W3C

– DRAFT –
DPVCG Meeting Call

30 MAR 2022

Attendees

Present
beatriz, harsh, mark, paul
Regrets
georg
Chair
harsh
Scribe
harsh

Meeting minutes

Consequence and Impact concepts

Last week we discussed concepts related to Consequences and Impacts, see minutes

No further comments or objections on acceptance of those

Regarding Negative Impacts i.e. Harms, the proposal is to distinguish 'Damage' with further specification as 'Material' and 'Non-Material' given their importance in legal proceedings and investigations.

Regarding Consequence, we currently have a distinction between consequences arising from success or failure of a context. In cases where neither is applicable, i.e. the consequence happens in due course of something without being intended directly, the proposal is to specify this as `ConsequenceAsSideEffect`.

These concepts were discussed and accepted. The concepts related to risk and consequences have been structured into a _Risk_ module in the documentation.

mark: For consequence as side effect, would this be useful to denote consequence of data stored in another country -> yes, it can be used for that with further extensions/specific expression

Extension for Jurisdictions, Laws, and DPAs

The proposal (FEB-24) https://lists.w3.org/Archives/Public/public-dpvcg/2022Feb/0006.html suggested a separate extension (`dpv-tech`) providing locations (e.g. countries) as jurisdictions with links to relevant laws and DPAs.

The data is here https://github.com/coolharsh55/dpv-x/tree/master/dpv-juris and had a review period until MAR-31.

As of now, it contains all countries (based on ISO and UN lists), EU memberships (EU27 and EU28), and expression of GDPR and its applicability in terms of being linked to each of the enforced areas as applicable law, and the relevant Data Protection Authority for each jurisdiction (including German Federal States).

The term _juris_ has an issue in terms of being also used by several law-related firms and companies. To avoid this, we rename this to `dpv-legal`.

These concepts were discussed and accepted. They will be published as "Extension for Jurisdictions, Laws, and Authorities" with prefix `dpv-legal`.

For further expansion, we welcome proposals and contributions. Contributors who wish to expand this data can provide their input by referring to existing data e.g. similar country, law, or authority structure.

Contributors can utilise the existing list of sources https://github.com/coolharsh55/dpv-x/blob/master/dpv-juris/sources.md to add more concepts/data to this extension.

Extension for Technologies

See https://lists.w3.org/Archives/Public/public-dpvcg/2022Mar/0010.html for proposal regarding modelling technologies

There is no existing ready-to-adopt list/hierarchy that we can use. Therefore this proposal is opinionated and is based on common use of technologies e.g. for storage, processing, etc.

In this, there is an overlap between technologies and technical measures. This is resolved as follows: a technical measure is a theoretical or abstract notation for a measure/process that is used to secure/safeguard data. A technology is the implementation that achieves this.

There will be overlaps between both, e.g. security can be both technology and technical measure based on what is being done. In this case, it is fine to define them as both, though ideally it would be beneficial to separate them to indicate distinction between a measure and an implementation.

paul: So would the pseudo-anonymisation algorithm used be a technology or a technical measure?

harsh: The algorithm itself would be the measure, but it's a theoretical measure, but its implementation would be a technology e.g. in some system or as code.

We welcome contributions for more technologies.

Data Subject Categories

We have a list of proposed data subject categories. Of these, the proposal is to select those that are common and useful to lots of use-cases, and provide them in DPV.

Examples include - Adult, Patient, Employee, Citizen, Consumer and so on.

We have discussed acceptance of - `NaturalPerson` as the parent concept of other data subject concepts, `Adult` as the counter to `Child`, `Patient`, `Employee`, `Student`, `Citizen`, `NonCitizen`, `Immigrant`.

We have discussed non-acceptance of - `Tourist`

More discussion is needed regarding `Customer` and `Consumer` and the distinction between these two.

Next Meeting

We will continue discussion on proposed concepts regarding technologies and data subjects in the next meeting.

It will take place on APR-06 14:00 CEST.

Minutes manually created (not a transcript), formatted by scribe.perl version 185 (Thu Dec 2 18:51:55 2021 UTC).