EDA-DPR-019 - SecInfra contractor contacts

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 02-09-2022
2. Reference number EDA-DPR-019 - SecInfra contractor contacts
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
These processing operations serve the specified, explicit and legitimate purpose of managing and enabling the execution of Security & Infrastructure support services through different contractors (e.g. supply of items and services).
8. Description of categories of persons whose data EDA processes and list of data categories

The personal data of the following category of data subject(s) are processed: EDA Security & Infrastructure Unit contractors' personnel (e.g. ISS, Cofely, Jeune jardiniers, Lyreco, Securitas, Ambius, AIB Vincotte, SasConsult, RadarRisk, Guest...)

The personal data processed are the following: name, nationality, date of birth, work telephone and email (all this information is provided by the contractors during the tender exercise in accordance with EDA contractual clauses and technical requirements, and some of them are mandatorily required to have permanent access to the EDA premises).

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and data concerning health or sex life, are not collected, and therefore not processed.

9. Time limit for keeping the data
Personal data will be stored in infra archives for future reference, for a retention period of 4 years, which corresponds to the standard duration of a framework contract. After expiration of each contract, data will be stored for a period of 2 years.
10. Recipients of the data
EDA staff
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Data are processed in accordance with the security standards established by EDA. The Head of Unit and deputy are the sole officers having access to these data.
13. For more information, including how to exercise your rights of access, rectification, objection and data portability (where applicable), see the privacy statement
Additional information is available by following the link to the privacy statement here.