News, events, publications


Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-066 - CODABA
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The Collaborative Database (CODABA) is primarily a web based system / operated database for defence inventory, requirements, plans and programmes. It is a non-binding platform for participating Member States’ capability development which allows for improved harmonisation in capability planning of participating Member States. Personal data is processed in order to allow participation and to provide information to the CODABA user community. User registration for an EDA Account according to the form provided at The user is required to enter personal data and information on the organisation the user is belonging to.
8. Description of categories of persons whose data EDA processes and list of data categories
Users of CODABA Users managed through the security groups starting with CODABA in AppSecStore. Data processed are the following: Name, e-mail, phone, mobile, address (street, postal code, city), employer.
9. Time limit for keeping the data
Time for the validity of the user's access to CODABA. The data will be deleted 1 day after the access rights to CODABA are removed. Data might be stored for a longer period if users retain their EDA Account.
10. Recipients of the data
EDA Administrators and EDA Administrative Assistants of CODABA (roles are managed by the PO CDP & CODABA) have access to all CODABA User data. All CODABA Users have access to names and organisations of users who are national PoCs or PoCs to one or more CODABA records.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
Data could be transferred to CH, NO and RS on the basis of the existing administrative arrangements. Additionally data could be transferred to OCCAR on the basis of the respective administrative arrangement.
12. General description of security measures, where possible.
The measures implemented in the framework of AppSecStore and EDA SharePoint are applicable also in this case, namely firewalls, checkpoints, antivirus, in order to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be preserved. Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement

Additional information is available by following the link to privacy statement here.