News, events, publications

EDA-DPR-025 -  Selection and Recruitment

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 19-04-2023
2. Reference number EDA-DPR-025
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
Belgium
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

dataprotection@eda.europa.eu

5. Name and contact details of joint controller (where applicable)
N/A     
6. Name and contact details of processor (where applicable)

For outsourced online written tests invigilation:

TestReach

NexusUCD, Block 9-10 Belfield Office Park

Clonskeagh, Dublin 4

IRELAND

info@testreach.com

+353 (0)1 536 3820

 

For outsourced assessment center (for management positions):

Hudson Belgium SA/NV

Avenue Bourget 42

1200 Brussels

Belgium

7. Purpose of the processing

Personal data are collected and processed in view of selecting and recruiting the most suitable candidates, following an appropriate selection procedure for various staff categories, namely:

  • Temporary agents (TAs);
  • Contract agents (CAs);
  • Seconded National Experts (SNEs);
  • Trainees,

to manage applications at the various stages of these selections and to manage and check the use of reserve lists when applicable with the view of eventually recruiting staff to EDA.

The selection and recruitment procedure is necessary for the management and functioning of the Agency in order to allow it to carry out its tasks in the public interest on the basis of the Treaty on European Union.

Recruitment procedures of TAs, CAs, SNEs at EDA are organized as described under Recruitment Procedure (europa.eu). For trainees, relevant info can be found under Traineeship (europa.eu).

8. Description of categories of persons whose data EDA processes and list of data categories

Data subjects:

  • All candidates applying for a position of TA, CA, SNE or trainee at EDA following a publication of a vacancy notice.
  • Individuals sending a spontaneous application to EDA.

     

    List of data categories processed:

  • Identification data, i.e. surname, first name, date of birth, gender;
  • Contact information, i.e. address, telephone, e-mail;
  • Information regarding eligibility and selection criteria laid down in the vacancy notice, i.e. nationality, languages, education, employment record, military/civil service record, other relevant for the job skills such as knowledge of computer software;
  • Information about the length of the legal notice period required, objection against inquiry with present employer, periods spent abroad, references, motivation, declaration of honour as well as where the applicant found out about the vacancy;
  • If applicable, results of the pre-selection or written/oral tests (TAs, CAs and SNEs);
  • Information regarding security clearance;
  • For candidates invited to the interviews: if needed, financial information (BAF- bank details form) – for the reimbursement of costs incurred;
  • For selected TA, CA candidates only: medical data in the context of the pre-employment medical check;
  • Information about disability might be requested in order to facilitate the access of the candidate(s) to the EDA premises.

     

    For candidates invited to the remote written test (for TAs, CAs and SNEs only)

  • some personal data (name, surname) and contact details are shared by EDA with the provider, TestReach, for the practical arrangement of the written test.

     

    In the context of the actual remote written test, the following additional personal data are also processed:

  • Video log of the candidate during the remote written test;
  • IP address, browser header data (user agent) and other similar information about the computer used to take the assessment;
  • User access and activity data within their system (e.g. when the candidate logs in, when the candidate logs out, when the candidate answered a question, etc.) for audit-trailing and security purposes;
  • Video recording of the screen of the candidate taking the test.

     

    For candidates for management positions invited to the Assessment Center:

    CVs of the candidates are shared with the provider – Hudson, containing:

  • Identification data, i.e. surname, first name, date of birth, gender;
  • Contact information, i.e. address, telephone, e-mail;
  • Information regarding eligibility and selection criteria laid down in the vacancy notice, i.e. nationality, languages, education, employment record, military/civil service record, other relevant for the job skills such as knowledge of computer software;
  • Information about the length of the legal notice period required, objection against inquiry with present employer, periods spent abroad, references, motivation, declaration of honour as well as where the applicant found out about the vacancy.

