years of experience related to the field of expertise required, current employment status, experience in the industrial sector (if applicable), information concerning assistance to the European Commission in its research programmes (area of work and dates are mentioned in a free text field). Description of other experience in evaluation, peer review, monitoring, programming, including the name of the organization, year and role, being in possession of a security clearance;
- Publications: title, date of the publication, authorship, name of publisher/journal, keywords. The data can be entered manually or be retrieved via a Digital Object Identifier (DOI) entered into the system.
- Achievements: date, country and nature of achievement, reference for patents;
- Other categories of data: Funding programme for which the expert wishes to be considered, free field where the expert can provide additional information or links of interest (e.g. to CV).
- Researcher ID1 (optional).

The controllers do not need to collect and process special categories of data as defined in Article 10 of Regulation 2018/1725 except in the following specific circumstances:

a) It is needed to acquire extracts of judicial records for the detection of fraud related to the contract or procedures relating to sanctions according to the Financial Regulation and its Rules of Application.
b) The data subjects are free to provide voluntary health-related data due to their special needs in order to be refunded for possible additional costs relating to the subsequent accommodation and travel specificities.

Any controllers' staff member in charge of the processing of health-related data would be subject to the specific obligation of secrecy equivalent to that of a health professional and might be requested to sign a specific professional secrecy declaration, if necessary. Irrelevant or excessive data are not retained by the Controllers.

 9.

Time limit for keeping the data

- For experts not yet selected by a Controller, their personal data are kept for the duration of the related programme's activities for which they have registered.
- For experts selected by EDA, personal data are kept for 5 years after the end of the particular programme on which they provided their services. Should the need arise to acquire extracts of judicial records for the detection of fraud related to the contract or procedure relating to sanctions according to the Financial Regulation and its rules of application, those extracts shall not be kept longer than two years after the accomplishment of the particular procedure. Supporting documents relating to budget implementation are kept for at least five years from the date on which the European Parliament grants discharge for the budgetary year to which the documents relate. The personal data contained in this type of supporting documents shall be deleted where possible when those data are not necessary for budgetary discharge, control and audit purposes. Personal data contained in supporting documents are deleted where possible when these data are no longer necessary for budgetary discharge control and audit purposes. Experts are asked to indicate if they wish that their data be retained in the database of experts beyond this date in order to be considered for assignments for the forthcoming programme. If they do not wish to be considered for future assignments, their data are deleted after the end of the programme.
- For unsuccessful and withdrawn experts, personal data may be retained only for up to 5 years after the end of the particular procedure to allow for all possible appeals.

Anonymous or encrypted data can be retained for a longer period for statistical, historical or scientific purposes. Statistics on experts' nationality, gender, field of expertise for example may be generated during the implementation of the programmes and also after their end, in a form that safeguards the data subject's anonymity. In addition, as referred to above, statistics on experts with contracts (name, first name, candidature number, number of days worked) may be generated during the implementation of the programmes, to comply with the rules on rotation of the experts. These statistics will be retained for the duration of the PADR.

10. 

Recipients of the data

The categories of recipients are:

- EU institutions and bodies;
- Member States;
- Third parties in the European Economic Area (EEA) and in countries for which the Commission has adopted an adequacy decision;
- The public.

For more details, please refer to the "List of recipients", published in the Privacy Statement of the Participant Portal. Disclosure to some categories of recipients requires the prior consent of the data subject.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

In line with Regulation 2018/1725, personal data might be transferred to recipients in third countries or international organisations, provided that the requirements of Articles 46 to 51 are met.

12. 

General description of security measures, where possible.

All data in electronic format (emails, documents, uploaded batches of data, etc.) are stored either on the servers of the European Commission or of its contractors, the operations of which abide by the European Commission's security decision of 16 August 2006 (C(2006)3602) concerning the security of information systems used by the European Commission. Access rights and controls are secured via the European Commission Authentication Service (ECAS) granted to persons authorized to get access to specific documents (call management, grant management, etc.). All stakeholders involved in the evaluation and granting process are reminded to use the personal data received only for the purpose for which they were transmitted and to disregard all irrelevant and excessive data received with the proposals. The personal data is stored in databases and servers that reside on the Controller's premises, the operations of which abide by Council's security regulations as set out in the Council Decision 2013/488/EU. Finally, contractors are bound by a specific contractual clause for any processing operations of personal data on behalf of the Commission and EDA, and by the confidentiality obligations.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

http://ec.europa.eu/research/participants/data/support/legal_notice/h2020-ssps-grants_en.pdf
http://ec.europa.eu/research/participants/data/support/legal_notice/h2020-ssps-experts_en.pdf
http://ec.europa.eu/budget/library/explained/management/protecting/privacy_statement_edes_en.pdf

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-03

2. 

 Reference number

EDA-DPO-47

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Support the EDA CapTech and R&T WGs Activities: A Capability Technology group ("CapTech") or an R&T WG is an EDA working group dedicated to a particular technology area. The core task of such groups is to gather advice from the Member States' experts in order to identify technology gaps and common areas of interest for cooperation. Non-governmental experts are also part of the discussion group, contributing with ideas and the most up-to-date technology trends. The purpose of the processing operation is to provide information to the CapTech Members (industrial and pMS representatives), to support a smooth functioning of the associated EDA working bodies and promote awareness of related activities to maximize synergies and avoid duplication of efforts. Personal data is processed in order to share working documents, distribute information of relevance to the different working bodies, to establish an effective working network of experts and to allow invitation and registration for meetings and/or forums.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

Personal data from the following individuals or groups of people are processed:

- CapTech National Coordinators (CNCs)
- CapTech Governmental Experts (CGEs)
- CapTech Non-Governmental Experts (CnGEs)
- Members of management groups nominated by CNCs to follow CapTech related Studies
- Ad-hoc groups of experts for specific technological areas and/or topics (e.g. attending conferences, workshops, seminars organized by CapTechs, or other DGs, ESA expert groups meetings)

Data processed are the following: Name, Surname, e-mail address, Organization name and type, Role in the organization, Country of work, Nationality, phone number, access rights to EDA tools.

