News, events, publications

EDA-DPR-072 - EDA website

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-072 - EDA website
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The purpose of the processing operation is to provide information to the public, to keep stakeholders informed of the activities of the European Defence Agency and to allow participation, serving the principle of public information and transparency. Personal data is processed in order to send e-news and postal sending of hard-copy EDA magazines and to allow registration for conferences and forums for data subjects interested in EDA activities.
8. Description of categories of persons whose data EDA processes and list of data categories
Data processed are the following: - personal data provided by the data subject on a voluntary basis (e.g. name, function, contact details) - personal data contained in publications on the website on EDA activities (e.g. name, photo, contact details) No sensitive data in the sense of Article 10 of Regulation 2018/1725 is involved in this processing.
9. Time limit for keeping the data
Data will be kept as long as needed to serve the purpose for which they have been gathered or until the data subject indicates that he/she wants the data to be removed. If not needed anymore, the data will be deleted within 6 months.
10. Recipients of the data
The internal recipients of the data are the Media and Communication Unit, IT Unit and other Units involved in a specific project or conference. The information will not be communicated to third parties unless necessary for the purpose outlined above.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.