News, events, publications

EDA-DPR-015 - Management of personal security clearances (PSC)

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 19-08-2022
2. Reference number EDA-DPR-015 - Management of personal security clearances (PSC)
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
Personal data are processed by EDA in the context of requests for obtaining a personal security clearance (PSC) for EDA staff and other persons working for EDA in order to allow them to access EU classified information (EUCI).
While working within EDA, the employee may need to access EU classified information (EUCI); therefore, EDA requires that its employee holds, or is in a position to obtain a Personnel Security Clearance (PSC).
A Personnel Security Clearance Certificate (PSCC) is a certificate issued by the national competent authority (NSA of the employee) attesting that a person is security cleared and indicating the level of EUCI to which that individual may have access (CONFIDENTIEL-EU/EU-CONFIDENTIAL; SECRET UE/EU SECRET).
8. Description of categories of persons whose data EDA processes and list of data categories

Categories of data subjects:

  • (future) EDA Staff (Temporary Agents, Contractual Agents and Seconded National Experts (SNE)), and other Staff working in the Agency (trainees, interims, seconded other than SNE, contractors),
  • EDA temporary contractors’ personnel if access to classified areas or IT networks is needed,
  • Delegates and officials from EDA participating Member States (pMS), delegates from Third Countries, Staff from other EU institutions, etc., participating in EDA classified meetings,
  • Other visitors that need access to EDA secured areas or classified information.
  • Categories of personal data:
    • Surname, First name(s),
    • Date of Birth, Place of Birth, Nationalit(y)(ies),
    • EDA Unit where the applicant will be working,
    • Passport or ID card number, issuing national entity of Passport or ID card, Date of issue of Passport or ID card,
    • Email address,
    • Type and level of clearance, Issuing national authority of the clearance, Validity date.
No sensitive data in the meaning of Article 10 of Regulation 2018/1725 are processed by EDA.
9. Time limit for keeping the data
  • For EDA personnel, personal data will be kept up to 1 month after termination/end of contract.
  • For the original paper document: EDA is required to return to the national security authority (NSA) or other competent authority the original Personnel Security Clearance of its staff on termination of his/her employment contract.
  • The personal data of delegates and officials from EDA pMS, from third countries, other EU institutions staff, etc. will be immediately destroyed after the meeting is finished or the need for it extinguished otherwise.
10. Recipients of the data

Internal recipients: HR Unit and Security Unit

  • HR Unit receives a filled-in form (related to the security clearance status) of the future employee of EDA in the recruitment process and transfers it to the Security Unit. Security Unit contacts the person asking to fill in specific forms, as requested by the NSA of the applicant in the process of obtaining a PSC.
  • The filled-in forms of the person requesting a PSC are sent directly to, seen and handled only by the Security Unit before being transmitted to the relevant NSA. The Security Unit act as an intermediary between the NSA and the applicant, hence conducting all transfers of information to and from them.

External recipients: EDA participating Member States’ National Security Authorities/ Designated Security Authorities.

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
In principle, EDA does not transfer personal data to recipients which are not subject to Regulation 2016/679 (GDPR) or Regulation 2018/1725 (EuDPR), Exceptionally, transfers of personal data may occur in the context of classified meetings with third countries and/or international organisations requiring an EDA staff member to provide a PSC certificate.
12. General description of security measures, where possible.
Electronic and original PSC certificates are stored in the EDA IT Server and/or in the Security containers of the Security Office. An electronic record of these PSCs is stored on a classified computer.
The controller has implemented appropriate technical and organisational measures to ensure a high level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement

Additional information is available by following the link to privacy statement here.