W3C

– DRAFT –
DPVCG Meeting Call

22 SEP 2021

Attendees

Present
:, beatriz, davidH, georgK, harsh, ranaS
Regrets
-
Chair
harsh
Scribe
harsh

Meeting minutes

Concepts for Data Transfers

term - Art45-Adequacy ; we have 45-3 in DPV-GDPR as a legal basis

davidH: when working with adequacy decisions, the country of data transfer is mentioned and whether the country has adequacy

georgK: the specific adequacy decision is also referenced

harsh: so if we create instances of specific adequacy decisions (e.g. for South Korea), then use the decision itself as IRI or link to document, and use annotations to specify country either as string or ISO code

term - Art46 - related to transfer tools

david: A46 provides use of 'safeguards' which include BCR, SCCs, others

david: unclear whether safeguards are techorg measures

proposal - OrgMeasure -> Safeguard -> DataTranferSafeguard

We're unclear where SCCs fit in GDPR. They are a form of contract, but not clear whether they are called SCC globally

We can model them in DPV-GDPR, but specifying SCC as a type of DataTransferSafeguard and a Contract and an implementation A46 legal basis

term - A46 Binding Corporate Rules

davidH: they are essentially contracts, so could be modelled similar to SCC

georgK: BCR are defined in A4.20

We're unclear whether BCR, like SCC, have a global use as a concept. So we model them in the same way as SCC.

term - A46.2 clauses

A46.2a can be any legal instrument, so we leave as is

A46.2b is BCR

A46.2c and 2d are SCC approved by commission but 2d are by supervisory authority

Separate concepts for 2c and 2d

A46.2e is a code of conduct with additional requirements - complex to model. We have a CoC in techorg measure, but this is not sufficient to merely subclass. More research needed.

A46.2f has certification mechanism with additional requirements - also complex to model. More research needed.

A46.3a contractual clauses - subclass of contract

A46.3b - leave as is

term - Supplementary Measure, to be added under DPV-GDPR

term A49.1 are similar to legal bases, in DPV-GDPR the individual clauses are subclassed with these concepts, except e and f

Next Meeting

In 2 weeks, OCT-06 WED 13:00 CEST / 14:00 CEST

Harsh will share dpv v0.3 outputs for review and ready for publication

Harsh will share list of collected concepts/items to be considered for next steps / actions in DPV

Minutes manually created (not a transcript), formatted by scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).

Diagnostics

Succeeded: s/26/46

Maybe present: david