 

For recruited candidates (Conflict of Interest forms):

As part of this processing activity, it is necessary for EDA to obtain conflicts of interest (CoI) declarations before recruitment, in which (future) staff provide personal data about their professional and private lives such as their name, past/present employment or professional activities; shareholdings in companies; functions in associations/organisations; the professional activities of their spouse, partner or household members.

Declarations of CoI of senior staff will be published on EDA’s website.
9. Time limit for keeping the data

For EDA (the data controller):

  1. Spontaneous applications are deleted after having informed the applicant(s) that the application will not be kept since EDA only considers applications for vacancies published on its website.

     

  2. For non- selected candidates
    • Personal data contained in supporting documents of applicants for TA, CA and SNE positions will be deleted after 6 years following the closure of the selection for candidates invited for the interview, or after 3 years for candidates not invited for the interview.
    • Personal data of non-selected applicants for trainee positions will be deleted after 3 years following the closure of the selection.
    • For candidates who created an application but finally did not submit it, the personal data is deleted as soon as the selection is completed.
    • Anonymised data could be kept longer for statistical purposes.
  3. Candidates selected for recruitment

Recruitment documents for selected TAs and CAs are kept in the agent's personal file, in accordance with Art. 33 and Art. 104 of the EDA Staff Regulations for a period of 5 years after the jobholder has terminated employment at the agency. The same filing practice and retention is applied for recruited SNEs and trainees.

With regard to the processing of police record and security clearance:

  • The formal job offer to candidates which are to be recruited includes a request to provide a recent excerpt of the police record, which is conditional for confirmation of the recruitment. This document is only consulted by the HR Officer in charge of the respective recruitment and then always returned to the candidate concerned. An acknowledgment of receipt is placed in the personal file of the candidate who becomes a staff member.
  • Security clearance(s) are handled in accordance with record DPO-15-PSC.

 

For the data processors

  1. TestReach – remote written exams

    All video records and Invigilation Reports are held by TestReach for a period of 6 months after which they are deleted, unless TestReach is specifically requested by EDA to hold it for longer, for example in the case of an appeal process, to ensure the availability of relevant data until the finalization of the selection and/or related legal proceedings.

  2. Hudson – assessment center

CVs of the candidates invited to the Assessment Center are kept for 2 months from the acknowledgement by EDA of receipt of the Assessment Centre Reports and de-briefing materials to ensure the delivery of feedback if requested by candidates.

10. Recipients of the data

The recipients are/may be:

  • designated EDA staff members involved in the selection and recruitment procedure (e.g. HR, selection panel, Finance)
  • where applicable, external members of the selection panel
  • external contractors acting as processors;
  • -other staff members on a need-to-know basis (e.g. internal auditor, DPO, Legal Office)
  • If applicable, supervisory authorities and/or courts.

With regard to pre-employment medical checks: The Medical Service of the Council (not applicable for SNEs and trainees).

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

No, there is no transfer of personal data to a third country or international organization, neither by the data controller nor by the data processors.

12. General description of security measures, where possible.

Submission of applications to vacancies are done electronically via the appropriate IT tool. The applicant has to register an account accessible via a username and a password.

EDA has implemented appropriate technical and organisational measures (secure access methods, firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.

Appropriate security measures are implemented also by the data processors against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement

Data subjects have the right to access their personal data and the right to correct any inaccurate or incomplete personal data, as well as to request the removal of their personal data, which will be implemented within 15 working days after the request has been deemed legitimate.

If the data subject has any queries concerning the processing of his/her personal data, s/he may address them to the data controller at the following mailbox: recruitment@eda.europa.eu. Candidates placed on a reserve list have the right to amend their identification data such as surname, email, address, phone number, by contacting the HR Unit at the same address.

All legitimate requests will be handled within 15 working days.

Additional information is available in the following EDA privacy statements:

  • Selection and recruitment, here;
  • Remotely invigilated written tests in the context of EDA’s selection procedures, here;
  • Assessment center, here;
  • Health Data is handled in accordance with record EDA-DPO-29.