No sensitive data is involved in this processing.

 9.

Time limit for keeping the data

Data will be kept as long as needed to serve the purpose for which they have been gathered or until the data subject indicates that he/she wants the data to be removed. If not needed anymore, the data will be deleted within 12 months.

10. 

Recipients of the data

EDA staff: the internal recipients of the data are the ESI and CAT Unit, the IT and Security Units and other operational Units involved in a specific project. Meeting Participants and members of the CapTech/R&T WG to which the meeting is related. The information will not be communicated to third parties unless necessary for the purpose outlined above.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. Access to personal data within the EDA network is restricted so that only EDA staff can access it, as relevant. EDA external contractors are obliged by the respective contract to adopt appropriate technical and organisational security measures having regard to the risks inherent in the processing and to the nature of the personal data concerned.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-12-10

2. 

 Reference number

EDA-DPO-48 CRM

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The CRM system is designed to compile information on customers across different channels - points of contact between the agency and business partners - and to create a single CRM database which includes all relevant data for customer relations.

8. 

Description of categories of persons whose data EDA processes and list of data categories

- Multiple categories of PoCs from MS (ex: Central, Defence Policy Directors, Deputy Central, EU institutions);
- Other external stakeholders that are in contact with EDA (conferences, meetings, e-newsletters, etc.)

Data processed are the following:

- Personal information (full name, organization, department, job title)
- Contact information (email, phone, fax)
- Address information (street, office, postal code, city, country)
- Roles (representing country, representing organization)

 9.

Time limit for keeping the data

- Data will be kept in the CRM system until the data subject expresses his/her wish to be deleted
- An annual e-mail reminder is sent to all Data Subjects informing them that they are included in EDA’s database and providing the Privacy Statement
- Every e-newsletter sent via the EDA communication database contains an unsubscribe link
- E-mails that are returned to sender will be deleted from the CRM database

10. 

Recipients of the data

- IT Administrators
- EDA Directorate Assistants

The CRM database is integrated with other IT systems; data is therefore sent digitally to the following recipients:

- AppSecStore (subject to a separate Notification)
- EDA Communication Database (subject to a separate Notification)

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures (checkpoints, firewalls, antiviruses) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-12-04

2. 

 Reference number

EDA-DPO-49 AppSecStore

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The purpose of this processing operation is providing external users with access to EDA platforms. The Application Security Store is a database for storing identities, authentication data and authorizations to access EDA applications. It is used to process access requests received by EDA in order to use EDA applications. Accounts from AppSecStore are synchronized with CRM@EDA (Customer Relation Management) and the external Active Directory. Any modification applied in AppSecStore is applied to the Active Directory. The external Active Directory enables the network communication between devices and the functioning of most external EDA software applications (e.g. CODABA, ECP, DTEB, DPOL and others) and provides each legitimate user with valid credentials to the EDA network.

8. 

Description of categories of persons whose data EDA processes and list of data categories

External EDA partners and experts in the defence environment, coming from the government or industrial segment, interested in accessing EDA collaboration platforms.

Data processed are the following:

- Personal information (first name, surname, nationality)
- Contact information (position, employer, telephone, home address, correspondence address).

 9.

Time limit for keeping the data

- Personal data is kept as long as necessary for granting access to the respective platforms;
- The access rights of inactive users (that have not visited EDA applications for more than 6 months) will be temporarily withdrawn (suspended); an email will be sent to notify the user and will contain instructions on how to reactivate their account;
- All inactive accounts for a period of 1 year will be removed from MyEDA and deleted;
- An organisation administrator can remove any member of the organisation using MyEDA portal at any time.

10. 

Recipients of the data

- EDA Project Officers
- EDA IT Unit Application Moderators
- CRM Administrators
- Accredited users with access to the same platform may see the contact details of other users.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-03

2. 

 Reference number

EDA-DPO-50-EXT ACT DIR

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Active Directory (AD) is a core database, which Microsoft Windows Server uses to store information about the users of the system as well as the Microsoft environment. It enables the network communication between devices and the functioning of most External EDA Software applications and EDA work assets. More importantly, AD is used to provide each legitimate user with valid credentials to the EDA network and its resources and to manage their access rights. Active Directory EDA-EXT is synchronised with AppSecStore only in one direction (AppSecStore - AD EDA-EXT), so any modification applied in AppSecStore by any process or administrator is applied to AD EDA-EXT.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

All EDA External stakeholders who need to have access to any EDA collaboration platform. Electronic data on official business coordinates: first name, last name, email, telephone number, title, unit, company and office number. In addition, their credentials to access EDA resources.

 9.

Time limit for keeping the data

- An inactive user (that has not visited EDA applications for more than 6 months): their access rights will be temporarily withdrawn (suspended). An email will be sent to notify the user and will contain instructions to contact EDA administrators or any of the moderators of the application that they had access to, in order to reactivate their account.
- All inactive accounts for a period of 1 year will be removed from MYEDA.
- An organisation administrator can remove at any time any member of the organisation using MYEDA portal.

10. 

Recipients of the data

EDA IT System Administrators

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-03

2. 

 Reference number

EDA-DPO-51

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

Personal data of external participants in regular events organized on EDA's premises are stored and retained for organizational, security and safety reasons. Reports with participants are regularly extracted from the applications. A history of participation in meetings organized by EDA is maintained.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

Data are processed from the following individuals or group of people:

- External visitors
- Any person who needs to enter EDA premises without a permanent badge

Data processed are the following:

- Personal information (full name, birthday, nationality, country of residence, document ID)
- Organization (representing country or organisation, function, role, responsibility)
- Contact information (email, phone, mobile, fax)
- Security (security clearance level, date of clearance required)
- Others (car license, car brand/model, car colour)
- History of attended meetings (day, room, meeting title)

 9.

Time limit for keeping the data

Data are automatically erased from the visitor application after a period of 6 months following the last visit. Reports with participants can be extracted from the applications. A history of participation in meetings organized by EDA is maintained by IT.

