...
Under current legislation, only Model Contracts and Binding Corporate Rules appear to offer the framework required to transfer personal data within trans-national science e-Infrastructures. With hundreds of resource providers and user communities potentially exchanging data, it is impossible to conceive of each party executing a separate legal agreement with all others, as might be required by the standard use of Model Contracts. One possible solution is for each party to sign an adherence form acknowledging compliance with a Code of Conduct (as referred to in GDPR Article 46.2(e)). The signed form is then lodged with the federation. This approach, still a work-in-progress, remains a relatively complex, somewhat lengthy legal document, which may hinder adoption. The principal proposal here is the GEANT Data Protection Code of Conduct. In itself it already provides best practices and excellent guidance on how a service provider (and infrastructure) should conduct itself - e.g. including verbatim the Sirtfi requirements. Whether and when this DPCoCo can actually be an Article 46.2(e) basis still remains open: the EDPB still has to be established before the process can even start.
So for now, we propose the BCR-inspired model as presented above as a suitable basis for distributed collaborative infrastructures where many independent organizations (with the user communities and their members represented in their professional capacity by their home organizations) collaborate within a well-controlled policy framework - which is a characteristic of most of the cross-national Infrastructures and the AARC selected use cases. For reference, the policy template "Policy on the Processing of Personal Data", developed jointly with EGI, WLCG, and GridPP, has been appended to this Recommendation.
...