
EDA-DPR-011 - Internal Audit

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and Part 1 should be publicly available; Part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
No. Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 19-08-2022
2. Reference number EDA-DPR-011 - Internal Audit
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection: Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The Internal Auditor (IA) is responsible for the internal audit process within EDA. The IA advises the Agency on dealing with risks by issuing independent opinions on the quality of management and control systems and by issuing recommendations for improving the conditions of implementation of operations and promoting sound financial management. The IA carries out audits and systems-based reviews and operates in accordance with professional internal auditing standards. In accordance with the applicable financial rules and the Charter for the EDA Internal Audit, the IA enjoys unrestricted access to all functions, records, property and personnel. The IA obtains the necessary assistance of Agency personnel when performing audits, as well as other specialised services from within or outside the Agency. The necessary assistance is provided by various services, such as the Senior Management secretariat, the IT Unit and the HR Unit. In the course of this work, the IA processes personal data (mostly by consultation and retrieval and, in audit reports, potential disclosure of personal data).
8. Description of categories of persons whose data EDA processes and list of data categories

Data subjects can include any individual or group of people whose data is collected and retained in the context of an internal audit, including, for example:

  • EDA staff on issues related to personnel files;
  • EDA auditees on issues related to procurement and management of projects;
  • External parties on issues related to the procurement of projects and the services provided.

Depending on the nature and scope of the audit, the IA has full access to the data relevant to the audit exercise. Access to the necessary information includes the possibility of cross-referencing data collected from various sources across different databases, provided that this serves the purpose of the specific audit. In the course of these duties the IA will process (i.e. handle) personal information of the kinds described above. However, for the most part the information presented in the final annual audit reports is anonymised.

9. Time limit for keeping the data
The IA of EDA retains personal data for a maximum period of two years following the conclusion of the audit.
10. Recipients of the data
The processing is used to produce the IA annual report, which is delivered to the Chief Executive and presented to the Agency's Management Board (AMB) in accordance with the EDA Financial Rules. The IA submits to the Agency an annual internal audit report indicating the number and type of internal audits carried out, the recommendations made and the action taken on those recommendations. However, as noted above, the IA annual report is, as a rule, presented in anonymised form. Each year the Chief Executive forwards a report to the Steering Board summarising the number and type of internal audits carried out, the recommendations made and the action taken on those recommendations. This report contains no personal data.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
It is the sole responsibility of the IA to ensure that data and reports are stored in a secure locker to which only the IA has access.
13. For more information, including how to exercise your rights of access, rectification, objection and data portability (where applicable), see the privacy statement.
Additional information is available in the privacy statement.