EDA-DPR-069 - 360 Feedback exercise for managers at EDA

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-069 - 360 Feedback exercise for managers at EDA
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)

The EDA has contracted the company Deloitte Consulting & Advisory BV, Luchthaven Brussel Nationaal 1 J, 1930 Zaventem registered under company number BE 0474.429.572 (hereafter referred to as “Deloitte”) to carry out the 360° feedback exercise.

The processor Deloitte uses a sub-processor, Medallia, a survey platform provider, for the data hosting and launch of the feedback surveys.

The processor and sub-processor are located in Europe.

7. Purpose of the processing

The 360° feedback exercise is a professional developmental tool for EDA managers.

The purpose of the processing is to allow managers (reviewees) participating in the exercise to obtain feedback on their management and leadership skills from a number of respondents (assessors) through an online survey, with a view to increasing evaluated managers’ awareness of their strengths and of areas that could be further developed.

To allow participants and respondents to reply to an online survey and to compile the results in one single report, the Human Resources Unit of EDA has to:

a) identify the potential participants and respondents; and

b) transmit this information to Deloitte who will conduct the survey on a dedicated external website managed by Medallia and compile the information in a report.

Participating reviewees are middle and senior managers of the Agency.

Respondents are identified by EDA’s Human Resources Unit on the basis of their assignments within the EDA, and more specifically: hierarchical superior(s), peers within the EDA, direct reports of the participating manager. Internal stakeholders, i.e. EDA staff members with whom the participating reviewee collaborates regularly or more closely, are nominated by the participating reviewee; they all constitute the group of respondents.

Personal data are not used for automated decision-making, including profiling.

The results of the exercise are compiled in:

  • an aggregated organisational report to the Human Resources Unit with anonymous results of questionnaire answers; open comments are reproduced verbatim
  • an individual report to each reviewee which is the basis for a series of confidential discussions between the participating manager (reviewee) and a human resources expert from Deloitte as a starting point for further professional development. It is at the reviewee’s discretion to share the outcomes with their line manager or other stakeholders.

The data will not be used in any form of evaluation (appraisal) process of any of the persons involved.

The legal bases of the procedure are EDA Staff Regulations (Article 30(1)), EDA learning and development framework and EDA Internal Control Standards.

8. Description of categories of persons whose data EDA processes and list of data categories

Subjects participating in the 360° Feedback Programme are considered as data subjects:

• The participating manager (Director, Deputy Directors and Heads of Unit);

• The hierarchical superior(s) of the participating manager;

• Peers of the participating manager;

• Subordinates of the participating manager;

• Internal stakeholders (e.g. EDA staff members who cooperate regularly and/or closely with the manager concerned).

Data processed are the following:

Data relating to the participating manager: name, email address, directorate/unit, managers’ job descriptions.

Data relating to the respondents: name, email address, category of respondents (manager of reviewee, peer, team member, internal stakeholder)

9. Time limit for keeping the data

Personal data collected for this processing operation is retained only as long as necessary for the EDA (name, category of respondent (peer, etc.) and e-mail address) and as long as participants pursue follow-up actions in relation to the 360° Feedback Programme or until the next time the manager participates in the 360° Feedback Programme within a maximum of three years.

The processor and sub-processor will delete the data they hold for the purposes of this processing operation at the controller’s request to delete the data, once the exercise is concluded. Otherwise, the retention period by the processor and sub-processor will be 10 years.

EDA, as controller, may retain anonymous data for statistical purposes. EDA pays particular attention to preserve anonymity of personal data for these purposes, especially to all the measures necessary to avoid indirect identification.

10. Recipients of the data

The controller (HR Unit - staff in charge of learning & development activities) will have access to the data referred to under point 8.

In addition, the processor (Deloitte) and sub-processor (Medallia) will have access to the data referred to under point 8 and to respondents’ replies to the questions as set out in the questionnaire sent to reviewees and assessors.

Lastly, data subjects (reviewees) will have access to their own individual report with the anonymous aggregated results per competency cluster, per competency and per respondent group, including a graph with the overall score per competency; all answers to the open questions, reproduced verbatim; an overview of three competencies which would most benefit from further development.

The full report and detailed findings are discussed between the external consultant and the reviewee during the debriefing session and the coaching session. The report is not shared with the manager of the reviewee (participating manager). The report belongs exclusively to the participant and only the participant can decide to share it with others.

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, etc.). Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. The processor has a national and global Information security control framework, which serves as the standard for data protection. The processor team handling the data on behalf of EDA commits to respect the principles laid out in that internal data protection policy. Deloitte Belgium's Security & Privacy office is responsible for bringing about the necessary mechanisms for compliance with relevant Data Protection rules.

All documents are transferred via a secure solution that allows for sending and receiving documents in a protected environment. Medallia, the sub-processor, hosts the online survey platform in multiple data centres in different EU locations. All data is stored in highly secure Class A data centres located within the EU that undergo regular security audits. Data is encrypted at multiple levels (storage (3 layered encryption), field-level, on the wire, and for file transfer). In addition, all data is synchronized in real time between data centres, with multiple copies on multiple servers and hard drives, making data loss impossible. European Deloitte Member Firms keep their Medallia data within Europe where no account data is ever transferred between regions. The Medallia platform is secured with 128-bit SSL certificates that guarantee a very high level of encryption and security. The use of SSL ensures that all data exchanged between browser and server is encrypted. Deloitte has audited Medallia and found it to be the best system assessed so far in terms of privacy, confidentiality, and security.

13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement

Data subjects will receive, when invited to answer the questionnaire, a link to the applicable privacy statement.

Additional information is available by following the link to privacy statement here.