v2.4.0 | Report Errata
docs governance docs governance

Annex VII points 4.3 and 4.5 grant the notified body access to training, validation, and testing datasets, and to trained models including parameters, where necessary for the assessment. This access must be managed through a defined protocol that balances the assessment’s information needs against intellectual property and data protection requirements.

The data access protocol specifies the access mechanism (API access, remote desktop, on-site inspection, or anonymised dataset provision), the scope of access (which datasets, which model parameters, which training infrastructure components), the confidentiality arrangements (NDA, data handling commitments, return or destruction of data after assessment), and the data protection measures (particularly where datasets contain personal data).

For datasets containing personal data, the data access protocol must be consistent with the system’s DPIA and the applicable data processing agreements. The DPO Liaison reviews the protocol before it is shared with the notified body.

Key outputs

  • Defined data access protocol for NB assessment
  • Access mechanism, scope, confidentiality, and data protection
  • DPO Liaison review for personal data considerations
  • Annex VII points 4.3 and 4.5 compliance
On This Page