Re: Missing concepts in dpv from GDPR Art 13 and 14, Treaty 108 and ISO/IEC 29184

Thanks for starting the work on mapping ISO/IEC 29184 concepts to DPV.

a) A lot of concepts are the same as shared previously in the context of 
privacy policies. So my reply to those also applies here in regard to 
information as well as concept coverage in DPV.

b) The ISO/IEC 29184 analysis is correct in most parts. However, IMHO a 
few fields are 'missing' information here. E.g. the document does 
concern processors, data source, automated decision making & profiling, 
data transfer, technical measures whereas the fields are empty in the 
table. Additionally, the document references are misleading (or can be) 
because these are not 'defined' but sometimes merely mentioned. For 
example, the document mentions that the rights (of GDPR without calling 
them as such) 'may' exist jurisdictionally in the context of providing 
information about rights.

c) ISO/IEC 29184 also mentions the concept of 'risk' or 'impact' 
associated with processing, which the DPV currently does not represent. 
I feel this is an important concept that should be represented as part 
of 'risk and mitigation'.

On 24/06/2020 13:29, Georg Philip Krog wrote:
> Dear DPV folks,
> Signatu contributes herewith:
>   * missing concepts in dpv from GDPR Art 13 and 14, Treaty 108 and
>     ISO/IEC 29184.

Harshvardhan Pandit, Ph.D
Researcher at ADAPT Centre, Trinity College Dublin

Received on Tuesday, 30 June 2020 14:25:07 UTC