EDA-DPR-076 - SYSPER for EDA staff

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-76 - SYSPER for EDA staff
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
Belgium
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

dataprotection@eda.europa.eu

5. Name and contact details of joint controller (where applicable)
N/A
6. Name and contact details of processor (where applicable)
European Commission, due to its ownership of the system where the data are stored and secured.
7. Purpose of the processing

EDA uses SYSPER, the HRM IT tool owned and managed by the European Commission, to support the management of the main HR administration processes and to ensure that personal data is kept accurate, traceable and rapidly retrievable. SYSPER has different basic and optional modules. EDA currently uses the following basic set of modules:

  • Identity Management module: "Identity Management" (COMREF/RETO),
  • Organisation Management modules: "Organisation Chart" and "Job Quota Management",
  • Personal Data Management modules: "Employee Personal Data" and "Address Declaration",
  • Talent Management modules: "Career Management",
  • Time Management modules: basic "Time Management", including basic work patterns, leave rights, absences,
  • Document management module: "Generation of Certificates";
  • NDP (Numérisation des Dossiers Personnels) module: EDA staff's personal files.
8. Description of categories of persons whose data EDA processes and list of data categories

The data subjects are EDA postholders and their family members, where relevant. This includes temporary agents, contract agents, seconded national experts, trainees, interims, and former staff members (since certain data need to be retained for a longer period if they relate to subsisting rights and obligations, e.g. orphan’s allowance). Within the different SYSPER basic modules, the following types of personal data are processed for the above-mentioned purposes:

  • Surname, first name, personnel number, gender, nationality, address, telephone number, place of origin;
  • Date of birth, marital status, officially recognised registered partnership, identity and date of birth of spouse or partner, identity and date of birth of dependent children and date of adoption if relevant;
  • EDA Unit to which the jobholder is assigned, category, grade, status, duration of contract, years of service, unique payroll number (NUP), administrative status and career;
  • Information on medical fitness (only administrative data);
  • Information on absences: sick leave (with or without a medical certificate), special leave, annual leave, parental and family leave, and the results of calculations, particularly regarding the balance of entitlements (balance of absences, leave, parental and family leave entitlement, time credits purchased). In case of absences for health reasons (absences with or without medical certificate) and in case of special leave, SYSPER does not process medical data of the EDA staff member or his/her family members, just administrative data related to the nature of the absence;
  • Decisions on invalidity (only administrative data);
  • Decisions relating to outside and to post-employment activities.
9. Time limit for keeping the data
The retention takes place within the SYSPER system. Personal files are kept for 8 years after the extinction of all rights of the person concerned and of any dependents, and no less than 20 years after the recruitment of the staff member.
10. Recipients of the data

Access to the data is provided on a strict need-to-know basis, depending on the function and responsibility of each user. In addition, access rights may be adjusted to cover specific parts of the data. The following user groups have been identified as having access rights:

  • All jobholders in relation to their own data;
  • The EDA HR team;
  • The AACC and managers with roles in respective workflows, as well as staff to whom such roles have been delegated. Not all of the users have the same access rights to personal data. The profile of each user (function and responsibility) determines their need and entitlement to access specific sets of data in SYSPER.
  • Commission services in relation to their specific field of competence. This relates in particular to PMO that falls under the Directorate General of Human Resources (DG HR) and with whom EDA has a Service-Level Agreement;
  • External contractors that may be working on the maintenance of the IT infrastructure linked to SYSPER;
  • Belgian authorities in the context of processing access to the "digital key" for staff and family members holding a special ID card;
  • Upon request, if relevant for the handling of files: European Court of Justice, European Ombudsman, European Data Protection Supervisor, European Anti-Fraud Office (OLAF), Internal Auditor, EDA College of Auditors.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
N/A
12. General description of security measures, where possible.

SYSPER is an IT application that employs a series of horizontal, generic components to support all business functions in a uniform and consistent manner. This is particularly important in key areas such as:

  • Security (SYSPER allows for the definition – and the enforcement – of a coherent, transparent and easy security policy via configuration)
  • Actors (SYSPER uses information in the organisational hierarchy and jobs defined therein, in order to automatically determine who needs to do what at each step of the administrative procedures)
  • Workflows and notifications (SYSPER uses common workflow and notification engines to define and execute the various workflow steps and to deliver required notifications, depending on configurable conditions).

A Security Convention has been agreed with the Commission and covers key aspects of security such as the security of the facilities and of the EDA network. Annex 1 of the Convention sets out EDA physical security measures, while Annexes 2 and 3 of the Convention set out EDA network and IT security measures. For information, the present notification lists the requirements of the Convention but cannot disclose the technical measures. Some of the aspects of Annex 1 are:

  • Access control measures
  • Monitoring activity with logging and reporting on physical access
  • Physical security measures for outside working hours
  • Specific organisational measures regarding physical protection […]

Some of the aspects of Annexes 2 and 3 are:

  • Information security management
  • Information security audit/assessments or penetration tests
  • Alerts and/or regular reports
  • Hardening applied to the devices
  • Policy/security operating procedures defined, and network access control infrastructure and mechanisms (e.g. external/internal firewall, gateway, router, IDS/IPS, etc.) implemented on the perimeter of the corporate network.

Having regard to the state of the art and the cost of their implementation, the controller has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected (restricted access, logs, etc.). Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing.
13. For more information, including how to exercise your rights of access, rectification, objection and data portability (where applicable), see the privacy statement.
Additional information is available in the privacy statement for this processing operation.