EDA-DPR-073 - Azure Active Directory

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record: 05-09-2022
2. Reference number: EDA-DPR-073 - Azure Active Directory
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
SoftwareOne, AG, Riedenmatt 4, CH-6370 Stans, Switzerland (only intermediate, does not process personal data)
Microsoft Ireland Operations Limited, One Microsoft Place, South County Industrial Park, Leopardstown, Dublin 18, D18 P521
7. Purpose of the processing
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory, and identity management service that combines core directory services, application access management, and identity protection into a single solution. Azure AD also offers a rich, standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules.
8. Description of categories of persons whose data EDA processes and list of data categories
All current EDA personnel who need access to EDA IT resources in order to perform their contractual duties within EDA premises and via remote access. Electronic data on official business contact details: first name, last name, email, telephone number, title, unit, company and office number. In addition, their credentials to access EDA resources.
9. Time limit for keeping the data
The user account is deactivated as soon as the personnel member’s contract is terminated, and the data is erased no later than 30 days after the employee’s departure from the agency. At all times during the term of Customer’s subscription, Customer will have the ability to access and extract Customer Data stored in each Online Service. Microsoft will retain Customer Data stored in the Online Service in a limited function account for 90 days after expiration or termination of Customer’s subscription so that Customer may extract the data. After the 90-day retention period ends, Microsoft will disable Customer’s account and delete the Customer Data.
10. Recipients of the data
Azure Active Directory data is accessible to all current EDA personnel via the Microsoft Azure portal.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
EDA has implemented appropriate technical and organizational measures (firewall, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorized disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to the privacy statement.