EDA-DPR-013 - BCM-Business Continuity Management

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 19-08-2022
2. Reference number EDA-DPR-013 - BCM-Business Continuity Management
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The purpose of the personal data collected is to be able to mobilize and contact staff in case of crises/emergencies and to inform staff as soon as possible.
8. Description of categories of persons whose data EDA processes and list of data categories
EDA staff (temporary agents, contractual agents, seconded national experts), and other staff working in the agency (interns, interims, blue book trainees, etc.); EDA temporary contractors' personnel. The only data processed are the phone numbers. No sensitive data in the meaning of Article 10 of Regulation 2018/1725 are processed.
9. Time limit for keeping the data
Data will be retained for the period of 1 month after termination/end of contract.
10. Recipients of the data
Based on the advice and risk analysis of the Security and Infrastructure Head of Unit, the CSD Director will be directly informed. He will report directly to the Chief Executive. Once a decision is taken, the system will be activated by IT.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.

For the personal data that are processed by automated means, measures have been taken with the aim of:

a) preventing any unauthorized person from gaining access to computer systems processing personal data (Salto locks, passwords);

b) preventing any unauthorized reading, copying, alteration or removal of storage media (access limited to IT and HR Unit);

c) preventing any unauthorized memory inputs as well as any unauthorized disclosure, alteration or erasure of stored personal data;

d) preventing unauthorized persons from using data-processing systems by means of data transmission facilities.

13. For more information, including how to exercise your rights of access, rectification, objection and data portability (where applicable), see the privacy statement
Additional information is available by following the link to the privacy statement here.