EDA-DPR-030 - Handling of harassment

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-030 - Handling of harassment
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)


6. Name and contact details of processor (where applicable)
7. Purpose of the processing
Personal data processing carried out by EDA in the context of the informal and formal procedure to prevent psychological or sexual harassment in accordance with the provisions of EDA Staff Regulations. The purpose of the data processing, the implementation modalities and the role of parties involved in the procedure(s) are described in a policy document available to all staff on EDA Portal (Decision N 18/14 of 16 May 2018), namely to prevent, investigate and take any necessary measures concerning psychological or sexual harassment.
8. Description of categories of persons whose data EDA processes and list of data categories
Data are processed from the following individuals or groups of people:

In the informal procedure:
- each and every person working at EDA, regardless of grade or contract of employment (this includes trainees and all those working under a contract under national law), where he/she is identified or defined as an alleged victim of harassment by a member of staff of EDA;
- any person aware of a situation of harassment insofar as he/she is involved in the informal procedure;
- the alleged harasser is also considered as a data subject insofar as she/he is involved in the informal procedure.

In the formal procedure:
- staff identified or defined as an alleged victim of harassment by a member of staff of EDA (only staff covered by the EDA Staff Regulations have access to the formal procedure);
- the alleged harasser (only staff covered by the EDA Staff Regulations have access to the formal procedure);
- any person aware of a situation of harassment insofar as he/she is involved in the procedure.

Personal data processed in the context of the anti-harassment procedure may comprise:
- objective ("hard") data collected as necessary to properly administer the case;
- subjective ("soft") data collected by the External Prevention Advisor, based on statements and reflecting facts and perceptions of the alleged victim, of any person aware of a situation of harassment and of the alleged harasser (provided the victim gave the Advisor prior consent to contact the latter).

As far as relevant and necessary for the specific purpose of the case, data processed may comprise data qualified as sensitive in Article 10 of Regulation 2018/1725 (i.e. data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, biometric or genetic data, health or data concerning the data subject’s sexual orientation).
The collection of soft data does not follow systematic rules as to the type of data processed and it is not possible to determine a priori the type of data collected. In accordance with Article 4 of Regulation 2018/1725, data collected should anyway be adequate, relevant and not excessive in relation to the case handled. This analysis must be conducted on a case-by-case basis.
9. Time limit for keeping the data
The External Prevention Advisor and the Investigation Team shall not keep personal data on a case for a period longer than three months following its closure. Personal data should be either destroyed or returned to the data subject who provided them. The Human Resources Unit holds the historical memory of anti-harassment procedures for a maximum of five years from the opening of the procedure. Five years is the period considered necessary for the Human Resources Unit to evaluate the harassment prevention policy, to reply to any legal questions and to identify multiple or recurrent cases. Files may be retained for a further five-year period in case an administrative or legal action is pending (e.g. with the European Ombudsman or the Court of the European Union).
10. Recipients of the data
The hierarchical superior of the alleged victim, the Head of HR unit, the External Prevention Advisor/Mediator, the Corporate Service Director, the Chief Executive, the Deputy Chief Executive, the Investigation team, the Internal Auditor, the College of Auditors, OLAF, the Court of Justice of the EU, the European Ombudsman and any national court.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.