10. 

Recipients of the data

- HR/Security;
- EDA Assistants;
- EDA staff responsible for meetings organisation.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Computers are personal, protected by a password. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-12-03

2. 

 Reference number

EDA-DPO-52-EDA Meetings and Conferences

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

External contractors (e.g. the booking agency or hotel which is hosting the specific event) may be used to perform certain tasks for the controller. Under EDA General Terms and Conditions all contractors are obliged to ensure data protection compliance when processing personal data.

7. 

Purpose of the processing

The purpose of the processing of personal data is the management/organization of meetings and conferences, including management of lists of contracts, invitations participants, distribution of minutes/reports, follow-up actions. Personal data are collected and retained in order to facilitate the organization, conduct and follow-up of these events and to provide participants with information, to record the presence of persons at a meeting and to communicate conclusions and reports. EDA organises meetings (e.g. workshops, working groups, conferences, etc.) with externals on a daily basis. Meetings take place in-house and in external locations and may involve both EDA staff and/or external stakeholders from various backgrounds.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or groups of people:
  • external stakeholders participating in meetings / working groups / workshops held by EDA on EDA premises or elsewhere;
  • EDA staff participating in such meetings.

Data processed are necessary for the organization or management of follow-up to a meeting and can include the following:
  • Identification and contact details such as name, position, entity, nationality, telephone number and e-mail address and other identifiers as necessary
  • Photographs, audio or video recording or livestreaming in the context of a meeting (opt-outs possible)

No sensitive data in the meaning of Article 10, Regulation 2018/1725 are processed.

 9.

Time limit for keeping the data

Personal data is kept as long as necessary for the organisation and management as well as for follow-up actions to the meetings with regard to the purposes of the respective processing of personal data. It will be deleted 1 year after the respective meeting, if not needed for network building, setting up databases and follow-up interaction, under specific notified processing operations. The contact details of participants will be part of a list of contact details shared internally amongst EDA staff for the purpose of contacting the participants in the future in the context of subsequent EDA activities related to the Conference. Data subjects that do not agree with this are invited to contact the controller using the contact information above and explicitly specifying their request. Data other than contact details will be retained for a maximum period of 1 year after the last conference of the series or after the database is no longer necessary for networking as defined under the purposes for the relevant processing operation. Data may be stored for longer periods in anonymised forms for historical, statistical or scientific reasons.

10. 

Recipients of the data

The access to all personal data as well as all information collected in the context of this meeting, and the organisation thereof, is granted to a defined number of users, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Union legislation. These users typically are:
  • Organiser of the meeting;
  • EDA staff assigned to the project;
  • Other participants of the meeting;
  • External contractors (if relevant).

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. EDA external contractors are obliged by the respective contract to adopt appropriate technical and organisational security measures having regard to the risks inherent in the processing and to the nature of the personal data concerned.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-23

2. 

 Reference number

EDA-DPO-54-Access to documents

  Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

It is recognised that public access to documents is an essential component of the policy of transparency implemented by the European institutions, bodies and agencies. The personal data of the applicants are used only to manage their requests for access to documents under Regulation 1049/2001.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the applicants, meaning any citizen of the Union and any natural person residing in the Union. Data processed are the following: name, surname, e-mail address, postal address. No sensitive data in the meaning of Article 10, Regulation 2018/1725 are processed.

 9.

Time limit for keeping the data

Data will be retained only for the time needed to perform the task for which they were collected or processed, which in any case should not be longer than 2 years.

10. 

Recipients of the data

The data will be disclosed to:
  • Media and Communications Unit staff;
  • Directors of Directorates, staff members dealing with the preparation of response, Legal Advisor, Deputy Chief Executive, Chief Executive.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. Within the EDA network the data access is limited to MCU staff and IT Administrators.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-29

2. 

 Reference number

EDA-DPO-55-GOVSATCOM

  Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The main objective of the GSC Demo project is to meet the GOVSATCOM demands of cMs and European CSDP actors through a pooled capability (bandwidth/power and/or services) that has been provided by cMs capabilities. In this regard, the Project facilitates provision of excess capability to a pool that would be available for use by other interested contributing Member States, and therefore mitigate their shortfalls. A Project Arrangement Management Group (PAMG) will be set up comprising representatives from the cMs as the decision-making body, in order to govern and manage the GSC Demo Project. Subsequently, EDA will set up the GSC Demo Project Office (GDPO) responsible for the effective coordination and daily activities of the GSC Demo Project. To that end, the communication between the parties (PAMG, GDPO and MS) needs to be enabled and their personal data collected by EDA, shared among other parties to the project and potentially with governmental bodies and governmental controlled Service Providers.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are collected from the following individuals or groups of people:
  • representatives of cMs to the project;
  • representatives of other countries which have signed Administrative Arrangements with EDA and contribute to the Project;
  • representatives of cM's Service Providers and End Users;
  • representatives of participating Member States to EDA, State, Union's institutions or bodies, Organisation or other entity that are not cMs but are invited by the PAMG to observe the activities under the Project Arrangement.

Data processed are the following:
  • Name and Surname;
  • Function and (if representing a private company/Service provider) employer;
  • E-mail address;
  • Address;
  • Telephone number.

 9.

Time limit for keeping the data

Personal data are stored as long as they are valid and substituted when so requested by contributing Member representatives. Due to the nature of the business, EDA will periodically request cMs representatives to confirm that their personal data are still valid and to provide new PoC data representatives if changed. Personal data will be kept as long as needed to serve the purpose for which they have been collected or until the data subject indicates that he/she wants the data to be removed. In any case, the personal data collected, and the database will be deleted at the closure of the Project.

10. 

Recipients of the data

Internal recipients: EDA CAP Directorate/Information Superiority Unit staff member; IT and Security Units staff members; other EDA Operational Units staff members that may be involved in the project. External recipients: Representatives of cMs; Representatives of participating Member States that may join the project.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. Personal data within EDA network are restricted so that only EDA staff can access. Data are stored on the EDA IT infrastructure in a dedicated folder/database, with unlimited access to Controller, Programme Manager and Head of Unit. A replica of this database will be mirrored to a folder on the EDA Collaboration Platform which is EDA web-based collaboration system, only accessible to those cMs participating in the project.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-04

2. 

