News, events, publications

EDA-DPR-017 - Financial Management and Budgeting

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 02-09-2022
2. Reference number EDA-DPR-017 - Financial Management and Budgeting
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
EDA personal data, including salary and pension rights data are, in principle, processed in ABAC. However, the financial management system AX 2012 and excel files that are necessary for financial operations and budgeting, including payments/reimbursements to third parties are still in use for the time being.
8. Description of categories of persons whose data EDA processes and list of data categories
  •  EDA staff;
  • contractors, experts, candidates, beneficiaries, other third parties reimbursed by EDA.

Data processed are the following:

  • Data processed are the following:
  • full name;
  • address/contact information;
  • date of birth;
  • marital status
  • family members (spouse/partner, children + date of birth)
  • salary level;
  • allowances; -
  • actuarial value of pension rights
  • nationality
  • missions; -
  • bank information (bank account number, bank)
9. Time limit for keeping the data
Data necessary for audit purposes are kept 5 years from the date on which a discharge for a given year was granted. Data kept for statistical purposes are anonymized.
10. Recipients of the data
EDA staff members (Finance Unit, HR Unit, Director CSD, Chief Executive, Deputy Chief Executive) and auditors.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
EDA has implemented appropriate technical and organisational measures, such as restricting data to limited number of users, reminding staff handling the data to anonymise where/as soon as possible to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.