Do we need a TRG for GDPR compliance?

[kelaja]

Proposal

title: TRG 7.10 - GDPR compliance

Why

Its an legal requirement, in the automotive industry in germany GDPR is basis requirement.

Description

GDPR compliance must be ensured!
Assessment must be completed via Catena-X questionnaire LINK to be added.

• Either the product/service doesn`t process any relevant data,
• or - in case the assessment reveals potential issues - a more severe "Data Privacy Impact Assessment" shall be conducted (if applicable: robust mitigation actions must be completed).

LINK to GDPR

Best Practice

Put into Issue Template
Provide evidence for GDPR compliance prior to Gate review.

Previous assessments remain valid, as long as approach to handling of personal data was not changed.

[ClosedSourcerer]

If a TRG for GDPR gets added, why not also add one for DMCA or one each for the mainfold of legal requirements that do exist in diverse jurisdictions?

• Stuff needs to be legal.
• Sometimes legal requirements from different jurisdictions are not compatible with each other.
• Putting the spotlight on certain legal requirements, by representing it as an own TRG, needs to be substantiated.
• And in my humble oppinion I currently cannot see a well enough made argument for that.