EDA-DPR-041 - Mobile phone-Management of service mobile telephone invoices

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-041
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
EDA has a contract with Proximus for the provision of the SIM cards, mobile phones, voice and data transfer services. Proximus client service: 080055800 (from abroad: +32 475 156030). Staff shall call the Proximus helpdesk directly in order to block the SIM card in case of loss or theft.
7. Purpose of the processing
The purpose of the processing is the verification of invoices in order to ensure that the use of the mobile phone by each staff member does not exceed the "flat rate", in other words, the verification of detailed invoices in case of high invoiced amounts. The processing of data is considered necessary for the management and functioning of EDA. As the policy states, service mobile phones are a professional tool provided to certain members of staff in the context of the performance of professional activities.
8. Description of categories of persons whose data EDA processes and list of data categories

EDA staff (temporary staff, contract staff, special adviser) and Seconded National Experts (SNEs) who have received a service mobile phone or service SIM card in accordance with EDA Decision 16/16 and who have signed the "Statement of Use" under Annex II of that Decision. The itemized invoices include the following data:

  • basic staff information including name, EDA mobile number and monthly cost;
  • form of communication (text or call, but not the content of communication);
  • numbers called;
  • the destination, the time, the duration of each call;
  • the location from where the call was placed.
9. Time limit for keeping the data
The general billing information shall be stored for 5 years after the discharge as required by the provisions of the Financial Regulation and its Rules of application for audit and discharge purposes. The itemized invoices are deleted immediately after the verification and in any case no later than 6 months after the processing, except where needed for financial or disciplinary follow-up.
10. Recipients of the data
IT and Finance staff involved in payment and verification of invoices.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
As a general rule, EDA IT sends regular messages relating to security, in particular in relation to the handling of personal data on IT systems in EDA. This, along with regular training on data protection matters (namely, induction for newcomers and a general information session for all staff), ensures that EDA staff are adequately informed of the measures necessary to ensure the security of processing. In addition, EDA units are subject to the internal audits performed by the Agency Internal Auditor. The areas subject to internal audit are determined in accordance with EDA rules and procedures as set out by the EDA Financial Rules, namely the key areas agreed on an annual basis with senior management. EDA staff are bound by the EDA Staff Regulations, which provide for a duty of confidentiality. This, along with the other key staff obligations in relation to performance, ensures an overall understanding of the requirements when handling personal data. In this particular processing operation, the controller has implemented appropriate technical and organisational measures to ensure an appropriate level of security. The security risk assessment is currently performed on an ad hoc basis by the controller with the support of the DPO and follows the provisions of Regulation 2018/1725 in this regard.
13. For more information, including how to exercise your rights of access, rectification, objection and data portability (where applicable), see the privacy statement
Additional information is available by following the link to the privacy statement here.