Meeting minutes
Concepts for Data Transfers
term - Art45-Adequacy ; we have 45-3 in DPV-GDPR as a legal basis
davidH: when working with adequacy decisions, the country of data transfer is mentioned and whether the country has adequacy
georgK: the specific adequacy decision is also referenced
harsh: so if we create instances of specific adequacy decisions (e.g. for South Korea), then use the decision itself as IRI or link to document, and use annotations to specify country either as string or ISO code
term - Art46 - related to transfer tools
david: A46 provides use of 'safeguards' which include BCR, SCCs, others
david: unclear whether safeguards are techorg measures
proposal - OrgMeasure -> Safeguard -> DataTranferSafeguard
We're unclear where SCCs fit in GDPR. They are a form of contract, but not clear whether they are called SCC globally
We can model them in DPV-GDPR, but specifying SCC as a type of DataTransferSafeguard and a Contract and an implementation A46 legal basis
term - A46 Binding Corporate Rules
davidH: they are essentially contracts, so could be modelled similar to SCC
georgK: BCR are defined in A4.20
We're unclear whether BCR, like SCC, have a global use as a concept. So we model them in the same way as SCC.
term - A46.2 clauses
A46.2a can be any legal instrument, so we leave as is
A46.2b is BCR
A46.2c and 2d are SCC approved by commission but 2d are by supervisory authority
Separate concepts for 2c and 2d
A46.2e is a code of conduct with additional requirements - complex to model. We have a CoC in techorg measure, but this is not sufficient to merely subclass. More research needed.
A46.2f has certification mechanism with additional requirements - also complex to model. More research needed.
A46.3a contractual clauses - subclass of contract
A46.3b - leave as is
term - Supplementary Measure, to be added under DPV-GDPR
term A49.1 are similar to legal bases, in DPV-GDPR the individual clauses are subclassed with these concepts, except e and f
Next Meeting
In 2 weeks, OCT-06 WED 13:00 CEST / 14:00 CEST
Harsh will share dpv v0.3 outputs for review and ready for publication
Harsh will share list of collected concepts/items to be considered for next steps / actions in DPV