News, events, publications

EDA-DPR-012 - Access control - AEOS Access Control to EDA premises

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 19-08-2022
2. Reference number EDA-DPR-012 - Access control - AEOS Access Control to EDA premises
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing

This set of processing operations related to the functions of the AEOS Access Control System has the purpose of ensuring the physical protection and security of buildings and staff. They furthermore serve the following specific purposes:

  • to manage the access badges for EDA staff and external visitors, access control of all persons in possession of a permanent EDA badge;
  • to control access to individuals with vehicles;
  • to manage the SALTO locks' keys to individual offices;
  • to manage and control access to EDA meeting rooms.
8. Description of categories of persons whose data EDA processes and list of data categories

- EDA postholders : Temporary Agents, Contractual Agents and Seconded National Experts (SNE) as well as trainees, secondees other than SNEs, contractors, interims, Blue Book trainees; - Personnel of EDA temporary contractors;

- All other external visitors : Delegates and officials from EDA participating Member States (pMS), even when in a possession of a permanent EDA badge, delegates from Third Countries, Staff from other EU institutions, other external visitors etc., Data processed includes: - Name (last and first) - Title - Gender - Telephone (mobile/fixed) - Email address - Personnel N° - Department No sensitive personal data in the meaning of Article 10 of Regulation 2018/1725 are processed.

9. Time limit for keeping the data
  • For EDA postholders : up to 1 month after termination/end of contract.
  • For EDA temporary contractors’ personnel: up to 1 month after termination of service contract.
  • For delegates and officials from EDA pMS, from third countries, other EU institutions staff, etc.: up to 1 month after their last visit.
10. Recipients of the data
Staff of the Security and Infrastructure Unit/Corporate Services Directorate.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. For the personal data that are processed by automated means, measures have been taken with the aim of: (a) Preventing any unauthorised person from gaining access to computer systems processing personal data, Salto locks, password; (b) Preventing any unauthorised reading, copying, alteration or removal of storage media, access limited to security unit; (c) Preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure of stored personal data; (d) Preventing unauthorised persons from using data-processing systems by means of data transmission facilities; (e) Ensuring that authorised users of a data-processing system can access no personal data other than those to which their access right refers; (f) Recording which personal data have been communicated, at what times and to whom; (g) Ensuring that it will subsequently be possible to check which personal data have been processed, at what times and by whom; (i) Ensuring that, during communication of personal data and during transport of storage media, the data cannot be read, copied or erased without authorisation; (j) Designing the organisational structure within EDA in such a way that it meets the special requirements of data protection.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.