News, events, publications

EDA-DPR-014 - Management of Facility Security Clearances (FSC)

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 19-08-2022
2. Reference number EDA-DPR-014 - Management of Facility Security Clearances (FSC)
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing

Personal data are processed by EDA in the context of concluding classified contracts. Contractors who are required to access, handle or store EU classified information (EUCI) within their facilities, either during the pre-contractual stage or during the performance of the classified contract itself, must hold a valid Facility Security Clearance (FSC) at the required level, and as requested by national rules, the appropriate Personnel Security Clearance (PSC) for the personnel concerned.

As defined in the EDA Security Instructions (CE Dec. 18/24), an FSC is an administrative determination by a National Security Authority (NSA) or Designated Security Authority (DSA) that, from the security viewpoint, a facility can afford an adequate level of protection to EUCI of a specified security classification level.

8. Description of categories of persons whose data EDA processes and list of data categories

In order to obtain confirmation of the FSC, the Security Unit processes the personal data of the Facility Security Officers (FSO) and of the personnel concerned of potential contractors/subcontractors:

  • Surname, First name(s),
  • Date of Birth, Place of Birth, Nationalit(y)(ies),
  • Phone number
  • Email address,
  • Type and level of clearance, issuing national authority of the clearance, validity date;

No personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and of data concerning health or sex life, are processed by EDA.

9. Time limit for keeping the data
The SIS (Security Information Sheet) and the FSCIS (Facility Security Clearance Information Sheet) containing personal data of the security officers appointed for the purpose of the classified contract are kept in the Security unit’s records for the entire duration of the contract and maximum 1 year after the termination of the contract.
10. Recipients of the data

Internal recipients: Procurement and Contracting Unit and Security Unit

  • PCU Unit receives a filled-in form (Security Information Sheet - related to the security clearance status) of the potential contractor/subcontractor of EDA in the context of a classified project and transfers it to the Security Unit.
  • Based on the information provided in the Security Information Sheet, the Security Unit submits a request (Facility Security Clearance Information Sheet – FSCIS) to the NSA of the contractor’s location. The Security Unit acts as an intermediary between the NSA and the contractor, hence transferring information to and from them.

External recipients: NSA / DSA, in charge of a specific FSC request.

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.

Electronic Facility Security Clearance Information Sheets and Security Information Sheets are stored in the EDA IT Server and/or in the locked safes of the Security Office (if printed).

The controller has implemented appropriate technical and organisational measures to ensure a high level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental destruction or loss. Data are processed in specific administrative areas both in the Security and Contracting units, the access to which is very limited and only made possible with prior authorisation on a need-to-know basis.

13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.