
EDA-DPR-061 - CDP - AppSecStore

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-061
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The Capability Development Plan (CDP) - Tool is a web-based tool designed to support participating Member States in sharing information on EU Capability Development. The Application is restricted to governmental users representing EDA participating Member States and to governmental authorities representing the EU (EC, EUMS, EUMC). Personal data are processed in order to allow participation and to provide information to the CDP-Tool user community.
8. Description of categories of persons whose data EDA processes and list of data categories
The users are managed through the Security Group CDP Reader in AppSecStore. We process the following data on every person who opens a user account: Name, E-Mail, Phone, Mobile, Address (Street, Postal code, City), Employer. The data processed are not sensitive personal data in the sense of Article 10 of Regulation 2018/1725.
9. Time limit for keeping the data
Data will be retained for the duration of validity of the CDP 2018 and will be deleted once the CDP is revised (expected not earlier than 2020). Data might be stored for longer periods if users retain their EDA Account in AppSecStore.
10. Recipients of the data
EDA Administrators of the CDP-Tool (role is managed by the PO CDP) have access to all CDP user data. All CDP national PoCs have access to all personal data of other users of their country. All users of the CDP-Tool have access to contact details (E-Mail Address and Telephone number) of all CDP national PoCs.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
The measures implemented in the framework of AppSecStore and ECP are applicable also in this case, namely firewalls, checkpoints, antivirus, in order to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to the privacy statement.