Meeting minutes
paul: Working on using DPV and DPCat for ROPA-based tools, with a questionnaire to understand uses. Will share with DPVCG when ready for feedback.
Use-cases, Requirements, and Examples
see email https://
These will be moved to the main repo, along with additional functionality that links the examples in the tables to the relevant concepts within the specs.
Discussion on rules
See previous minutes for reference and overview
georg: Where should the rules be expressed? Does everything (e.g. each PersonalDataHandling) have to be explicitly declared as permission and prohibition?
harsh: The default is that something is permitted, which is what we are implicitly using currently, so we can explicitly say something is not permitted. But for contexts such as recording a decision for consent, you can explicitly denote permissions and prohibitions to reflect what the user has expressed, to indicate a complete decision from the choices. Though typically a record only contains the decision rather than all choices.
See beatriz's email - https://
Since there are no specific queries regarding rules, we accept them for inclusion within the spec.
DPV v1 release
We had invited comments until OCT-15, and we received a few major as well as minor comments. Most have been addressed (ref. mailing list and GitHub issues), with some still pending - such as dpv-tech and Cloud computing concepts.
However, no issues identified that are 'blocking' the release.
We discussed and set NOV-15 as the release date, so that it is published in time for dissemination before the Christmas break and to indicate 'stability' in the current work while continuing to enhance it.
We discussed what is 'missing' from the current set of concepts in DPV, namely - rights, data breaches, and data transfers. We agreed that rather than wait to finish these concepts, we will continue with the v1 release, and add them in whatever state they are at the time.
For example, if the concepts have been accepted, they will be added while documentation may be pending. If the concepts are still being explored, a note to the effect and their proposed status will be added (e.g. appendix). This is to indicate that while the concepts are not present in the spec, they are being worked upon.
Exercising Rights
See email - https://
We will take this up in the next meeting specifically to go over the examples. In this meeting, we discussed the concepts regarding exercising rights.
beatriz has proposed - https://
We discussed and agreed on the term `RightNonFulfilmentJustification` as a type of `Justification` to indicate why a right could not be fulfilled. This is to avoid the phrase "right exemption", which could be read as an exemption from providing the right at all.
In cases where the right cannot be fulfilled, the appropriate status (e.g. RightNotFulfilled) and a justification (i.e. RightNonFulfilmentJustification) would be used. Examples from beatriz's list include (Art.13/Art.14/etc.) - Data subject already has been provided this information, Confidentiality breach, and so on.
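As an added illustration (not from the minutes or from the DPV spec itself), the following Python sketch encodes the modelling rule just described over a record represented as RDF-style triples: a record whose status is `RightNotFulfilled` must carry a justification typed as `RightNonFulfilmentJustification` (directly or via a subclass), and a record with any other status must not. The concept names `Justification`, `RightNonFulfilmentJustification` and `RightNotFulfilled` are taken from the discussion above; the property names `hasStatus` and `hasJustification`, the status `RightFulfilled`, the local names chosen for two of the Art.13/14 justifications, and the sample records are assumptions made for this example only.

```python
# Added example (not from the minutes or the DPV spec): consistency check for a
# rights-exercise record modelled as RDF-style triples. The rule is the one from
# the discussion: a record with status RightNotFulfilled must carry a justification
# that is a RightNonFulfilmentJustification (directly or via a subclass), and a
# record with any other status must not.

RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
DPV = "https://w3id.org/dpv#"  # DPV namespace

# Concept names from the discussion above.
JUSTIFICATION = DPV + "Justification"
NON_FULFILMENT = DPV + "RightNonFulfilmentJustification"
RIGHT_NOT_FULFILLED = DPV + "RightNotFulfilled"

# Assumed for this example only (not confirmed in the minutes): property and
# status names, and local names for two of the Art.13/14 justifications listed.
HAS_STATUS = DPV + "hasStatus"
HAS_JUSTIFICATION = DPV + "hasJustification"
RIGHT_FULFILLED = DPV + "RightFulfilled"
ALREADY_INFORMED = DPV + "DataSubjectAlreadyHasInformation"
CONFIDENTIALITY_BREACH = DPV + "ConfidentialityBreach"

# Constructed subclass chain: subclass -> direct superclass.
SUBCLASS_OF = {
    NON_FULFILMENT: JUSTIFICATION,
    ALREADY_INFORMED: NON_FULFILMENT,
    CONFIDENTIALITY_BREACH: NON_FULFILMENT,
}


def objects(graph, subject, predicate):
    """All objects o such that (subject, predicate, o) is in the graph."""
    return {o for s, p, o in graph if s == subject and p == predicate}


def is_a(graph, node, cls):
    """True if node is typed as cls or as any (transitive) subclass of cls."""
    for t in objects(graph, node, RDF_TYPE):
        while t is not None:
            if t == cls:
                return True
            t = SUBCLASS_OF.get(t)
    return False


def check_record(graph, record):
    """Return a list of problems for one rights-exercise record (empty = consistent)."""
    problems = []
    statuses = objects(graph, record, HAS_STATUS)
    justifications = objects(graph, record, HAS_JUSTIFICATION)
    if len(statuses) != 1:
        return [f"{record}: expected exactly one status, found {len(statuses)}"]
    status = next(iter(statuses))
    if status == RIGHT_NOT_FULFILLED:
        if not justifications:
            problems.append(f"{record}: RightNotFulfilled without a justification")
        for j in justifications:
            if not is_a(graph, j, NON_FULFILMENT):
                problems.append(f"{record}: {j} is not a RightNonFulfilmentJustification")
    else:
        for j in justifications:
            if is_a(graph, j, NON_FULFILMENT):
                problems.append(f"{record}: non-fulfilment justification on status {status}")
    return problems


# Constructed sample records (not real data).
EX = "https://example.com/records#"
SAMPLE_GRAPH = [
    # r1: not fulfilled, justified by a subclass of RightNonFulfilmentJustification -> consistent
    (EX + "r1", HAS_STATUS, RIGHT_NOT_FULFILLED),
    (EX + "r1", HAS_JUSTIFICATION, EX + "j1"),
    (EX + "j1", RDF_TYPE, ALREADY_INFORMED),
    # r2: not fulfilled but no justification recorded -> problem
    (EX + "r2", HAS_STATUS, RIGHT_NOT_FULFILLED),
    # r3: fulfilled, yet carries a non-fulfilment justification -> contradictory
    (EX + "r3", HAS_STATUS, RIGHT_FULFILLED),
    (EX + "r3", HAS_JUSTIFICATION, EX + "j3"),
    (EX + "j3", RDF_TYPE, CONFIDENTIALITY_BREACH),
]


def check_all(graph):
    """Check every record (anything with a status) and map it to its problems."""
    records = {s for s, p, o in graph if p == HAS_STATUS}
    return {r: check_record(graph, r) for r in sorted(records)}


if __name__ == "__main__":
    for record, problems in check_all(SAMPLE_GRAPH).items():
        print(record, "OK" if not problems else problems)
```

The subclass walk is what makes the check useful in practice: a record justified by a specific reason (for example the "data subject already has this information" case from the Art.13/14 list) is accepted because that reason sits under `RightNonFulfilmentJustification`, while a record that claims the right was fulfilled yet carries such a reason is flagged as contradictory.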
Additional discussion and notes
'Systematic and extensive evaluation of personal aspects relating to natural persons' (from GDPR Art. 35(3)(a), one of the cases where a DPIA is required) could be represented as a list of SKOS concepts that suggest which other concepts are relevant to interpreting this (complex) concept. We need to figure out how to provide such a list.
DPV-PD - adding CriminalOffense as subtype of Criminal
DPV-GDPR - adding Proportionality, SystematicExtensiveEvaluationOfPersonalAspects
Risk - new category of consequences related to data security as ConsequenceOnDataSecurity, and new categories ConsequenceForDataSubject and ImpactOnDataSubject
OrgMeasure - new concepts for reviewing validity, effectiveness, etc. - with specific types for ReviewImpactAssessmentConformance and ReviewImpactAssessmentAdequacy ; adding ConsultationWithDataSubjectRepresentative for DPIA
Lawfulness as a specific subtype of compliance status for legal compliance, with types Lawful, Unlawful, and LawfulnessUnknown ; with GDPR-specific variations such as GDPRLawfulness, GDPRCompliant, and so on
ConformanceStatus as a specific type to indicate conformance (as distinct from compliance), with types Conformant and NonConformant
DPIA outcomes in terms of processing recommendations as DPIARecommendsProcessingContinue and DPIARecommendsProcessingNotContinue
DPIA adherence expressed as DPIAConformity with specific types
Next Meeting
We will meet again in 1 week, on OCT-26 WED 13:00 WEST / 14:00 CEST
Topics will be continued discussion on rights, specifically focusing on the examples shared on the mailing list and on representing GDPR's rights.