EDA-DPR-065 - Administrative investigations

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.

Columns: Nr, Item, Explanation

Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-065 - Administrative investigations
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
Belgium
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

dataprotection@eda.europa.eu

5. Name and contact details of joint controller (where applicable)
N/A
6. Name and contact details of processor (where applicable)
N/A
7. Purpose of the processing
The processing of personal data is necessary in order to establish whether a staff member failed to comply with his or her obligations under the EDA Staff Regulations and, where appropriate, impose a disciplinary penalty in accordance with them.
8. Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or group of people:

The staff member being investigated (present and former staff engaged under contract by the EDA as defined under Article 1.1 of the Staff Regulations), witnesses, third parties (persons merely quoted in the file) and alleged victims (of psychological or sexual harassment for instance).

Data processed are the following:

Title, first name, surname, date of birth and function;
The behaviour, action or inaction of the person subject to an administrative inquiry and/or a disciplinary procedure;
The personal data related to the outcome of the procedure for the person concerned, e.g. penalties, financial liability;
As the case may be, the penalty imposed on the person concerned;
Information regarding third parties (witnesses, informants);
Sensitive data in the meaning of Article 10;
In some cases, the processing of personal data, such as health data or data regarding the civil status of the persons involved in the inquiry, might also be necessary.

9. Time limit for keeping the data

Pre-inquiry file: maximum retention period of two years after the adoption of the decision that no inquiry will be launched. This maximum retention period could be necessary for audit purposes, access requests from affected individuals and complaints to the Ombudsman.

Inquiry file: When the Agency launches an inquiry including the collection of evidence and interviews of individuals, there could be three possibilities: i) the inquiry is closed without follow-up, ii) a caution is issued or iii) the AACC adopts a formal decision that a disciplinary proceeding should be launched. For cases i) and ii), a maximum of five-year-period from closure of the investigation is a necessary retention period, taking into account audit purposes and legal recourses from the affected individuals. For case iii), the Agency transfers the inquiry file to the disciplinary file, as the disciplinary proceeding is launched on the basis of the evidence collected during the administrative inquiry.

Disciplinary file: taking into consideration the nature of the sanction, possible legal recourses as well as audit purposes, the maximum retention period after the adoption of the final Decision is 10 years. No personal data is kept for historical, statistical or scientific purposes. Only aggregated data (e.g. list of open and completed cases) will be used for statistical purposes.

10. Recipients of the data
EDA Chief Executive, Senior Management, Director Corporate Services, Head of Human Resources, appointed Investigators, Legal Advisor/DPO; Disciplinary board, in the event where a disciplinary procedure is opened; Authorised staff of the Human Resources Department, for filing and including the final disciplinary decision in the personal file. OLAF in accordance with Decision 16/04 of 22 February 2016. EDA will ensure, through a case-by-case review, that the transfer of personal data is not automatic but will only take place when and as necessary for the legitimate performance of the tasks under the recipient’s competence. Involvement of staff must be strictly limited on a need-to-know basis and only when necessary for the legitimate performance of tasks covered by the competence of the recipient. Any recipient of the data shall be reminded of their obligation not to use the data received for other purposes than the one for which they were transmitted.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
N/A
12. General description of security measures, where possible.
Personal and disciplinary files are stored in secure cupboards within the Human Resources Unit accessible only to authorised persons. Access to personal and disciplinary files of the staff member concerned is limited to the data subject and to EDA personnel specifically authorised to have access to personal files, i.e. the authorised HR staff, the internal auditor, the members of the College of Auditors and the AACC. The data subject does not have direct access. The personal file and/or disciplinary file is taken out of the secure cupboard by the authorised staff member and handed to the data subject for consultation on the spot. Electronic files will be stored in the shared drive with access restricted to authorised HR persons and the legal adviser. Exchange of emails shall be strictly limited to authorised recipients on a need-to-know basis and treated through confidential emails that contain only strictly relevant data. If sensitive information has to be exchanged with the external partners mentioned among the list of recipients, IT shall provide, upon request, certificates (public/private keys) externally recognised to encrypt and/or sign that information.
13. For more information, including how to exercise your rights of access, rectification, objection and data portability (where applicable), see the privacy statement
Additional information is available in the privacy statement.