News, events, publications

EDA-DPR-028 - Staff learning and development activities

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-028
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
EDA uses the EU Commission learning management system (LMS) EU Learn on the basis of an SLA.
In addition to this, EDA uses other in-house and external training providers. All contractors are contractually obliged to ensure data protection compliance when processing personal data on behalf of EDA.
Any further information can be provided by EDA HR at
7. Purpose of the processing

EDA processes personal data in order to provide staff with (continuous) learning and development possibilities while in employment with the Agency.
The purpose of the processing is:

  • to plan and organize learning and development (L&D) activities for EDA staff
  • to monitor the training budget
  • to manage all the procedures regarding L&D actions
  • to keep a training history of the EDA staff
  • to evaluate the L&D actions in view of quality control
Learning and development offers include:
  • EU Learn online and presence trainings
  • EDA in-house and internal trainings
  • Training/coaching programmes
  • External training courses
8. Description of categories of persons whose data EDA processes and list of data categories

Data subjects include:

  • All categories of EDA staff,
  • internal and external trainers
Categories of data processed may include:
1. Identification data
  • Name
  • Date of birth and ID number (for courses organized by the European Security and Defence College)
2. Contact data
  • Email address
  • Address
  • Phone number
3. Other (if required)
  • Job title, name of Directorate/Unit/Office,
The Learning Management System also records the anonymized evaluation provided by the course participants on a voluntary basis after the training in order to guarantee the quality of the training.
The system provides the possibility for statistical reports about evaluations regarding the trainers and the courses.
9. Time limit for keeping the data

For files that are closed without follow-up, the time limit for storage is as follows:
For the data processed by EDA:

  • Presence lists are kept for a maximum of 15 years after the training: Taking account of the maximum number of 10 years of service at EDA, plus 5 years after end of service as also defined for EU Learn;
  • For justification of the payment of the external contractor in accordance with the periods determined under the Financial Regulation as justification for the payment of contractors/training providers invoices (5 years after discharge).
For the data in EU Learn:
  • Training records in EU Learn are kept for the duration of the staff member’s career in the EU Institutions and 5 years after the end of service or contract in accordance with the EU Learn - Privacy Policy (
For data processed by external service providers:
  • Retained only as long as necessary for the performance of the programme.
  • Data obtained in surveys and/or in interviews are stored in electronic form on servers maintained by the training provider. The processor will delete the data it holds for the purposes of this processing operation as soon as the programme is terminated (end of specific contract with EDA).

For files that lead to a follow-up (internal investigations, disciplinary procedure) data will be retained for the period of time stipulated by these follow-up procedures. A final report, containing anonymised data only, may be kept for an unlimited time.
EDA may retain anonymous data for statistical purposes. EDA pays particular attention to preserve anonymity of personal data for these purposes, especially to all the measures necessary to avoid indirect identification.
10. Recipients of the data
  • EDA HR staff dealing with L&D, the Corporate Services Director, the Chief Executive, the Deputy Chief Executive, the Line Manager of staff member(s) requesting a training, EDA internal trainers;
  • Other EDA staff on a need-to-know basis (Internal auditor, Finance, DPO, Legal)
  • External contractors, i.e. specific training organiser and trainer (for enrolment and attendance list)
  • Others on a need-to-know basis (e.g. supervisory authorities, courts etc.).
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.

Data is stored in:

  • EU Learn tool
  • HR files on Sharepoint (limited access on a need-to-know-basis)
EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.
Data subjects have the right to access their personal data and the right to correct any inaccurate or incomplete personal data, as well as to request the removal of their personal data, which will be implemented within 15 working days after the request has been deemed legitimate. If the data subject has any queries concerning the processing of his/her personal data, s/he may address them to the data controller at the following mailbox:
Direct access for staff on EU Learn Tool: EDA staff members also have access to their personal data stored in their profile on EU Learn.
Access for external trainers and contractors: external trainers are able to request access to their data by simple request to the EDA HR Head of Unit (