News, events, publications

EDA-DPR-059 - PESCO CWS - AppSecStore

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-059
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The PESCO Common Workspace (CWS) is a web-based tool designed to support participating Member States in sharing information on PESCO Projects and Project Proposals. The Application is restricted to governmental users representing PESCO participating Member States and to governmental authorities representing the PESCO Secretariat. Personal data are processed in order to allow participation and to provide information to the PESCO CWS user community.
8. Description of categories of persons whose data EDA processes and list of data categories

The users are managed through Security Groups in AppSecStore:

  • PESCO CWS Country Administrator
  • PESCO CWS Local Administrator
  • PESCO CWS Publisher PESCO CWS Reader
  • PESCO ECP Austria PESCO ECP Belgium
  • PESCO ECP Bulgaria PESCO ECP Croatia
  • PESCO ECP Cyprus
  • PESCO ECP Czech Republic
  • PESCO ECP Estonia
  • PESCO ECP Finland
  • PESCO ECP France
  • PESCO ECP Germany
  • PESCO ECP Greece
  • PESCO ECP Hungary
  • PESCO ECP Ireland
  • PESCO ECP Italy
  • PESCO ECP Latvia
  • PESCO ECP Lithuania
  • PESCO ECP Luxembourg
  • PESCO ECP Netherlands
  • PESCO ECP Poland
  • PESCO ECP Portugal
  • PESCO ECP Romania
  • PESCO ECP Slovakia
  • PESCO ECP Slovenia
  • PESCO ECP Spain
  • PESCO ECP Sweden

The total number of users is currently 300 and subject to daily change. We process the following data on every person who opens an user account: Name, E-Mail, Phone, Mobile, Address (Street, Postalcode, City), Employer. The data processed are not sensitive personal data in the sense of Article 10 of Regulation 2018/1725.

9. Time limit for keeping the data
Data will be retained for the duration of the specific PESCO project and will be deleted one month after the end of the project. Data might be stored for longer periods if users retain their EDA Account in AppSecStore.
10. Recipients of the data
EDA Administrators of the PESCO CWS (role is managed by the PO CDP & CODABA) have access to all PESCO CPWS user data. All PESCO national PoCs have access to all personal data of other users of their country. All Users of the PESCO CWS have access to contact details (E-Mail Address and Telephone number) of all PESCO national PoCs. All Participants or Observers of a PESCO Project have access to the contact details (E-Mail Address, and if provided Tel.) of the PoCs to this project of the participating or observing Member States. All PESCO CWS users may contact any other PESCO CWS users. By sending a message through the PESCO CWS, the user discloses his/her e-mail address to the other user and may be contacted by this other user through e-mail.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
The measures implemented in the framework of AppSecStore and ECP are applicable also in this case, namely firewalls, checkpoints, antivirus, in order to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.