 Reference number

EDA-DPO-56

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The compilation of overall lists of Experts/PoCs' contact details has been designated to be used by EDA when a need for contact with the Experts/PoCs appears, as well as for the purpose of dissemination of the lists of Experts/PoCs' contact details among themselves to facilitate possible contact and exchange of information between the Expert/PoCs.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

Data are processed from the following individuals or groups of people (1 group for each list):
  1) EDA Defence Acquisition Expert Network (DAEN) members;
  2) EDA SoS Working Group Experts (SoS Experts) and PoCs (SoS PoCs);
  3) EDA REACH Experts Network members, and EDA REACH Task Force members;
  4) EDA ESIF PoCs and deputies (i.e. ESIF Dep PoCs, ESIF RfP PoCs, ESF PoCs, ESF4KSC PoCs);
  5) EDA Defence Industry Expert Network (DIEN);
  6) EDA Defence Supply Chain Network (DSCN);
  7) SME PoCs;
  8) EDA SME Modelling & Simulation Platform

For above lists par 1) to 5) and 7), the data subjects (members of the groups mentioned) are governmental representatives only, either from the MoDs or from other national Ministries, depending on the subject and in Member States' organisational structure and related competencies at national level. For lists 6) and 8), the data subjects (members of the groups mentioned) are industry or other (e.g. Research and Technology Organisations) representatives.

Data processed are the following: Full name and title, address, employer, division, position held, contact details (telephone, mobile, fax and email).

 9.

Time limit for keeping the data

Current contact information of Experts/PoCs available during their tenure. Subsequently, contact information of the person that no longer represents the Member State, or industry entity in the respective group are deleted and replaced by new Expert/PoC nominated, i.e. as decided by subject's Member State or industry entity. If not needed anymore, the data will be deleted within 3 months. No previous versions of the Experts/PoCs lists are kept.

10. 

Recipients of the data

Agency staff members and members (Experts/PoCs) of corresponding groups, as follows (1 list for each group):
  1) EDA Defence Acquisition Expert Network (DAEN) members;
  2) EDA SoS Working Group Experts (SoS Experts) and PoCs (SoS PoCs);
  3) EDA REACH Experts Network members, and EDA REACH Task Force members;
  4) EDA ESIF PoCs and deputies (i.e. ESIF Dep PoCs, ESIF RfP PoCs, ESF PoCs, ESF4KSC PoCs);
  5) EDA Defence Industry Expert Network (DIEN);
  6) EDA Defence Supply Chain Network (DSCN);
  7) SME PoCs;
  8) EDA SME Modelling & Simulation Platform

For above lists par 1) to 5) and 7), the members of the groups mentioned are governmental representatives only, either from MoDs or from other national Ministries, depending on the subject and in Member States' organisational structure and related competencies at national level. For lists par 6) and 8), the members of the groups mentioned are industry or other (e.g. Research and Technology Organisations) representatives.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. Within the EDA network the data access is limited to RTI staff and IT administrators.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-08

2. 

 Reference number

EDA-DPO-58

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

The processors of personal data on behalf of the controller are the companies (a) IdLoom Europe (Tervuren avenue 216, 1150 Brussels, Belgium), hosting the web platform collecting and storing the data, and (b) Nodily Europe (Arsenal site, 4 Rue des Peres Blancs, 1040 Brussels, Belgium), managing the application supporting the activity of matchmaking in view of the brokerage event.

7. 

Purpose of the processing

The data will be collected in a web platform in preparation of InfoDays and Brokerage events linked to the Preparatory Action on Defence Research activities. In particular, the collection of personal data will allow:
  • participants to register and to indicate topics of interest;
  • the validation/approval of the registration;
  • to keep track of the list of participants for the purposes of the events;
  • to facilitate the establishment of bilateral contacts and networking opportunities;
  • to distribute any information related to the events.

Registered and approved participants are allowed to use the personal data available in the web platform only for the purposes of the Preparatory Action events. IdLoom will process personal data only in order to register the participants to the event and to provide them with a confirmation email to their participation. Furthermore, IdLoom will transfer data to Nodily through a secured HTTPS Protocol. Nodily will support the participants in the setup of bilateral meetings. The data subject shall only transmit personal data to IdLoom in relation to his/her user account. Beyond that, the data subject shall not transmit to IdLoom any other personal data.

8. 

Description of categories of persons whose data [EUI] processes and list of data categories

Data are processed from individuals that voluntarily will register to attend the PADR events, such as:
  • Industry representatives from defence-related companies, SMEs or clusters;
  • Defence industry occasions;
  • National or European research institutes and universities.

Personal Data processed are the following:
  • Title;
  • First name;
  • Last name;
  • Email;
  • Job position;
  • Mobile phone;
  • Academic title;
  • Language(s) spoken;
  • Nationality.

 9.

Time limit for keeping the data

Data will be retained for the duration of the Preparatory Action on Defence Research for the purposes outlined above under point 4 and will be used in this period in similar events related to the Preparatory Action. Data stored on EDA servers/computers are deleted at the latest within 6 months after Preparatory Action on Defence Research activities are finished. Once the event or account is deleted, IdLoom stores the data for no more than 2 weeks after this deletion. After this period the data are permanently deleted. Nodily keeps data for statistical purposes (data subjects may also access historical data on past events and activities, such as meetings, private messages, contacts, etc.). If the Nodily account is closed by the data subject, all personally identifiable information about the data subject will be removed from Nodily servers.

10. 

Recipients of the data

Personal data entered when signing up will be accessible to all the individuals participating in the event, whose registration in the web platform has been validated by EDA. EDA staff and staff of the processor with access to the data.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

Norway, which is part of the Preparatory Action, is subject to national law that guarantees an adequate level of protection.

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. Within the EDA network the data access is limited to the Preparatory Action Staff, IT-Administrators and Security Staff.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-22

2. 

 Reference number

EDA-DPO-59

  Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The PESCO Common Workspace (CWS) is a web-based tool designed to support participating Member States in sharing information on PESCO Projects and Project Proposals. The Application is restricted to governmental users representing PESCO participating Member States and to governmental authorities representing the PESCO Secretariat. Personal data are processed in order to allow participation and to provide information to the PESCO CWS user community.

8. 

Description of categories of persons whose data EDA processes and list of data categories

The users are managed through Security Groups in AppSecStore:
  • PESCO CWS Country Administrator
  • PESCO CWS Local Administrator
  • PESCO CWS Publisher
  • PESCO CWS Reader
  • PESCO ECP Austria
  • PESCO ECP Belgium
  • PESCO ECP Bulgaria
  • PESCO ECP Croatia
  • PESCO ECP Cyprus
  • PESCO ECP Czech Republic
  • PESCO ECP Estonia
  • PESCO ECP Finland
  • PESCO ECP France
  • PESCO ECP Germany
  • PESCO ECP Greece
  • PESCO ECP Hungary
  • PESCO ECP Ireland
  • PESCO ECP Italy
  • PESCO ECP Latvia
  • PESCO ECP Lithuania
  • PESCO ECP Luxembourg
  • PESCO ECP Netherlands
  • PESCO ECP Poland
  • PESCO ECP Portugal
  • PESCO ECP Romania
  • PESCO ECP Slovakia
  • PESCO ECP Slovenia
  • PESCO ECP Spain
  • PESCO ECP Sweden

The total number of users is currently 300 and subject to daily change. We process the following data on every person who opens a user account: Name, E-Mail, Phone, Mobile, Address (Street, Postalcode, City), Employer. The data processed are not sensitive personal data in the sense of Article 10 of Regulation 2018/1725.

 9.

Time limit for keeping the data

Data will be retained for the duration of the specific PESCO project and will be deleted one month after the end of the project. Data might be stored for longer periods if users retain their EDA Account in AppSecStore.

10. 

Recipients of the data

EDA Administrators of the PESCO CWS (role is managed by the PO CDP & CODABA) have access to all PESCO CPWS user data. All PESCO national PoCs have access to all personal data of other users of their country. All Users of the PESCO CWS have access to contact details (E-Mail Address and Telephone number) of all PESCO national PoCs. All Participants or Observers of a PESCO Project have access to the contact details (E-Mail Address, and if provided Tel.) of the PoCs to this project of the participating or observing Member States. All PESCO CWS users may contact any other PESCO CWS users. By sending a message through the PESCO CWS, the user discloses his/her e-mail address to the other user and may be contacted by this other user through e-mail.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

The measures implemented in the framework of AppSecStore and ECP are applicable also in this case, namely firewalls, checkpoints, antivirus, in order to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 
Records and compliance checklist

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-22

2. 

 Reference number

EDA-DPO-60

  Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The Framework Nations Concept Digital Workspace (FNC DWS) is a web-based tool designed to support participating Member States in sharing information on FNC Clusters and Larger Formations. The application is restricted to governmental users representing FNC participating Member States and to governmental authorities that are participants and/or observers to FNC. Personal data are processed in order to allow participation and to provide information to the FNC DWS user community.

8. 

Description of categories of persons whose data EDA processes and list of data categories

The users are managed through Security Groups in AppSecStore:
  • FNC Country Administrator
  • FNC Local Administrator
  • FNC Publisher
  • FNC Reader

And the ECP Workspaces to the following FNC Clusters and Larger Formations:
  • FNC Cluster Command and Control / Support - Logistics
  • FNC Command and Control / Support - CBRN
  • FNC Command and Control / Support - CIMIC
  • FNC Cluster Command and Control / Support - Mission Networks
  • FNC Command and Control / Support - Medical Support
  • FNC Cluster Effects - Air C2 - Subcluster Joint Forces Air Component (JFAC)
  • FNC Cluster Effects - Air C2 - Subcluster Tactical Air Command and Control Training Centre (TACCTC)
  • FNC Cluster Effects - Anti Submarine Warfare (ASW)
  • FNC Cluster Effects - Deployable Airbase Activation Modules (DAAM)
  • FNC Cluster Effects - Joint Fire Support (JFS)
  • FNC Cluster Protection - AMD - Subcluster Upper Layer (UL)
  • FNC Cluster Protection - AMD - Subcluster Lower Layer (LL)
  • FNC Cluster Protection - AMD - Subcluster Short Range Air Defence (SHORAD)
  • FNC Cluster Operations Support - JISR - Subcluster MPA
  • FNC Cluster Operations Support - JISR - Subcluster RPAS
  • FNC Cluster Operations Support - JISR - Subcluster Coalition Shared Data (CSD)
  • FNC Cluster Operations Support - GeoMETOC Support
  • FNC Cluster Command and Control / Support - Multinational Helicopter Unit
  • FNC Cluster Command and Control / Support - Multinational Air Transport Unit
  • FNC Cluster Command and Control / Support - Multinational Basic Helicopter Training
  • FNC Cluster Effects - Multinational Air Manoeuvre Training Center
  • FNC Cluster Effects - Naval Mine Warfare
  • FNC Cluster Effects - Military Engineering
  • FNC Cluster Command and Control / Support - Multinational Military Police
  • FNC Cluster Command and Control / Support - Enhanced Host Nation Support (eHNS)
  • FNC Larger Formations - Land Divisions
  • FNC Larger Formations - Multinational Air Group (MAG)
  • FNC Larger Formations - Baltic Maritime Component Command (BMCC)
  • FNC Larger Formations - Multinational Medical Coordination Centre (MMCC)
  • FNC Larger Formations - Joint Logistics Support Group Headquarter (JLSG HQ)

The total number of users is currently 100 and subject to daily change. We process the following data on every person who opens a user account: Name, E-Mail, Phone, Mobile, Address (Street, Postalcode, City), Employer. The data processed are not sensitive personal data in the sense of Article 10 of Regulation 2018/1725.

 9.

Time limit for keeping the data

Data will be retained for the period of the conduct of the specific FNC clusters and larger formations and will be deleted one month after the end of the cluster/larger formation activity. Data might be stored for longer periods if users retain their EDA Account in AppSecStore.

10. 

Recipients of the data

EDA Administrators of the FNC DWS (role is managed by the PO CDP & CODABA) have access to all FNC DWS user data. All FNC DWS national PoCs have access to all personal data of other users of their country. All Users of the FNC DWS have access to contact details (E-Mail Address and Telephone number) of all FNC DWS national PoCs. All Participants or Observers of FNC DWS have access to the contact details (E-Mail Address, and if provided Tel.) of the PoCs to this project of the participating or observing Member States. All FNC DWS users may contact any other FNC DWS users. By sending a message through the FNC DWS, the user discloses his/her e-mail address to the other user and may be contacted by this other user through e-mail.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

The measures implemented in the framework of AppSecStore and ECP are applicable also in this case, namely firewalls, checkpoints, antivirus, in order to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-11-22

2. 

 Reference number

EDA-DPO-61

  Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The Capability Development Plan (CDP) - Tool is a web-based tool designed to support participating Member States in sharing information on EU Capability Development. The Application is restricted to governmental users representing EDA participating Member States and to governmental authorities representing the EU (EC, EUMS, EUMC). Personal data are processed in order to allow participation and to provide information to the CDP-Tool user community.

8. 

Description of categories of persons whose data EDA processes and list of data categories

The users are managed through Security Group CDP Reader in AppSecStore. We process the following data on every person who opens a user account: Name, E-Mail, Phone, Mobile, Address (Street, Postal code, City), Employer. The data processed are not sensitive personal data in the sense of Article 10 of Regulation 2018/1725.

 9.

Time limit for keeping the data

Data will be retained for the duration of validity of the CDP 2018 and will be deleted once the CDP is revised (expected not earlier than 2020). Data might be stored for longer periods if users retain their EDA Account in AppSecStore.

10. 

Recipients of the data

EDA Administrators of the CDP-Tool (role is managed by the PO CDP) have access to all CDP user data. All CDP national PoCs have access to all personal data of other users of their country. All Users of the CDP-tool have access to contact details (E-Mail Address and Telephone number) of all CDP national PoCs.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

The measures implemented in the framework of AppSecStore and ECP are applicable also in this case, namely firewalls, checkpoints, antivirus, in order to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2018-12-11

2. 

 Reference number

EDA-DPO-62

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

To ensure communication between all parties involved in the project, there is a need for EDA to collect personal data so it can be shared among all parties as described below. The main objective of the EU SatCom Market project is to efficiently and cost effectively provide Contributing Members with an option to commercially source Satellite Communications (SatCom) as well as wider Communication and Information Systems (CIS) services through the European Defence Agency (EDA). A Joint Procurement Arrangement Management Group (JPAMG) is set up comprising representatives from the Contributing Members and EDA which supports decision making for the project. In addition, contracted services providers and supporting EU bodies form part of the support needed to manage the project, as do interested Member States and EU bodies who have not yet joined, in order to support a further expansion of the project.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are collected from the following individuals: contributing members' points of contact and their deputies, points of contact of representatives of other Member States or EU bodies who have shown an interest to join the project, contracted services providers' points of contact, EDA project management. Data processed are the following for each individual: Rank; Name and Surname; email address; phone number; Function (nationality and employer).

 9.

Time limit for keeping the data

Personal data will be kept as long as needed to serve the purpose for which they have been collected or until the data subject indicates that he/she wants the data to be removed. In any case, the personal data collected and the database will be deleted at the closure of the Project.

10. 

Recipients of the data

Internal recipients: EDA ISE Directorate/Operations, Exercise and Training Unit staff members; IT and Security Units staff members; other EDA Operational Units staff members that may be involved in the project. External recipients: contributing members; contracted services providers, supporting EU bodies and representatives of participating Member States that may join the project.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA. Personal data within the EDA network are restricted so that only EDA staff can access them. Data are stored on the EDA IT infrastructure in a dedicated folder/database, with unlimited access for the Controller, Programme Manager and Head of Unit. A replica of this database will be mirrored to a folder on the EDA Collaboration Platform, which is EDA’s web-based collaboration system, only accessible to participating members, contracted service providers and Member States/EU bodies who have shown an interest to join.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-21

2. 

 Reference number

EDA-DPO-64

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

To rapidly reach EDA staff members, SNEs, trainees and interim staff (referred to as “EDA personnel”), including outside working hours, in case of an emergency or crisis. The telephone cascade is an essential communication system to effectively implement the Agency’s Business Continuity Plan (published on EDA Portal).

8. 

Description of categories of persons whose data EDA processes and list of data categories

The data processed under this operation include mobile telephone numbers of EDA personnel. No sensitive data in the meaning of Article 10, Regulation 2018/1725 are processed.

 9.

Time limit for keeping the data

Personal data is retained until the EDA personnel member leaves the Agency, or until he/she requests that the personal data be deleted.

10. 

Recipients of the data

The access to all personal data as well as all information collected in the context of the telephone cascade procedure is granted to a defined number of users. These users typically are:

  • CSD Director;
  • HR unit;
  • Security and Infrastructure unit;
  • Person performing a role in the Agency’s Business Continuity Plan (e.g. Crisis Management Team - "CMT").

Mobile numbers will not be transferred or transmitted to other users outside of the Agency.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

No.

12. 

General description of security measures, where possible.

Data will be processed in accordance with the high security standards established by EDA as regards the security of IT tools. Mobile telephone numbers are registered in the HR database which is IT-based and accessible only to authorised staff.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-28

2. 

 Reference number

EDA-DPO-65

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The processing of personal data is necessary in order to establish whether a staff member failed to comply with his or her obligations under the EDA Staff Regulations and, where appropriate, impose a disciplinary penalty in accordance with them.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or groups of people: The staff member being investigated (present and former staff engaged under contract by the EDA as defined under Article 1.1 of the Staff Regulations), witnesses, third parties (persons merely quoted in the file) and alleged victims (of psychological or sexual harassment for instance). Data processed are the following: Title, first name, surname, date of birth and function; The behaviour, action or inaction of the person subject to an administrative inquiry and/or a disciplinary procedure; The personal data related to the outcome of the procedure for the person concerned, e.g. penalties, financial liability; As the case may be, the penalty imposed on the person concerned; Information regarding third parties (witnesses, informants); Sensitive data in the meaning of Article 10; In some cases, the processing of personal data, such as health data or data regarding the civil status of the persons involved in the inquiry, might also be necessary.

 9.

Time limit for keeping the data

Pre-inquiry file: maximum retention period of two years after the adoption of the decision that no inquiry will be launched. This maximum retention period could be necessary for audit purposes, access requests from affected individuals and complaints to the Ombudsman.

Inquiry file: When the Agency launches an inquiry including the collection of evidence and interviews of individuals, there could be three possibilities: i) the inquiry is closed without follow-up, ii) a caution is issued or iii) the AACC adopts a formal decision that a disciplinary proceeding should be launched. For cases i) and ii), a maximum period of five years from closure of the investigation is a necessary retention period, taking into account audit purposes and legal recourses from the affected individuals. For case iii), the Agency transfers the inquiry file to the disciplinary file, as the disciplinary proceeding is launched on the basis of the evidence collected during the administrative inquiry.

Disciplinary file: taking into consideration the nature of the sanction, possible legal recourses as well as audit purposes, the maximum retention period after the adoption of the final Decision is 10 years.

No personal data is kept for historical, statistical or scientific purposes. Only aggregated data (e.g. list of open and completed cases) will be used for statistical purposes.

10. 

Recipients of the data

EDA Chief Executive, Senior Management, Director Corporate Services, Head of Human Resources, appointed Investigators, Legal Advisor/DPO; Disciplinary board, in the event where a disciplinary procedure is opened; Authorised staff of the Human Resources Department, for filing and including the final disciplinary decision in the personal file. OLAF in accordance with Decision 16/04 of 22 February 2016. EDA will ensure, through a case-by-case review, that the transfer of personal data is not automatic but will only take place when and as necessary for the legitimate performance of the tasks under the recipient’s competence. Involvement of staff must be strictly limited on a need-to-know basis and only when necessary for the legitimate performance of tasks covered by the competence of the recipient. Any recipient of the data shall be reminded of their obligation not to use the data received for other purposes than the one for which they were transmitted.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A

12. 

General description of security measures, where possible.

Personal and disciplinary files are stored in secure cupboards within the Human Resources Unit accessible only to authorised persons. Access to personal and disciplinary files of the staff member concerned is limited to the data subject and to EDA personnel specifically authorised to have access to personal files, i.e. the authorised HR staff, the internal auditor, the members of the College of Auditors and the AACC. The data subject does not have direct access. The personal file and/or disciplinary file is taken out of the secure cupboard by the authorised staff member and handed to the data subject for consultation on the spot. Electronic files will be stored in the shared drive with access restricted to authorised HR persons and the legal adviser. Exchange of emails shall be strictly limited to authorised recipients on a need-to-know basis and treated through confidential emails that contain only strictly relevant data. If sensitive information has to be exchanged with the external partners mentioned among the list of recipients, IT shall provide, upon request, externally recognised certificates (public/private keys) to encrypt and/or sign that information.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-01-30

2. 

 Reference number

EDA-DPO-66

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N.A.

6. 

Name and contact details of processor (where applicable)

N.A.

7. 

Purpose of the processing

The Collaborative Database (CODABA) is primarily a web based system / operated database for defence inventory, requirements, plans and programmes. It is a non-binding platform for participating Member States’ capability development which allows for improved harmonisation in capability planning of participating Member States. Personal data is processed in order to allow participation and to provide information to the CODABA user community. User registration for an EDA Account is carried out according to the form provided at https://registration.eda.europa.eu. The user is required to enter personal data and information on the organisation the user belongs to.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Users of CODABA. Users are managed through the security groups starting with CODABA in AppSecStore. Data processed are the following: Name, e-mail, phone, mobile, address (street, postal code, city), employer.

 9.

Time limit for keeping the data

Time for the validity of the user's access to CODABA. The data will be deleted 1 day after the access rights to CODABA are removed. Data might be stored for a longer period if users retain their EDA Account.

10. 

Recipients of the data

EDA Administrators and EDA Administrative Assistants of CODABA (roles are managed by the PO CDP & CODABA) have access to all CODABA User data. All CODABA Users have access to names and organisations of users who are national PoCs or PoCs to one or more CODABA records.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

Data could be transferred to CH, NO and RS on the basis of the existing administrative arrangements. Additionally, data could be transferred to OCCAR on the basis of the respective administrative arrangement.

12. 

General description of security measures, where possible.

The measures implemented in the framework of AppSecStore and EDA SharePoint are applicable also in this case, namely firewalls, checkpoints, antivirus, in order to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be preserved. Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-05-07

2. 

 Reference number

EDA-DPO-67

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

It is an internal EDA advertising service for renting, buying, selling and looking for property, goods and services or community activities. The staff's contact data are needed to be able to get in touch about an item advertised.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data subjects are EDA staff, including in some cases respective spouses/partners and/or third parties who can include their contact details, such as phone number, e-mail addresses, their home addresses, etc. Besides EDA staff, these can also be contact details of their spouses/partners or third parties, such as a landlord of an apartment to rent.

 9.

Time limit for keeping the data

The data should be deleted as soon as the ad expires because the goods have been bought, service rendered, etc. and on any account not retained more than a year after publication.

10. 

Recipients of the data

EDA staff

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

No

12. 

General description of security measures, where possible.

The measures implemented in the framework of EDA Office365 (including SharePoint Online) are applicable also in this case, namely firewalls, checkpoints, antivirus, to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be preserved. Such measures have been taken in particular to prevent any unauthorized disclosure or access and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-06-28

2. 

 Reference number

EDA-DPO-68

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

To contact journalists

8. 

Description of categories of persons whose data EDA processes and list of data categories

Data of journalists processed are the following: first name, last name, phone number, email, name of the organisation – media, country/city of work, Twitter handle.

 9.

Time limit for keeping the data

6 years

10. 

Recipients of the data

Media & Communication Unit staff members and, only when necessary, IT staff members.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

No

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, others). Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-06-27

2. 

 Reference number

EDA-DPO-69

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

The EDA has contracted the company Hudson Belgium Nv to carry out the 360° feedback exercise. Hudson Belgium Nv, Marcel Thirylaan 75, 1200 Sint-Lambrechts-Woluwe, Belgium, registered under company number 0459165435.

7. 

Purpose of the processing

The 360° feedback exercise is a professional developmental tool. The purpose of the processing is to allow managers participating in the exercise/programme to obtain feedback on their management and leadership skills from a number of respondents through an online survey with a view to increasing their awareness about their strengths and about the areas that could be further developed. The results are compiled in one single report which is the basis for a series of confidential discussions between the participating manager, his/her manager and a human resources expert from Hudson and acts as a starting point for further professional development. The data will not be used in any form of evaluation (appraisal) process of any of the persons involved. The legal bases of the procedure are EDA Staff Regulations (Article 30§1), EDA learning and development framework and EDA Internal Control Standards.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Subjects participating in the 360° Feedback Programme are considered as data subjects:

  • The participating manager (Director, Deputy Directors and Heads of Unit);
  • The hierarchical superior(s) of the participating manager;
  • Peers of the participating manager;
  • Subordinates of the participating manager;
  • Internal stakeholders.

Data processed are the following:

  • Identification and contact details: name and email address;
  • Personal characteristics: gender (for participating managers only);
  • Professional data: category of respondent (participating managers, managers, peers, team members, internal stakeholders).

 9.

Time limit for keeping the data

Personal data collected for this processing operation is retained only as long as necessary for the organisation of the exercise (name, gender (for participating managers only), category of respondent (peer, etc.) and e-mail address) and as long as participants pursue follow-up actions in relation to the 360° Feedback Programme or until the next time the manager participates in the 360° Feedback Programme with a maximum of three years. EDA may retain anonymous data for statistical purposes. EDA pays particular attention to preserving the anonymity of personal data for these purposes, especially to all the measures necessary to avoid indirect identification. Data obtained as part of the on-line survey are stored in electronic form on servers in the European Union maintained by Hudson Belgium Nv. The processor will delete the data it holds for the purposes of this processing operation as soon as the exercise is terminated (end of contract with controller).

10. 

Recipients of the data

The Controller (HR Unit - staff in charge of L&D activities) will have access to the data referred to under point 4. In addition, the processor (Hudson Belgium Nv) will also have access to replies to the questions as set out in the questionnaire sent to participants and respondents. Lastly, the data subject (participating manager) will have access to the full report with the anonymous aggregated results per competency cluster, per competency and per respondent group, including a graph with the overall score per competency; all answers to the open questions, reproduced verbatim; an overview of three competencies which would most benefit from further development. NB: The full report and detailed findings are discussed between the external consultant and the participant alone during the debriefing session. The report is not shared with the manager of the participating manager. The report belongs exclusively to the participant and only the participant can decide to share it with others. The participant’s manager will be involved in the initial part of the 2-hour Personal Development Plan session in order to involve the manager as a support in the further development process (to provide feedback on behaviours, to discuss development actions, to offer development opportunities, etc.) and to embed learning in the work place.

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

No

12. 

General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, etc.). Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. In view of the risks related to the processing of personal data, Hudson Belgium has built in security mechanisms as documented in the ‘Hudson Belgium R&D tools SAAS Technical Information’ document.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

 

Nr.

Item

 Explanation

 

Header - versioning and reference numbers (recommendation: publicly available)

 

1.

 Last update of this record

2019-07-23

2. 

 Reference number

EDA-DPO-70

 

Part 1 - Article 31 Record (recommendation: publicly available)

3. 

Name and contact details of controller

European Defence Agency

Rue des Drapiers 17-23

B-1050 Brussels

Belgium

4. 

Name and contact details of DPO

Clarisse Ribeiro
dataprotection@eda.europa.eu

5. 

Name and contact details of joint controller (where applicable)

N/A

6. 

Name and contact details of processor (where applicable)

N/A

7. 

Purpose of the processing

The purpose of this processing operation is to provide external users with access to the EDA platform specified above. The EMAPSIX Identity Server uses a database for storing authentication data. It is used to process login requests from users, and it provides each legitimate user with valid credentials to the EMAPSIX AD Repository. User data from the EMAPSIX Identity Server is synchronized with the EMAPSIX Airworthiness Directive Repository. Within the EMAPSIX AD Repository, user data is stored together with information about the user's organisation and roles to determine their eligibility to access the data provided within the application by any Organisations of EDA pMS and third parties. The relation between User data, User organisation and their roles is subject to accreditation and validation by Organisation Moderators. Organisation Moderators receive data only from Data Subjects who have declared these organisations as their User Organisations.

8. 

Description of categories of persons whose data EDA processes and list of data categories

Individuals representing any public or private Organisation with justifiable interest in accessing military airworthiness data shared by EDA Member States. Data processed are the following:

  1. First name and surname, nationality
  2. Email
  3. Nationality
  4. Employer

 9.

Time limit for keeping the data

Data will be kept as long as the data subject needs to access EMAPSIX AD Repository. Inactive members will be deleted once every 12 months.

10. 

Recipients of the data

  • EDA Project Officers
  • EDA IT Unit Application Moderators
  • Organisation Moderators

11. 

Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

No

12. 

General description of security measures, where possible.

EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.

13. 

For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement:

Additional information is available by following the link to privacy statement here.

  
