W3C home > Mailing lists > Public > public-dpvcg@w3.org > October 2018

Input public entities use case, relates to: dpvcg-ACTION-20

From: Harald Zwingelberg <uld6@datenschutzzentrum.de>
Date: Wed, 17 Oct 2018 22:50:05 +0200
To: public-dpvcg@w3.org
Cc: uld6@datenschutzzentrum.de
Message-ID: <18392c75-75e0-82fe-e0e4-462cb8e8f3cf@datenschutzzentrum.de>
Dear DPVCG community group,

please find in the Wiki and below my suggestions for a public entities' 
specific duties use-case covering specific requirements stemming from 
public law directly addressing public bodies to process personal data 
for consideration.

Use case has been uploaded to the wiki (and marked as pending input / 
italics in the overview-page):

Best regards

===== copy and paste of the Wiki-source ====

= Use Case PUB01 – Public bodies specific requirements =

= Owner of Use Case =

Harald Zwingelberg
affiliations: ULD, H2020-project SPECIAL

= Description =

This use case contains and depicts some legal requirements that are 
specific to some or all entities governed by public law in comparison to 
entities governed by private law and private cooperate law. Public 
entities may have specific rules applicable that mandate them to store, 
transfer or share personal information based on the applicable public 
law, e.g. freedom of information acts or the duty to cooperate with 
other public bodies.

* public entities
* event/situation it applies to
** request to acting entity
*** freedom of information request
*** request for administrative cooperation, which may be mandatory to 
reply to
*** Public Prosecutor's investigations and requests
*** ...
** condition met triggering data processing
*** archives: obligation to offer files and data to public archives / 
open access / public access prior to deletion
*** jurisdiction: in the course of the administrative process some 
change in the circumstances determining competenceobligation occurs and 
transfer of the case to another entity is demanded
*** ...
* actors/entities involved
** public entity (controller)
** recipient entity
** private or public entity requesting information

= Requirements =
* Public law demanding certain processing of personal data.

== Related functional requirements ==
* Can address specific demands to process (store, retain, transfer) 
personal data by public entities.

== Related non-functional requirements ==

== Requirement conflicts (if any) ==

Potential conflicts: Usually none. The legal norms often contain a 
balance between processing and preserving informational 
self-determination anticipated by the lawmaker or a balancing-test to be 
performed to resolve arising conflicts with in particular data 
protection laws.

== Requirement similarities (if any) ==

Potential similarities

== Requirement subsets/refinements (if any) ==

= Component(s) =

* List of components and short explanation

= Types/classes of data involved =

* List with short explanation

= Actors =

* Public entity addressed
* may have: Public or private entity demanding data

= Preconditions =

* Specific legal requirement applicable to public bodies triggers 
processing of personal data. Triggering event may e.g. be a request by a 
person under a freedom of information act or the end of the usual 
retention period triggering planned deletion of files that must by law 
be offered for transfer to a public archive prior to deletion.

Currently used technologies: Depends on the particular case. As standard 
use case assume an individual request and an individual response by 
searching for requested data, evaluation of legal ground to process data 
followed by the processing asked for denial or thereof. There may be 
automated data exchanges in place, e.g. in German social security 
systems there are periodic automated data matchings foreseen to identify 
social fraud by e.g. obtaining unemployment benefits while already 
employed again. Example § 52 SGB_II (Book II of the German Social 
security Act).

= Postconditions =

* Decision done on basis of applicable law.
* Met Decision followed by permitting or refusing data processing.

= Normal Flow =

* Trigger:
** Incomeing request for personal data
** other trigger such as a condition met
* decision process to process personal data
* allow or deny processing

= Alternate Flows =

Specify potential alternate flows

= Evaluation of UC and requirements realisation =

(e.g. manual, automatically...)

===== /copy and paste of the Wiki-source ====

Landesbeauftragte für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1222, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
Harald Zwingelberg, uld6@datenschutzzentrum.de

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Wednesday, 17 October 2018 21:45:19 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:54 UTC