W3C home > Mailing lists > Public > public-dpvcg@w3.org > October 2018

Re: Lawfulness of processing

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Wed, 17 Oct 2018 08:58:42 -0700
To: Axel Polleres <axel.polleres@wu.ac.at>, Sabrina Kirrane <sabrina.kirrane@wu.ac.at>
Cc: public-dpvcg@w3.org
Message-ID: <b5208eb6-0476-d423-441c-9acd034778fa@harshp.com>
Hi Axel, Sabrina.
I agree that we should also have a taxonomy of "legal basis" for processing.

 From the text of GDPR Sabrina shared earlier, I have the following 
legal basis listed in GDPRtEXT:
* Contract with Data Subject
* Exempted by National Law
* Employment Law
* Given Consent
* Historic, Statistical, or Scientific Purposes
* Legal claims
* Legal obligation
* Legitimate Interest
* Made public by Data Subject
* Medical, Diagnostic, or Treatement
* Not for Profit Org.
* Public Interest
* Purpose of New Processing
* Vital Interest

I propose we start with this (and the text from GDPR) as our starting 
point for discussion.


On 17/10/18 8:35 AM, Axel Polleres wrote:
> Dear all,
> I agree that we would need then not only to talk about consent but in 
> general a categorisation or "taxonomy" of "justification for processing" 
> or alike (using these as top-level categories), right?
> best regards,
> Axel
> --
> Prof. Dr. Axel Polleres
> Institute for Information Business, WU Vienna
> url: http://www.polleres.net/  twitter: @AxelPolleres
>> On 17.10.2018, at 17:19, Sabrina Kirrane <sabrina.kirrane@wu.ac.at 
>> <mailto:sabrina.kirrane@wu.ac.at>> wrote:
>> Hi Axel & all,
>> As a followup to Rigo's comment yesterday on other lawful means of
>> processing, here is the relevant text from the GDPR:
>> 1.Processing shall be lawful only if and to the extent that at least one
>> of the following applies:
>> (a) the data subject has given consent to the processing of his or her
>> personal data for one or more specific purposes;
>> (b) processing is necessary for the performance of a contract to which
>> the data subject is party or in order to take steps at the request of
>> the data subject prior to entering into a contract;
>> (c) processing is necessary for compliance with a legal obligation to
>> which the controller is subject;
>> (d) processing is necessary in order to protect the vital interests of
>> the data subject or of another natural person;
>> (e) processing is necessary for the performance of a task carried out in
>> the public interest or in the exercise of official authority vested in
>> the controller;
>> (f) processing is necessary for the purposes of the legitimate interests
>> pursued by the controller or by a third party, except where such
>> interests are overridden by the interests or fundamental rights and
>> freedoms of the data subject which require protection of personal data,
>> in particular where the data subject is a child.
>> Point (f) of the first subparagraph shall not apply to processing
>> carried out by public authorities in the performance of their tasks.
>> Best Regards,
>> Sabrina
>> -- 
>> Postdoctoral researcher,
>> Institute for Information Business
>> Vienna University of Economics and Business
>> Tel: +43-1-31336-4494
>> E-mail: sabrina.kirrane [at] wu.ac.at <http://wu.ac.at>
>> Homepage: www.sabrinakirrane.com <http://www.sabrinakirrane.com>

Harshvardhan J. Pandit
PhD Researcher
ADAPT Centre, Trinity College Dublin
Received on Wednesday, 17 October 2018 15:59:09 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:54 UTC