News, events, publications

EDA-DPR-029 - Health Data

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-029
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
European Council Medical Service
7. Purpose of the processing

The processing of health data serves various organisation management purposes at EDA, including:

  • Management of pre-employment check-ups to future EDA staff members and annual medical check-ups for TA and CA;
  • Management of certain leave entitlements for TA, CA, SNEs, Trainees and Interim;
  • Determining working conditions for TA & CA;
  • Annual Health promotion and sickness prevention programs for TA and CA.
8. Description of categories of persons whose data EDA processes and list of data categories
  • TA, CA and SNEs, Trainee and Interim Staff.

In connection to certain types of leave documented:

  • relatives of EDA, including spouse and relatives in ascending line;
  • Candidates offered a TA or CA position at EDA, when undergoing a pre-recruitment medical check-up First name, last name, date of birth, place and country of birth, nationality, gender, address, tel; email, civil and family status (for pre-employment medical check-ups). Medical certificates from staff members that could contain health data Special leave documents including medical reports.
9. Time limit for keeping the data
The "apt for duty note" for the pre-employment check-up as long as the "Personal file" exists Confirmation that staff members underwent the annual medical check-up: 5 years Confirmation of the invalidity for the duration of the invalidity until the pensionable age The "apt for duty" or "not apt for duty" note of non-recruited persons: 2 years Medical certificates are kept for a period of 5 years.
10. Recipients of the data
Medical Council of the Council and EDA HR Unit. 
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, others). Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.