News, events, publications

DETAILS OF REGISTER

EDA-DPR-090- Defence Innovation Course (DEFIC)

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 19-03-2026
2. Reference number EDA-DPR-090
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
Belgium
4. Name and contact details of DPO

Data Protection Officer

[email protected]
5. Name and contact details of joint controller (where applicable)
N/A
6. Name and contact details of processor (where applicable)
Capgemini Belgium NV
1831 Machelen, Belgium
7. Purpose of the processing
The European Defence Agency (EDA) is implementing the Defence Innovation Course (DEFIC), a training initiative aimed at strengthening innovation management capabilities within EU Member States’ defence organisations.
In the context of this project, EDA collects and processes personal data of stakeholders participating in questionnaires and interviews to support the needs analysis and the development of the training programme. The consultation aims to:
• identify current practices, challenges, and training gaps in defence innovation management;
• gather expert input to inform the design of the course curriculum, training materials, and delivery format;
• support the preparation of reports and recommendations related to the DEFIC project.
8. Description of categories of persons whose data EDA processes and list of data categories
(a) Data subject categories:
Stakeholders participating in the consultation activities:
• Representatives of EU Member States’ Ministries of Defence or related public authorities
• Representatives of EU institutions, bodies and agencies
• Representatives of international organisations
• Representatives of industry, research and technology organisations (RTOs), and academia
• Subject matter experts involved in defence innovation policy or implementation

 

(b) Data categories processed:

The categories of personal data processed may include:
• Title
• First name
• Last name
• Organisation and organisational affiliation
• Country / location of the organisation
• Job title or professional function
• Professional contact details (e.g. email address & phone number)
• Professional opinions, views, and expertise voluntarily shared during interviews or questionnaires on DEFIC topics
No special categories of personal data are processed.
9. Time limit for keeping the data

Personal data collected in the context of questionnaires and interviews will be retained only for the time necessary to carry out the consultation and analysis activities related to the DEFIC project and will be deleted once these activities are completed.

Limited indirect identifiers may be retained up to five years after the implementation of the associated budgetary commitments in accordance with the EDA financial rules (Council Decision 2016/1335).

A final report, containing anonymised data only may be kept for an unlimited time, for statistical purposes.
10. Recipients of the data

The recipients are:

  • Authorised EDA staff members responsible for the DEFIC project;
  • The data Processor, contracted to support the implementation of the project (Capgemini Belgium NV) and its authorised personnel acting on behalf of EDA.

The Processor, entrusted with processing personal data only for the purpose described in this notice and in accordance with contractual obligations towards EDA.

Personal data will not be disclosed to third parties outside the project unless required by law.

Only aggregated and anonymised information will be used in reports and project deliverables.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
N/A
12. General description of security measures, where possible.

Personal data may be collected and processed through:

  • online questionnaires or surveys;
  • structured or semi-structured interviews;
  • focus group;
  • electronic communication tools (e.g. email, online meeting platforms, collaboration tools).

Data are stored in secure information systems and restricted project workspaces.

EDA has implemented appropriate technical and organisational security measures (including access control, firewalls, and antivirus protection) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.

EDA contractors are contractually obliged to adopt appropriate security measures when processing personal data on behalf of the Agency.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.