W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2019

Re: Taxonomy of legal 6bases

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Tue, 2 Apr 2019 18:26:18 +0100
To: Eva Schlehahn <uld67@datenschutzzentrum.de>, Bud Bruegger <uld613@datenschutzzentrum.de>
Cc: public-dpvcg@w3.org
Message-ID: <492ce973-2ff7-cd75-d79b-98bc5864bfbc@harshp.com>
Dear Eva, Bud. