News, events, publications

EDA-DPR-082 - EDA Postal Mail Management

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 05-09-2022
2. Reference number EDA-DPR-082 - EDA Postal Mail Management
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
For outgoing mail the data is processed via DHL postal services as they are processing personal data to send the postal mail on EDA behalf. Full Official name: DHL International Official legal form: Limited Liability Company Statutory registration number or ID or passport number: BE0406.796.224 Country of registration: Belgium Full Official address: Woluwelaan 151, 1831 Diegem, Belgium V.A.T. Registration number: BE0406.796.224 Forename, surname and position of legal representative: Tim Claessens Contact person: Jos Derekx Position: Key Account Manager E-mail address for correspondence: Telephone: +32 475 68 19 62
7. Purpose of the processing
The purpose of this processing activity is to describe the treatment of personal data used in the context of the EDA system for handling of postal mail at EDA as well as ensuring a clear workflow and the appropriate follow-up of formal correspondence in a systematic manner. Regarding incoming mail, the relevant personal data are collected in the EDA Postal Mail Register (excel table). Outgoing mail is registered in EDA Record Centres and then sent via DHL postal services.
8. Description of categories of persons whose data EDA processes and list of data categories

Applicable to the following: internal staff members and externals:

  • Sender - Addressee
  • Staff member in charge of following up.

List of personal data categories included in the register:

  • Name
  • Address
  • Email address (where applicable)
  • Reference Code (internal reference assigned to each mail after registration)
9. Time limit for keeping the data
Personal data are stored within RMO archives and will be retained only for the time needed to perform the task for which they were collected or processed, in any case no longer than 2 years.
10. Recipients of the data
  • The security guards
  • The mail handler
  • INFRA team (the mail handler backup)
  • Records Management Office
  • Assistants
  • Others on a need-to-know basis (e.g. DPO, Legal Office, Internal Auditor, supervisory authorities etc.)
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
N/A, unless sender of incoming mail or addressee of outgoing mail is based outside of the EEA. The use of postal mail services internationally requires the transfer of limited personal data in accordance with the applicable regulatory framework and contractual agreements while the content is protected by the legal principle of privacy of correspondence.
12. General description of security measures, where possible.
Personal data are stored in electronic format in RMO files. The access is restricted and only the Mail Handler, INFRA and RMO can access, as relevant. EDA external contractors (e.g. Security guards) are obliged by the respective contract to adopt appropriate technical and organisational security measures having regard to the risks inherent in the processing and to the nature of the personal data concerned. EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken to prevent any unauthorised disclosure or access, accidental or unlawful destruction, accidental loss or alteration, and to prevent all others unlawful forms of processing.
13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement

Additional information is available by following the link to privacy statement here.