
EDA-DPR-050 - External Active Directory

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-050 - External Active Directory
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
Active Directory (AD) is the core database that Microsoft Windows Server uses to store information about the users of the system as well as the Microsoft environment. It enables network communication between devices and the functioning of most external EDA software applications and EDA work assets. More importantly, AD is used to provide each legitimate user with valid credentials to the EDA network and its resources, and to manage their access rights. Active Directory EDA-EXT is synchronised with AppSecStore in one direction only (AppSecStore to AD EDA-EXT), so any modification applied in AppSecStore by any process or administrator is propagated to AD EDA-EXT.
8. Description of categories of persons whose data EDA processes and list of data categories
All EDA external stakeholders who need access to any EDA collaboration platform. Electronic data on official business coordinates: first name, last name, email, telephone number, title, unit, company and office number. In addition, their credentials to access EDA resources.
9. Time limit for keeping the data
  • An inactive user (one who has not visited EDA applications for more than 6 months) has their access rights temporarily withdrawn (suspended). An email is sent to notify the user, with instructions to contact the EDA administrators or any of the moderators of the application they had access to, in order to reactivate their account.
  • Accounts that remain inactive for a period of 1 year are removed from MYEDA.
  • An organisation administrator can remove any member of the organisation at any time using the MYEDA portal.
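The retention schedule above can be checked mechanically. The following Python script is an added example, not EDA's own code or tooling: it assumes each external account exposes a login name, the date of its last visit to an EDA application and a current status ("active" or "suspended"), and that "6 months" and "1 year" are counted in calendar months from that date. The account list and the reference date are constructed for the example.

```python
"""Audit helper for the item 9 retention schedule (added example, not EDA code).

Assumptions (not stated in the record): an account exposes a login name, the
date of its last visit to any EDA application and a status of "active" or
"suspended"; the 6-month and 1-year limits are counted in calendar months.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date

SUSPEND_AFTER_MONTHS = 6   # item 9: inactive for more than 6 months -> suspend and notify
REMOVE_AFTER_MONTHS = 12   # item 9: inactive for 1 year -> remove from MYEDA


@dataclass(frozen=True)
class ExternalAccount:
    login: str
    last_seen: date          # last visit to any EDA application
    status: str = "active"   # "active" or "suspended"


def add_months(d: date, n: int) -> date:
    """Return d shifted forward by n calendar months (day clamped to month end)."""
    y, m0 = divmod(d.month - 1 + n, 12)
    y += d.year
    m = m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def retention_action(acct: ExternalAccount, today: date) -> str:
    """Decide what item 9 requires for one account as of `today`.

    "remove"  - inactive for a year or more: delete the account from MYEDA
    "suspend" - still active but inactive for more than 6 months: withdraw
                access and send the reactivation-instructions email
    "none"    - nothing due (within 6 months, or already suspended and not
                yet at the 1-year removal point)
    """
    if add_months(acct.last_seen, REMOVE_AFTER_MONTHS) <= today:
        return "remove"
    if acct.status == "active" and add_months(acct.last_seen, SUSPEND_AFTER_MONTHS) < today:
        return "suspend"
    return "none"


def audit(accounts: list[ExternalAccount], today: date) -> dict[str, list[str]]:
    """Group logins by the action due, so administrators can act on each list."""
    plan: dict[str, list[str]] = {"remove": [], "suspend": [], "none": []}
    for acct in accounts:
        plan[retention_action(acct, today)].append(acct.login)
    return plan


# Constructed sample data: hypothetical logins and dates, not real EDA accounts.
REFERENCE_DATE = date(2022, 9, 5)
SAMPLE_ACCOUNTS = [
    ExternalAccount("ext.alice", date(2022, 8, 20)),                     # recent visit
    ExternalAccount("ext.bob", date(2022, 2, 1)),                        # more than 6 months ago
    ExternalAccount("ext.carol", date(2022, 3, 5), status="suspended"),  # already suspended
    ExternalAccount("ext.dave", date(2021, 9, 1), status="suspended"),   # a year ago: remove
    ExternalAccount("ext.erin", date(2021, 6, 30)),                      # never suspended, over a year
    ExternalAccount("ext.frank", date(2022, 3, 5)),                      # exactly 6 months: not yet "more than"
]

if __name__ == "__main__":
    for action, logins in audit(SAMPLE_ACCOUNTS, REFERENCE_DATE).items():
        print(f"{action:8s} {logins}")
```

Because AD EDA-EXT is fed from AppSecStore in one direction only (item 7), the suspensions and removals this audit proposes would have to be applied in AppSecStore rather than edited directly in AD, or the next synchronisation would reverse them.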

10. Recipients of the data
EDA IT System Administrators
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction, accidental loss or alteration, and to prevent all other unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, objection and data portability (where applicable), see the privacy statement.
Additional information is available by following the link to the privacy statement here.