Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-070 - EMAPSIX
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The purpose of this processing operation is to provide external users with access to the EDA platform specified above. EMAPSIX Identity Server uses a database for storing authentication data. It is used to process login requests from users. It provides each legitimate user with valid credentials to the EMAPSIX AD Repository. User data from the EMAPSIX Identity Server is synchronized with the EMAPSIX Airworthiness Directive Repository. Within the EMAPSIX AD Repository, user data is stored together with information about the user's organisation and roles to determine their eligibility to access the data provided by any Organisations of EDA pMS and third parties within the application. The relation between User data, User organisation and their roles is subject to accreditation and validation by Organisation Moderators. Organisation Moderators get data only from Data Subjects that declared these organisations as their User Organisations.
8. Description of categories of persons whose data EDA processes and list of data categories

Individuals representing any public or private Organisation with justifiable interest in accessing military airworthiness data shared by EDA Member States. Data processed are the following:

1. First name and surname, nationality

2. Email

3. Nationality

4. Employer

9. Time limit for keeping the data
Data will be kept as long as the data subject needs to access EMAPSIX AD Repository. Inactive members will be deleted once every 12 months.
10. Recipients of the data

• EDA Project Officers

• EDA IT Unit Application Moderators

• Organisation Moderators

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all other unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.