News, events, publications

EDA-DPR-021 - ECP workspace "EDA National PoCs"

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 02-09-2022
2. Reference number EDA-DPR-021 - ECP
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
Official central point for preparation and publication of data on intranet and extranet for Member States Points of Contact for access only by the Agency and Member States having access to ECP workspace “EDA National PoCs”.
8. Description of categories of persons whose data EDA processes and list of data categories
Data are processed from the following individuals or group of people: Points of Contact for Capabilities Directors, National Armaments Directors, R&T Directors, Central Points of Contact, Deputy Central Points of Contact, Brussels Points of Contact from EU Member States. Data processed are the following: Full name and title, address, name of organisation and division, position held, contact numbers (telephone, mobile, fax and e-mail).
9. Time limit for keeping the data
Current lists of PoCs available during tenure as EDA Point of Contact only, i.e. as decided by subject’s Member State, and subsequently deleted. Previous versions of the PoCs table are kept on EDANet with link to SPU Sharepoint (who has sole modification rights) as a point of reference. Points of Contact (PoCs) are the key professional contacts between the EDA pMS and the Agency, as a result the personal data included in the list is solely based on the professional occupation of the data subject as PoC (i.e. professional address, professional title, etc). The retention of personal data for historical purposes is justified by the need to ensure the ‘institutional memory’ of the Agency which includes information on the representation of pMS at a given point in time. This is useful, for example, to cross check information, facilitate contact with pMS, among other things. Since the historical value of the PoC list depends precisely on the presence of data which allows the data subjects to be identified, the data cannot be anonymised. However, an equivalent level of protection to that of encryption is ensured by a restricted access to the prior lists. Indeed, the appropriate safeguards have been put in place to ensure that the data kept on the basis of historical value are not processed for any other purposes or used in support of individual measures or decisions regarding a particular individual. In particular, only the current list of PoCs is accessible to all EDA staff. Previous lists of PoCs are only accessible to SPU (which has sole modification rights).
10. Recipients of the data
Agency staff members and members of ECP workspace “EDA National PoCs” only.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Information is limited to Agency staff only and members of ECP with access rights to EDA National PoCs workspace. Previous versions of the PoCs table only accessible by SPU.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.