News, events, publications

EDA-DPR-027 - Leave management

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-027 - Leave management
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The personal data are processed for the management of all entitlements for annual leave, special leave, sick leave and in general all the related working conditions of Temporary Agents (TAs), Contract Agents (CAs), Seconded National Experts (SNE) and Trainees at EDA.
8. Description of categories of persons whose data EDA processes and list of data categories

There are 2 main categories of data subjects, namely:

  • EDA staff members and SNEs and trainees (SNEs and trainees for a restricted number of leave entitlements);
  • In connection to special categories of leave, relatives of EDA staff, including spouse, children and relatives in ascending line.

Personal data processed:

  • main employment and career data at EDA;
  • start date of EDA employment, category/statues, termination/end of contract with EDA, place of origin, age;
  • documents containing personal data such as justification documents for various categories of specific leave, information on carry-over of not taken annual leave from the previous year;
  • information on the EDA staff member's family situation, including the relationship to family members;
  • Sensitive data in the meaning of Article 10 of Regulation 2018/1725, namely health related data, including medical certificates, confirmation on treatment/medical appointments, medical data and health diagnosis information of the EDA staff members and of their relatives, including spouse, children, relatives in ascending line. The processing of medical personal data has been notified to the EDPS.
  • Information on political appointment and participation in elections of the EDA staff member.
9. Time limit for keeping the data
Annual/Special and Sick leave requests are stored electronically in the leave management workflow on the EDA server. Medical certificates with no indication of the medical diagnosis are stored in a locked cupboard with restricted access to the HR Unit. Such data are kept for a period of 3 years. Additionally, the leave management tool is used to run several reports including statistics on sick and special leave and leave requests per directorates.
10. Recipients of the data
  • The Line Manager of the data subject and his/her Head of Unit;
  • his/her Director; - the Chief Executive;
  • the Deputy Chief Executive; -
  • the Corporate Services Director;
  • the HR Unit; -the Council Medical Service; 
  • the European Council Invalidity Committee;
  • the EDA IT Unit (for support on the electronic management system);
  • the EDA Internal Auditor; -the College of Auditors;
  • the European Ombudsman;
  • the European Data Protection Supervisor;
  • the Court of Justice of the European Union.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Leave requests are stored in an electronic database. The data are kept in the Leave Management System with password protected. Medical certificates with no indication of medical diagnosis are stored in a locked cupboard with limited access to the HR Unit.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement

Additional information is available by following the link to privacy statement here.