News, events, publications

EDA-DPR-047 - CapTech and EDA R&T WG activities

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-047
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
Support the EDA CapTech and R&T WGs Activities: A capability Technology group ("CapTech") or an R&T WG is an EDA working group dedicated to a particular technology area. The core task of such groups is to gather advice from the Member States' experts in order to identify technology gaps and common areas of interest for cooperation. Non-governmental experts are also part of the discussion group, contributing with ideas and the most up-to-date technology trends. The purpose of the processing operation is to provide information to the CapTech Members (industrial and pMS representatives), to support a smooth functioning of the associated EDA working bodies and promote awareness of related activities to maximize synergies and avoid duplication of efforts. Personal data is processed in order to share working documents, distribute information of relevance to the different working bodies, to establish an effective working network of experts and to allow invitation and registration for meeting and/or forums.
8. Description of categories of persons whose data EDA processes and list of data categories
Personal Data from the following individuals or group of people are processed: - CapTech National Coordinators (CNCs) - CapTech Governmental Experts (CGEs) - CapTech Non-Governmental Experts (CnGEs) - Members of management groups nominated by CNCs to follow CapTech related Studies - Ad-hoc groups of experts for specific technological areas and/or topics (e.g. attending to conferences, workshops, seminars organized by CapTechs, or other DGs, ESA expert groups meetings) Data processed are the following: Name, Surname, e-mail address, Organization name and type, Role in the organization, Country of work, Nationality, phone number, access rights to EDA tools No sensitive data is involved in this processing.
9. Time limit for keeping the data
Data will be kept as long as needed to serve the purpose for which they have been gathered or until the data subject indicates that he/she wants the data to be removed. If not needed anymore, the data will be deleted within 12 months.
10. Recipients of the data
EDA staff : the internal recipients of the data are the ESI and CAT Unit, the IT and Security Units and other operational Units involved in a specific project. Meeting Participants and members of the CapTech/R&T WG to which the meeting is related. The information will not be communicated to third parties unless necessary for the purpose outlined above.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Data will be processed in accordance with the high security standards established by EDA. Personal data within the EDA network is restricted so that only EDA staff can access, as relevant. EDA external contractors are obliged by the respective contract to adopt appropriate technical and organisational security measures having regard to the risks inherent in the processing and to the nature of the personal data concerned.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here