Regulation (EU) No 2018/1725 of the European Parliament and of the Council (hereinafter Regulation 2018/1725) provides a layered approach to guaranteeing data protection in the institutions and bodies: EDA, its controllers, the Data Protection Officer (DPO) and the European Data Protection Supervisor (EDPS) all contribute to the application of the Regulation at the Agency. EDA protects the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data (Article 1.1 of Regulation No 2018/1725).

Data protection – Definitions & general principles

What is personal data?

Any information about a natural person (i.e. a human being) can be personal data. If an individual is identified by name, or by an identifier, it is likely that the information processed is personal data. An identifier could be an identification number or one or more specific factors specific to the individual's physical, psychological, mental, economic, cultural or social identity.

Personal data may include names, dates of birth, photographs, email addresses or other details such as identity numbers. Sounds recording or images are also personal data, if a person can be identified. The processing of such data needs to be justified by reference to a specific purpose.

Some categories of personal data require special attention; these are:

  • Data revealing racial or ethnic origin;
  • Political opinion;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Data about health and sex life.

Personal data in the form of paper records as well as data processed by electronic means are subject to the Regulation.

Personal data are to be kept for a period no longer than necessary for carrying out the purpose for which they were collected.

What is a processing operation?

Almost anything that can be done to personal data constitutes a processing operation. Collecting, storing, consulting, diffusing data are all examples of kind of processing, as are erasing or destroying data.

Data processing may be justified by either necessity – to carry out a contract or meet a legal obligation – or by the consent of the data subject. The data processed must be up to date, adequate, relevant and not excessive for the purpose of processing which must be determined in advance of collection. Unless a change of purpose is explicitly authorised by internal rules, the purpose of processing may not be altered subsequently. As well as ensuring that data are up to date, the data controller must allow data subjects to access their data.

What information shall be given to the data subjects whose personal data are being processed?

The data controller has to give certain information when data are collected. This information includes the identity of the data controller, the purpose of the processing, any recipients of the data, and the existence of the rights of access and of rectification.

The EDA Data Protection Officer keeps a register of processing operations, based on records received from data controllers. This register enables data subjects to find out which administrative entity is keeping what information about them.

Transmissions & transfer of personal data

Under certain conditions, personal data may be transmitted within the same Union institution or body, or to other institutions or bodies. Personal data maybe also transmitted to recipients either within or established in the Union other than the institutions of the European Union.

Special conditions apply when data are transferred to third countries and international organisations.

Rights and obligations

The data subject enjoys certain rights and the data controller has certain obligations under the Regulation.

What are my rights as a data subject?

The rights granted to data subjects are the cornerstone of the data protection Regulation.

The rights include:

  • Access to your personal data, free of charge, and without constraint, within three months;
  • Rectification of inaccurate or incomplete personal data;
  • Blocking data processing in certain circumstances;
  • Erasure of unlawfully processed data;
  • The right to object to a processing operation on compelling grounds; 
  • Right to data portability.

To exercise your rights, address yourself directly to the data controller.

You may also consult the EDA Data Protection Officer for an opinion on processing operations either concerning you or carried out by you. Please refer to the contact details at the end of this site.

What are my obligations as a data controller?

The data controller's primary duty is to identify personal data processing operations he or she carries out and to notify them to the Data Protection Officer. Records should take place before the operation is undertaken. Operations already in place should be notified as soon as possible.

As mentioned previously, the data controller also has a responsibility to furnish certain information to data subjects. The data controller must also facilitate data subjects' access to their data and their exercising other rights such as rectification and erasure.

The data controller must also ensure that appropriate security measures are in place, and issue appropriate instructions to ensure confidentiality if data are processed by others (for example, by a sub‐contractor).

Furthermore, in the event of a transfer of data, the controller has to check that requirements of the Regulation (such as the necessity of the transfer) have been met.

How to submit a record?

The records are filled in electronically. Submitted records to the DPO can be found on the data protection page of the EDA's site, once they are approved by the DPO.

What remedies do I have?

If you think that your rights have been infringed you may lodge a complaint directly with the European Data Protection Supervisor.

In the absence of a response within six months, it is possible to bring an action, including claims for damages, before the Court of Justice of the European Union.

For more detailed information, please consult the web site of the European Data Protection Supervisor (see ‘Quick Links’ or contact details below).

Further information and contact details

The EDA’s Head of the Legal Office, Legal Advisor / Data Protection is Mr Pedro Rosa Plaza. Please do not hesitate to direct any questions or queries concerning data protection to the DPO by email under

EDA Head of the Legal Office, Legal Advisor / Data Protection

Mr Pedro Rosa Plaza
Tel.: +32 2 789 71 78
European Defence Agency
Rue des Drapiers 17-23 
B-1050 Brussels


European Data Protection Supervisor
Mr Wojciech Wiewiórowski
Tel.: +32 2 283 19 00
Rue Wiertz 60 
B-1047 Brussels