News, events, publications

EDA-DPR-081 - Identity and Access Management (IAM) system

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-081 - Identity and Access Management (IAM) system
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)

Microsoft Ireland Operations Limited Microsoft EU Data Protection Officer One Microsoft Place South County Business Park Leopardstown Dublin 18 D18 P521 Ireland A list of Microsoft’s current sub-processors is available at 

7. Purpose of the processing
The European Defence Agency (EDA) processes personal data to allow users (both internal and external) to access and use communication & collaboration functionalities of Microsoft 365 when performing Agency tasks, including: communication and collaboration using Microsoft Teams; collaboration on documents using Microsoft SharePoint Online; use of integrated Office 365 functionality within these tools; use of EDA Web Applications.
8. Description of categories of persons whose data EDA processes and list of data categories

The EDA IAM system provides a “log-on” dialogue for registered users (see EDA DPO-49 – AppSecStore for details).

Categories of persons whose personal data is collected:

  • EDA staff (internal users), and
  • External users who are invited to collaborate on various EDA resources.


Categories of personal data collected:

  1. Identification data is the user’s email address (as depicted by the user’s organisation).
  2. Service generated data contains information related to the usage of online services, which are the user IP address, creation time, site URL and user email address.
9. Time limit for keeping the data

Identification data (i.e., user email address):

  • for as long as the user account is active, and
  • 90 days after deletion of the guest user account.

Service generated data:

  • Until the business purposes for which the data was collected or transferred have been fulfilled.
10. Recipients of the data

Information collected by the IT Unit administrators may, where necessary, be transmitted to the bodies in charge of monitoring or inspection tasks in accordance with European Union legislation.

Shared workspaces: the name and surname are visible to those people who are in the same workgroup.

No personal data are transmitted to parties outside the scope mentioned herein, and neither Microsoft nor EDA share personal data with any other third party for any other purpose (e.g., direct marketing).

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
Data transfers to third countries (see list of sub‐processors under section 6)2 may occur but strictly limited to technical support provided by Microsoft. It concerns only minimal data necessary to implement external authentication to EDA applications and workspaces, and exceptional technical support cases in which EDA decides to grant access by Microsoft to specific data required to solve a problem.
12. General description of security measures, where possible.
EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement
Additional information is available by following the link to privacy statement here.