Privacy Level Agreement

Meeting Minutes July 11th, 2023+reminder of tomorrow's WG call!


    Posted Jul 17, 2023 03:05:00 PM

    Dear members,

    Please find below the minutes from our last call on the 11th of July:

    Minutes:

    The working group went through the '2023_04_13_CPRA - PLA_CoP_Mapping (WiP)' document and the comments made, from step one.

    • Accepted the comment by Jen Amaral on row 22, and Mark had updated the mapping in column C. Continued with rows 24 and 42, which Jen had reviewed as well.
    • Row 12 marked as out-of-scope: Chairs addressed the comment in column C ('a 3rd party would not be the controller of personal info. It would be the processor') by writing their feedback in column K, which verifies that even in the 3rd party case, they would again act as a controller in this case and not as a processor. Hence, this provision remains out-of-scope, as verified by the WG on the call.
    • Row 23: Working group agreed that the mapping here is correct for Article 28.1. Noting that: in Article 28, broadly, there is no specific obligation for the processor to comply with the applicable obligations under the GDPR but exclusively the obligation to comply with the instructions of the controller.
    • Row 25, column C: updated with the mapping to Article 28.3 (a, f).
    • Row 26: working group agreed that Article 28 is not the right match for this CCPA provision. Column C was updated mentioning that there is no corresponding provision under GDPR for this.

    Previous action items:

    • Mark Vinkovits to address comments and notes made on row 22 and 24. - DONE

    New action items:

    • Isabella ( @Isabella Oldani) to update row 24, column K with article 32 also, as agreed on the call.
    • Isabella ( @Isabella Oldani) to update column K, row 42 saying that article 28 fully covers the relevant provision.
    • Isabella ( @Isabella Oldani) to update the status of column K, row 12 to 'agreed'.
    • For row 23 to include footnote mentioning that 'In article 28, broadly, is no specific obligation for the processor to comply with the applicable obligations under the GDPR but exclusively the obligation to comply with the instructions of the controller.'
    • Isabella ( @Isabella Oldani) to include in Row 25 a footnote about the variation existing in the CCPA provision mentioning the obligation by the 3rd party or service provider (CSP) or contractor to notify the business if they are unable to follow the obligations needed.
    • To discuss row 3, where the red cell provision is marked as out-of-scope but 2 members partially disagree.
    • To discuss row 4, 9, 12, column C by Emilio Mazzon.
    • To discuss row 116 mapped by Mark.
    • Working group to continue the mapping for all the un-mapped red cells (column B - CPRA provisions) to GDPR articles (column C). Review the red cells that have no other volunteer working on them (please check column J) and identify the corresponding provision of CCPA with GDPR in column C. That represents the obligations raised for the cloud provider towards their clients. Let's each volunteer choose 10 red cells/controls to map. Please look at the examples in rows 25 and 26.
      • Already occupied red cells for mapping to GDPR: 
        • Mark Vinkovits: Rows: 22, 23, 24, 25, 26, 115, 116, 147, 197, 198, 199, 200
        • Emilio Mazzon: Row 4, 9, 12, 60, 62
        • Jen Amaral:  Row 42

    Document logic (color codes):

    The document shows the CCPA provisions after the CPRA changes applied to them: 

    In red cells are the new provisions introduced by the CPRA that didn't exist earlier. Here there is the need to do a new complete mapping to the GDPR as the specific provision appears for the first time.

    Green cells show that the specific provision is as before, and nothing has been added.

    Yellow cells indicate that the provision has been updated from its previous state, thus this GDPR mapping needs to be revised.

    • Column B are the CCPA/CPRA provisions.
    • Column C are the GDPR articles (some are already mapped to those CCPA/CPRA provisions from our previous work).
    • Column D describes the type of provision. It only contains 2 kinds to choose from: Obligation or Definition and Procedures.
    • Column E is about the identified CSA Code of Conduct (CoC) controls that the cloud providers can check to show compliance with GDPR to their customers.
    • Column J: the name of the volunteer who wants and is working on the specific red cell provision. Mapping CCPA with GDPR for the red cells that are in scope.
    • How to work on the document:
      • E.g. Row 203: For 'Adv+Marketing', find the corresponding provision under GDPR and fill it in column C (as another example, use one of the green cells that already have the GDPR provision filled in). If there is no correspondence with GDPR, mark it as N/A.
        • In column D include the 'Type of the provision', e.g. Definition and Procedures.
        • In order to avoid double work in the same row, each reviewer is requested to include their name next to the row they are working on, in column J.

    To connect on the call tomorrow: Tuesday 18 July, at 08:30 a.m. PST / 11:30 EST / 16:30 GMT / 17:30 CET.

    URL: https://cloudsecurityalliance.zoom.us/j/82987382695?pwd=amZ6cEljSCtXVU01OUVRbUUyTTNRdz09  (Meeting ID: 829 8738 2695, Passcode: 794440)

    Kind regards,
    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------