- From: Harald Zwingelberg <uld6@datenschutzzentrum.de>
- Date: Wed, 17 Oct 2018 22:50:05 +0200
- To: public-dpvcg@w3.org
- Cc: uld6@datenschutzzentrum.de
Dear DPVCG community group, *dpvcg-ACTION-20* please find in the Wiki and below my suggestions for a public entities' specific duties use-case covering specific requirements stemming from public law directly addressing public bodies to process personal data for consideration. Use case has been uploaded to the wiki (and marked as pending input / italics in the overview-page): https://www.w3.org/community/dpvcg/wiki/SPECIAL/PUB01_use_case Best regards Harald ===== copy and paste of the Wiki-source ==== = Use Case PUB01 – Public bodies specific requirements = = Owner of Use Case = Harald Zwingelberg affiliations: ULD, H2020-project SPECIAL = Description = This use case contains and depicts some legal requirements that are specific to some or all entities governed by public law in comparison to entities governed by private law and private cooperate law. Public entities may have specific rules applicable that mandate them to store, transfer or share personal information based on the applicable public law, e.g. freedom of information acts or the duty to cooperate with other public bodies. * public entities * event/situation it applies to ** request to acting entity *** freedom of information request *** request for administrative cooperation, which may be mandatory to reply to *** Public Prosecutor's investigations and requests *** ... ** condition met triggering data processing *** archives: obligation to offer files and data to public archives / open access / public access prior to deletion *** jurisdiction: in the course of the administrative process some change in the circumstances determining competenceobligation occurs and transfer of the case to another entity is demanded *** ... * actors/entities involved ** public entity (controller) ** recipient entity ** private or public entity requesting information = Requirements = * Public law demanding certain processing of personal data. == Related functional requirements == * Can address specific demands to process (store, retain, transfer) personal data by public entities. == Related non-functional requirements == == Requirement conflicts (if any) == Potential conflicts: Usually none. The legal norms often contain a balance between processing and preserving informational self-determination anticipated by the lawmaker or a balancing-test to be performed to resolve arising conflicts with in particular data protection laws. == Requirement similarities (if any) == Potential similarities == Requirement subsets/refinements (if any) == = Component(s) = * List of components and short explanation = Types/classes of data involved = * List with short explanation = Actors = * Public entity addressed * may have: Public or private entity demanding data = Preconditions = * Specific legal requirement applicable to public bodies triggers processing of personal data. Triggering event may e.g. be a request by a person under a freedom of information act or the end of the usual retention period triggering planned deletion of files that must by law be offered for transfer to a public archive prior to deletion. Currently used technologies: Depends on the particular case. As standard use case assume an individual request and an individual response by searching for requested data, evaluation of legal ground to process data followed by the processing asked for denial or thereof. There may be automated data exchanges in place, e.g. in German social security systems there are periodic automated data matchings foreseen to identify social fraud by e.g. obtaining unemployment benefits while already employed again. Example § 52 SGB_II (Book II of the German Social security Act). = Postconditions = * Decision done on basis of applicable law. * Met Decision followed by permitting or refusing data processing. = Normal Flow = * Trigger: ** Incomeing request for personal data ** other trigger such as a condition met * decision process to process personal data * allow or deny processing = Alternate Flows = Specify potential alternate flows = Evaluation of UC and requirements realisation = (e.g. manual, automatically...) ===== /copy and paste of the Wiki-source ==== -- Landesbeauftragte für Datenschutz Schleswig-Holstein Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1222, Fax -1223 mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/ Harald Zwingelberg, uld6@datenschutzzentrum.de Informationen über die Verarbeitung der personenbezogenen Daten durch die Landesbeauftragte für Datenschutz und zur verschlüsselten E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Wednesday, 17 October 2018 21:45:19 UTC