News, events, publications

EDA-DPR-082 - EDA Postal Mail Management

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 22-10-2024
2. Reference number EDA-DPR-082 - EDA Postal Mail Management
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
Belgium
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

dataprotection@eda.europa.eu

5. Name and contact details of joint controller (where applicable)
N/A
6. Name and contact details of processor (where applicable)

Regarding outgoing mail, the data is processed via a commercial courier, i.e. DHL Postal Services; DHL Postal Services process personal data to send and distribute the postal mail on behalf of EDA.

Full Official name: DHL International Official legal form: Limited Liability Company Statutory

Registration Number or ID or Passport Number: BE0406.796.224

Country of Registration: Belgium

Full Official address: Woluwelaan 151, 1831 Diegem, Belgium

V.A.T. Registration Number: BE0406.796.224

Forename, Surname and position of legal representative: Tim Claessens

Contact person: Jos Derekx Position: Key Account Manager

E-mail address for correspondence: jos.derekx@dhl.com

Telephone number: +32 475 68 19 62

7. Purpose of the processing
The purpose of this activity is to describe the process of personal data used in the context of the EDA system for the management of postal mail as well as ensuring a clear workflow and the appropriate follow-up of formal correspondence in a systematic manner. Regarding incoming mail, the relevant personal data is registered and collected in the EDA Incoming Mail Register (SharePoint based). Outgoing official mail is registered in EDA Records Center and it is subsequently sent out via commercial courier (DHL Postal Services)
8. Description of categories of persons whose data EDA processes and list of data categories

Applicable to EDA Internal staff members and externals

Categories of data subjects

  • Sender
  • Addressee/ Receiver
  • Staff member in charge of following up the correspondence

List of data categories registered in the Incoming Mail Tool:

  • Reference Code, i.e. EDA internal reference number assigned to each mail;
  • Receipt Date;
  • Registration Date;
  • Certified letter (if applicable);
  • Name of Receiver;
  • Name of Sender;
  • Directorate/ Unit;

 

9. Time limit for keeping the data

Personal data are stored within RMO archives and will be retained only for the time needed to perform the task for which they were collected or processed, and in any case no longer than 1 year.

10. Recipients of the data
  • Records Management Office (RMO)
  • INFRA team (replaces RMO when applicable)
  • Security guards
  • Assistants of directorates
  • Other EDA functions and competent entities on a need-to-know basis (e.g. Internal Auditor, supervisory authorities etc.)
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?

N/A; unless the receiver of an outgoing mail is based outside of the EEA. The use of postal mail services internationally requires the transfer of limited personal data in accordance with the applicable regulatory framework and contractual agreements.

12. General description of security measures, where possible.

Personal data is stored electronically in a designated Incoming Mail Register, maintained through the Microsoft SharePoint application. The access is restricted to the Records Management Office and INFRA team, who works as a replacement.

EDA external contractors (e.g. Security guards) are obliged by the respective contract to adopt appropriate technical and organisational security measures having regard to the risks inherent in the processing and to the nature of the personal data concerned.

EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken to prevent any unauthorised disclosure or access, accidental or unlawful destruction, accidental loss or alteration, and to prevent all others unlawful forms of processing.

13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement

Additional information is available by following the link to privacy statement here.