Meeting minutes
Agenda: https://
Where do Safeguards, Adequacy Decisions, Transfer mechanisms, etc. fit into DPV?
paulR: as a DPO, these concepts sit aside other considerations and obligations when defining/representing information about personal data handling
davidH: for SCCs, they refer to data exporter and importer as concepts, which may be controllers or processors - so these have to be fit in with DPV
davidH: three ways to 'legitimise transfers' - derogations under 49, safeguards under 46, or adequacy decision under 45
davidH: EDPB uses the term 'transfer tools' instead of 'safeguards' to refer to these measures
https://
markL: what is the relationship between data importer/exporter and controllers/processors?
davidH: (shared screen) items in Art. 45, 46, and 49
proposal - do we model something like `hasTransferTool` and let it point at organisational measures?
example - a controller may have a server in the EU and one outside the EU, and transferring data between the two does not need a legal basis from Art. 6 and 9, but only from 45, 46, and 49
proposal - we use 45 and 49 as legal basis, and 46 is also used as legal basis with corresponding concepts in tech & org measures
we need to model concepts from here regardless of concepts used as legal bases; for example code of conduct and certification mechanisms - which exist in tech & org measures; and BCRs, SCCs, adequacy decisions which don't exist as concepts
Consensus on today's meeting
markL: consensus on legal bases for transfer, not to be confused between Art. 6 and Art. 9 legal bases
paulR: art.45 and art.49 as legal bases, and art.46 in tech & org measures
davidH: cautious about art.46; legal bases must include 45, 46, and 49
markL: reservations about these as they are only technical measures
Next meeting
We meet next week, JUL-14 13:00 WEST / 14:00 CEST
We will discuss purpose vocabulary refinement
Refer to https://