Re: Agenda for tomorrow's DPVCG call and some thoughts on strategy ahead

Hi all,

moreover what needs to be considered is that the storage location is 
relevant for legal considerations, e.g. when the server is either inside 
or outside Europe, in the US, or elsewhere.

Greetings,

Eva

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Eva Schlehahn, uld67@datenschutzzentrum.de
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung/

Am 06.11.2018 um 15:55 schrieb Stefano Bocconi:
> Hello Harsh,
>
> Storage is a type of processing according to the GDPR, but you need to specify in the informed consent how you are going to secure the data and for how long you are going to keep it. This is what was meant with storage, maybe a different term could be more appropriate.
>
> Regards,
>
>  Stefano
>
>> On 6 Nov 2018, at 14:38, Harshvardhan J. Pandit <me@harshp.com> wrote:
>>
>> Hello all. Comments/replies are inline.
>> On 05/11/2018 09:50, Axel Polleres wrote:
>>> 4) Progress since last time (which we may not discuss in detail, but rather table, discuss action items around:
>>> Discussion around categories of legitimation categories/lawfulness of processing https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0027.html <https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0027.html> -> I would like to task someone to summarize these and make a proposal to the group we can discuss.
>> I have tried to summarise these as terms at https://www.w3.org/community/dpvcg/wiki/Legal_Basis <https://www.w3.org/community/dpvcg/wiki/Legal_Basis> along with a terms from two existing vocabularies. The proposal is to have a vocabulary of legal basis / lawfulness of processing terms which can be used to justify the processing or activities carried out.
>>> Elements of consent/competency questions for consent https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0025.html <https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0025.html>, https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0038.html <https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0038.html> -> I would like to task someone to summarize these and make a proposal to the group we can discuss, e.g. based on what we had in the minutes last time:
>>> consent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]
>>> which of these aspects are similarly relevant for other forms of legitmation than consent?
>> 1) Are processing and storage two separate actions/activities? Under the definition provided by the GDPR, Article 4(2), ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
>>
>> Where storage is defined as a 'type' of processing. I would therefore propose to specify storage as a category of processing. Some of the categories or types of processing have further information associated with them that we should model e.g. storage -> location, jurisdiction, duration OR sharing -> recipient.
>>
>> I would also propose to add the terms from GDPR A4(2) under the types/categories of processing.
>>> Harsh's mail on collecting terms from vocabularies: https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0041.html <https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0041.html>, https://www.w3.org/community/dpvcg/wiki/Taxonomy <https://www.w3.org/community/dpvcg/wiki/Taxonomy>In terms of scope, how much of these specified properties do we want to model? Because if we decide to include terms describing consent itself (data subject, duration, etc.), at what point does it become feasible to also define it as an ontology?
>> Conversely, should we agree on a set of questions that any such consent ontology should answer/describe? These would allow us to define the terms and let (individual) implementations be based on them.
>>> To this end, I would like to go - in tomorrow's call to go through the Use Case Stakeholders
>>> https://www.w3.org/community/dpvcg/wiki/Use-Cases,_Requirements,_Vocabularies#Use-Cases <https://www.w3.org/community/dpvcg/wiki/Use-Cases,_Requirements,_Vocabularies#Use-Cases>
>>> and task them to add subections on top of each use cases to describe, in bullet points, the aspects we agreed [1] (plus the means of ligitmation discussed in [2] to focus on in each use case:
>>>
>>> 1. categories of personal data involved
>>> 2. purposes for personal data handling
>>> 3. different kinds of processing involved
>>> 4. data subjects, controllers, processors, and recipients involved
>>> 5. storage & security aspects:
>>>      * storage locations
>>>      * storage duration
>>>      * security measures (including e.g. anonymisation "levels", pseudonymisation)
>>> 6. means of legitimation for personal data processing
>>>      e.g. consent, legitimate interest, etc. ...
>> These are only the use-cases added to the wiki. What about capturing use-cases in the 'wild'? E.g. adding arbitrary use-cases based on information publicly available via privacy policies. My argument here is towards making it possible to use these vocabularies to also describe terms/concepts in privacy policies if we can.
>>> "The current goal is to agree on first public drafts of minimal sets of vocabularies to be finished by December 2018, with first stable working drafts being reached latest on 25 May 2019."
>>>   
>> Should we have a plan (now) on how to reach consensus on the drafts later in December?
>>
>>
>> Best,
>> -- 
>> ---
>> Harshvardhan Pandit
>> PhD Researcher
>> ADAPT Centre
>> Trinity College Dublin
>

Received on Tuesday, 6 November 2018 14:58:39 UTC