News, events, publications

EDA-DPR-084 - EDA Corporate Business Card

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1.Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2.Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI. By way of example, column 3 contains a hypothetical record on badges and physical access control in a EUI.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record 12-03-2025
2. Reference number EDA-DPR-084 - EDA Corporate Business Card
part 1 - article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
Belgium
4. Name and contact details of DPO

Head of the Legal Office, Legal Advisor / Data Protection Mr Pedro ROSA PLAZA

dataprotection@eda.europa.eu

5. Name and contact details of joint controller (where applicable)
N/A
6. Name and contact details of processor (where applicable)

EU-Turn SRL
Rue Charles Legrelle 17,
1040 Brussels, Belgium

7. Purpose of the processing
The purpose of this processing operation is to issue Business Cards for EDA staff members and SNEs. Business cards are necessary for facilitating professional contacts with external stakeholders.
To issue the Business Cards, EDA collects the personal data that are necessary and transmits those to the designated external provider, who acts as data Processor, for design and printing services.
8. Description of categories of persons whose data EDA processes and list of data categories

Categories of persons:
EDA staff members and EDA SNEs.

Categories of personal data processed:
· Surname, First Name
· Title/Position
· Unit/Directorate
· Corporate phone / GSM number
· Corporate email address
· Corporate Address

9. Time limit for keeping the data
Personal data processed for issuing Business Cards will be stored by the Infrastructure Officer for a maximum of 6 months after the cards have been issued.
The processor is instructed to delete the personal data 6 months after the delivery and payment of the services. EDA may retain anonymous data for statistical purposes.
10. Recipients of the data
The EDA Infrastructure Office for collecting the data and submitting the design and printing orders to the processor.
The designated external provider, acting as data Processor, for designing and printing.
11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
N/A. Personal data are processed in EU.
12. General description of security measures, where possible.

Data is stored and processed through the Microsoft SharePoint online environment, where authorized user are able to access the information. Any changes or deletion of the information can be tracked using the version history capabilities of SharePoint Online and activity audit logs from Microsoft Purview.

EDA has implemented appropriate technical and organisational measures (firewalls, checkpoints, antivirus) to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. Such measures have been taken in particular to prevent any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and to prevent all others unlawful forms of processing.

13. For more information, including how to exercise your rights to access, rectification, object and data portability (where applicable), see the privacy statement

Data subjects can exercise the rights awarded to them by the Regulation (EU) 2018/1725. Data subjects have the right to request access to their personal data, the right to rectify any inaccurate or incomplete personal data, the right to request the deletion of their personal data, the right to request restriction of the processing of their personal data and the right to object to the processing.

Data subject requests will be handled within one month of receipt of the request and in accordance with Article 14(3) of the Regulation (EU) 2018/1725. If the data subject has any queries concerning the processing of his/her personal data, s/he may address them to the data controller at: infrastructure@eda.europa.eu, or to the data protection officer at: dataprotection@eda.europa.eu. Data subjects have the right to recourse to the EDPS.

Privacy Statement addressed to data subjects can be found here.