EDA-DPR-079 - EDA electronic signature GlobalSign

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in an EUI.
Nr. | Item | Explanation

Header - versioning and reference numbers (recommendation: publicly available)

1. Last update of this record: 05-09-2022
2. Reference number: EDA-DPR-079 - EDA electronic signature GlobalSign

Part 1 - Article 31 record (recommendation: publicly available)

3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
Belgium
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

dataprotection@eda.europa.eu

5. Name and contact details of joint controller (where applicable)
N/A
6. Name and contact details of processor (where applicable)
EDA as the controller has contracted: 1. NTT Belgium NV/SA (group leader) as a Processor; 2. GlobalSign as a Sub-Processor, using further third-party services as documented under https://www.globalsign.com/en/repository/GlobalSign-Subprocessors.pdf. The processing takes place in the context of the EU Framework Contract (FWC) No DI/07890 launched by DG DIGIT (also on behalf of EDA) and signed by the latter with the NPX group of economic operators. The group is a reseller of the GlobalSign IT products/licences. The FWC details the respective roles and responsibilities on data protection under Articles I.9 and II.9. The contractor and sub-contractors must comply with the data protection obligations resulting from Regulation (EU) 2016/679 and Regulation (EU) 2018/1725.
7. Purpose of the processing
For the purpose of providing the Authorising Officer and his/her delegates with the option of signing electronically, EDA uses the electronic signature services of GlobalSign, purchased under the EU Framework Contract Natacha IV No DI/07890 concluded with the NPX group of economic operators, where NTT Belgium NV/SA is group leader. The EDA Contractor NTT Belgium is a reseller of the e-certificate licences/products provided by GlobalSign.
8. Description of categories of persons whose data EDA processes and list of data categories

The EDA data subjects concerned are:

  • Chief Executive (as the Authorising Officer)
  • Authorising Officers by Delegation, as required.

Categories of personal data processed:

  • Given name(s) (as mentioned in an official ID)
  • Surname (as mentioned on the official ID)
  • Date of Birth
  • Residential address: Street address and postcode
  • Residential address: City, State/Province, Country
  • Financial document (picture of a debit card if possible or a credit card)
9. Time limit for keeping the data
Within EDA: Data required for the initial stage of identity verification will be deleted once that stage is finalised. The FWC, in its Article II.9.2 in conjunction with Article II.22.2, provides for a maximum retention period of five years starting from the payment of the balance of the last specific contract issued under this FWC. GlobalSign, as per section 9 of the GlobalSign Privacy Policy (https://www.globalsign.com/en/repository/GlobalSign-Privacy-Policy.pdf), refers to the Certification Practice Statement GlobalSign_CPS_v9.8_final.pdf (https://www.globalsign.com/en/repository/GlobalSign_CPS_v9.8_final.pdf), which under its section 5.5.2 stipulates an archive retention period of 10 years for documentation relating to certificate requests and their verification, counted from the moment any Certificate based on that documentation ceases to be valid, unless specified otherwise in an agreement with GlobalSign.
10. Recipients of the data

Within EDA:

  • Procurement and contracting unit
  • IT unit
  • Other staff (DPO, legal advisor, auditor, etc.) as required.
  • External lawyer acting as a Third Party Validator to certify the identity of the data subjects concerned at the initiation of the processing activity.

Within GlobalSign: as outlined in section 7 of the GlobalSign Privacy Policy (https://www.globalsign.com/en/repository/GlobalSign-Privacy-Policy.pdf).

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
As per Article I.9.2 (d) of the FWC, personal data shall only be processed within and held in data centres located within the territory of the European Union and the European Economic Area and will not leave that territory. In addition:

  • Access to data may be given, on a need-to-know basis, only to authorised persons established in a country which has been recognised by the European Commission as providing adequate protection;
  • the contractor may not change the location of data processing without the prior written authorisation of the contracting authority;
  • in case of an authorised transfer of personal data under the FWC to third countries or international organisations, such transfer shall fully comply with the requirements laid down in Chapter V of Regulation (EU) 2018/1725.

GlobalSign does not entirely exclude the transfer of personal data outside of the EU/EEA, for example in the case of a request outside of EU working hours that would thus need to be handled by one of its offices in a different time zone. GlobalSign takes measures to ensure that personal information receives an adequate level of protection by only transferring personal information to countries that have received an adequacy decision, or by entering into standard contractual clauses (ref. section 8 of the GlobalSign Privacy Policy).
12. General description of security measures, where possible.
EDA stores only the data required for the vetting procedure, which will be deleted once the initial stage of identity verification is finalised. EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent all other unlawful forms of processing. GlobalSign's security measures are laid down in section 12 of the GlobalSign Privacy Policy.
13. For more information, including how to exercise your rights to access, rectification, objection and data portability (where applicable), see the privacy statement.
Additional information is available by following the link to the privacy statement here.