News, events, publications

EDA-DPR-031 - Communication Database - EDA hardcopy magazine and e-newsletter

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-031 - Communication Database - EDA hardcopy magazine and e-newsletter
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
SendinBlue, a simplified joint stock company registered with the Paris commercial registry under No 498019298 and whose registered office is located at 47, rue de la Chaussee d'Antin, 75009 Paris, provides email and/or SMS marketing and/or transactional solutions via its website website and is used by EDA for the sending of the e-mail newsletter. Under EDA General Terms and Conditions all contractors are obiged to ensure data protection compliance when processing personal data.
7. Purpose of the processing
The purpose of the processing is to group information on data subjects in order to convey information on EDA activities, in particular by sending e-news and postal sending of hard-copy EDA magazines. The explicit and legitimate purpose of this action is to keep stakeholders informed on the activities of the EDA, serving the principle of public information and transparency.
8. Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or group of people: -National Administrations' civil servants;

  • European Institutions' civil servarnts;
  • Industry professionals;
  • Academic & Think-thank professionals;
  • Sectoral associations' professionals;
  • Army/Navy/Air Force
  • Press
  • Any individual interested in receiving news from EDA indicated by completing the e-news sign-up form.

Data processed are the following: For e-news:

  • First name and surname;
  • E-mail address Additional information needed for the paper magazine:
  • Postal address.

The following additional information may be processed for further costumer relations management:

  • additional personal information (organisation, department, job title);
  • additional contact information (phone, fax, website)
  • roles (representing country, representing organisation)
9. Time limit for keeping the data
Data will be kept in the database for the purposes outlined above until the data subject expresses his/her wish to be deleted from the database: -An annual email reminder is sent to all data subjects informing them that are included in EDA's database and providing the Privacy Statement. -Every e-newsletter sent via the EDA communication database contains an usubscribe option; the data of the data subject requesting to usubscribe is subsequently deleted from the database. -Emails that are returned to the sender will be deleted from the database.
10. Recipients of the data
The internal recipients of the data are the Media and Communication Unit, the EDA assistants and IT Unit. The Media and Communication Unit commissions an external contractor (through a framework contract for communications services) for the postal sending operations of the EDA magazine in print, in case the subscriber has expressed the wish to receive such publication.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
The data are stored on the host servers on which SendinBlue processes and stores its databases, located exclusively within the European Union. SendinBlue does not transfer data outside of the European Union under the supervision and responsibility of the EDA IT unit. Only MCU & IT staff & assistants have access to the EDA database. EDA's contractors are bound by a specific contractual clause under EDA general Terms and Conditions and under the respective contract for any processing operations of personal data on behalf of EDA, abiding to strict technical and organisational security measures in adherence to Regulation 2018/1725. SendinBlue has taken all necessary precautions to safeguard personal data and, in particular, to prevent it from being misrepresented, damaged or accessed by an unauthorised third party. These measures include the following: -Multi-level firewall; -Anti-virus with a proven reputation for detecting attempted intrusions -Encrypted data transmission.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.