Meeting minutes
Purposes taxonomy (continued review)
No glaringly obvious issues with minutes from last time
No objections or additional items from participants on this topic
Consensus on purpose additions/changes
Proposed Concepts for Data Transfers
David's email AUG-20 https://
David: (shared screen of spreadsheet) Data Exporter/Importer is used by EDPB, and therefore these should be defined in DPV
Georg: Supporting inclusion of these terms
harsh: are these concepts global (DPV) or scoped (DPV-GDPR) ?
markL: would be preferable to have this as global concepts for expressing adequacy
Georg: agree that it should be in DPV
(no disagreements on inclusion of these in DPV)
harsh: inclusion in LegalEntities similar to 'role' as DataController
harsh: How to clarify definition and scope, e.g. importer relates to extra-judicial third-country data transfer recipient
davidH: agree that this has global relevance, third countries everywhere as non-jurisdictional country
Georg: In Signatu, there is data transfer with a 'recipient country' classified on jurisdiction (in/out EU). If there is transfer outside EU/EEA, then there is separate legal basis and term data export/import
davidH: broadening the notion of third country, there is 'recipient country' which can be any country
dicussing how closely required the constraint of imported being in a third country is to the definition
consensus on removing third country, relating data importer to 'recipient country' and including DataExporter and DataImporter
Next terms - A45, A46, A49 legal bases and their relation to data transfers
Suggestion (prior discussions led by Georg) are to structure the DPV-GDPR legal bases as a hierarchy (e.g. legal bases related to consent), and use data transfer legal bases as a similar categorisation
For this, davidH has proposed adding DataTransferLegalBasis as a category of legal basis (subclass dpv:LegalBasis) within DPV
Consensus on this proposal, no objections. Term added in spreadsheet for DPV.
Note on need to restructure DPV-GDPR based on new(-ish) list of legal bases.
Further categorisations have been proposed along the lines of adequacy (A45), transfers (A46), derogations (A49).
A discussion on how to express the 'relation' and 'applicability' of legal basis for particular contexts, such as data transfers taking place in third countries without adequacy decisions, took place regarding how to express such terms and relations in DPV
Whether to include the 'rules', 'constraints', or 'applicability' as some form of taxonomy. Consensus was that at this stage it would introduce complexity, and force using a particular notion (e.g. specifying where legal bases apply)
Consensus that such explorations can take place outside the DPV and DPV-GDPR documents in a separate extension which can then be merged later depending on correctness and validity.
Next terms - TransferStartDate and TransferEndDate
As per earlier conversation in davidH email with feedback by harsh, DPV does not provide 'minor' terms for strings, dates, times, etc. because they vary in their use and application.
Instead, the 'generic properties' of hasDuration can be used (as is, or specialised) for expressing data transfer durations in terms of start and date with XSD or OWL-TIME.
Next Meeting
Discussion stopped due to end of meeting time. Next week discussion continues on terms related to transfer safeguards and supplementary measures.
We will have a presentation by Piero Bonatti on work in TRAPEZE, which utilises DPV for expressing policies and checking legal compliance, including consent.
For expressing disagreements or changes to current consensus on terms, members are welcome to submit comments by end of (this) week.
Following next week's meeting, the next iteration of DPV (v0.2.x) will be finalised and published.