News, events, publications

EDA-DPR-079 - EDA electronic signature GlobalSign

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-079 - EDA electronic signature GlobalSign
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
EDA as the controller has contracted: 1. NTT Belgium NV/SA (group leader) as a Processor, 2. GlobalSign as a Sub-Processor, using further third party services as documented under -; The processing takes place in the context of the EU Framework Contract (FWC) No DI/07890 launched by DG DIGIT (also on behalf of EDA) and signed by the latter with the NPX group of economic operators. The group is reseller of the GlobalSign IT product/licences. The FWC details the respective roles and responsibilities on data protection under Articles I.9 and II.9. Contractor and sub-contractors must comply with data protection obligations resulting from Regulation (EU) 2016/67912 and Regulation (EU) 2018/1725.
7. Purpose of the processing
For the purpose of providing the Authorising Officer and his/her delegates with the option of signing electronically, EDA uses the electronic signature services of GlobalSign, purchased under the EU Framework Contract Natacha IV No DI/07890 concluded with NPX group of economic operators, where NTT Belgium NV/SA is group leader. The EDA Contractor NTT Belgium is a reseller of the e-certificates licences/products provided by GlobalSign.
8. Description of categories of persons whose data EDA processes and list of data categories

EDA data subjects concerned are

  • Chief Executive (as the Authorising Officer)
  • Authorising Officers by Delegation, as required.

Categories of personal data processed:

  • Given name(s) (as mentioned in an official ID)
  • Surname (as mentioned on the official ID)
  • Date of Birth
  • Residential address: Street address and postcode
  • Residential address: City, State/Province, Country 
  • Financial document (picture of a debit card if possible or a credit card)
9. Time limit for keeping the data
Within EDA: Data required for the initial stage of identity verification will be deleted once finalised. The FWC in its Article II.9.2 in conjunction with Article II.22.2 provides for a maximum retention period of five years starting from the payment of the balance of the last specific contract issued under this FWC. GlobalSign as per section 9 of GlobalSign Privacy Policy ( to the Certification Practice Statement GlobalSign_CPS_v9.8_final.pdf ( which under its section 5.5.2 stipulates an archive retention period of 10 years after any Certificate based on documentation relating to certificate requests and the verification thereof ceases to be valid, unless specified otherwise in an agreement with GlobalSign.
10. Recipients of the data

Within EDA:

  • Procurement and contracting unit
  • IT unit
  • Other staff (DPO, legal advisor, auditor etc) as required.
  • External lawyer acting as a Third Party Validator to certify the identify of the data subjects concerned at the initiation of the processing activity.

Within GlobalSign as outlined in section 7 of GlobalSign Privacy Policy (

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
As per Article I.9.2 (d) of the FWC personal data shall only be processed within and held in data centres located within the territory of the European Union and the European Economic Area and will not leave that territory. - Access to data may be given on a need to know basis only to authorised persons established in a country which has been recognised by the European Commission as providing adequate protection; - the contractor may not change the location of data processing without the prior written authorisation of the contracting authority; - in case of an authorised transfer of personal data under the FWC to third countries or international organisations, such transfer shall fully comply with the requirements laid down in Chapter V of Regulation (EU) 2018/17256 . GlobalSign does not entirely exclude the transfer of personal data outside of the EU/EEA, for example in the case of a request outside of EU working hours that would thus need to be handled by one of the offices in a different time zone. GlobalSign takes measures to ensure that personal information receives an adequate level of protection by only transferring personal information to countries that have received an adequacy decision, or by entering into standard contractual clauses (ref. section 8 of the GlobalSign Privacy Policy).
12. General description of security measures, where possible.
EDA stores only the data required for the vetting procedure which will be deleted once the initial stage of identity verification is finalised. EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing. GlobalSign’s security measures are laid down in section 12 of GlobalSign Privacy Policy.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.