News, events, publications

EDA-DPR-052 - EDA Meetings and Conferences

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-052 - EDA Meetings and Conferences
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
External contractors (e.g. security staff, booking agency or hotel which is hosting the concrete event) may be used to perform certain tasks for the controller. All contractors are contractually obliged to ensure data protection compliance when processing personal data
7. Purpose of the processing
The purpose of this processing activity is the organisation of meetings and conferences, including management of contact lists, invitations, participants lists, distribution of minutes/reports, follow-up actions and networking among participants.
Personal data are collected and retained by EDA in order to facilitate the organisation, conduct and follow-up of these events and to provide participants with information (including name and affiliation of other participants), to record the presence of persons and to communicate conclusions and reports.
EDA regularly organises meetings (e.g. workshops, working groups, conferences etc.) with externals. Meetings may take place in-house, in external locations, via webtools or in a hybrid format and may involve both EDA staff and/or external stakeholders from various backgrounds.
8. Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or group of people:

  • external stakeholders participating in meetings / conferences / working groups/ events held by EDA on EDA premises or elsewhere;
  • EDA staff participating in such meetings.

Data processed are necessary for the organization or management of follow-up to a meeting and can include the following:

  • Identification and contact details such as name, position, entity, nationality,
  • Photographs, audio or video recording or livestreaming in the context of a meeting (opt-in required as per separate consent form);
  • Others, such as dietary requirements, if relevant.
9. Time limit for keeping the data
Personal data are kept only as long as necessary for the purposes of the specific meeting/event. It will be deleted 1 year after the respective meeting, if not needed for network building, setting up databases and follow-up interaction, under specific notified processing operations.
Data other than contact details will be retained for a maximum period of 1 year after the last conference of the series or after the database is no longer necessary for networking as defined under the purposes for the relevant processing operation.
The contact details of participants will be part of a list shared internally amongst EDA staff for the purpose of contacting the participants in the future in the context of subsequent EDA activities related to the meeting/conference. Data subjects can always unsubscribe and ask EDA for their data to be deleted.
10. Recipients of the data

The access to all personal data as well as all information collected in the context of the meeting, and the organisation thereof, is granted to a defined number of users, without prejudice to a possible transmission to the bodies in charge of a monitoring or inspection task in accordance with Union legislation. These users typically are:

  • Organiser of the meeting;
  • EDA staff assigned to the project;
  • Other participants of the meeting;
  • External contractors (if relevant).
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
Such transfers are not envisaged. However, participation in meetings or conferences is in principle open to data subjects from third countries or international organisations which may have limited access to the personal information of other participants displayed in the context of meetings/conferences. Personal data collected from these data subjects will be kept separate, as far as possible.
12. General description of security measures, where possible.
Data will be processed in accordance with the high security standards established by EDA. EDA external contractors are obliged by the respective contract to adopt appropriate technical and organizational security measures having regard to the risks inherent in the processing and to the nature of the personal data concerned.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here