News, events, publications

EDA-DPR-051 - External Visitors Application

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-051 - External Visitors Application
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
External participants' personal data to regular events organized in EDA's premises are stored and retained for organizational, security and safety reasons. Reports with participants are regular extracted from the applications. A history of the participations at meeting organized by EDA is maintained.
8. Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or group of people: - External visitors - Any person who needs to enter EDA premises without a permanent badge Data processed are the following:

  • Personal information (full name, birthday, nationality, country of residence, document ID)
  • Organization (representing country or organisation, function, role, responsibility) - Contact information (email, phone, mobile, fax)
  • Security (security clearance level, date of clearance required) - Others (car license, car brand/model, car colour)
  • History of attended meetings (day, room, meeting title)
9. Time limit for keeping the data
Data are automatically erased from the visitor application after a period of 6 months following the last visit. Reports with participants can be extracted from the applications. A history of the participations at meeting organized by EDA is maintained by IT.
10. Recipients of the data
  • HR/ Security;
  • EDA Assistants;
  • EDA staff responsible for meetings organisation.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Having regards to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Computers are personal, protected by a password. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.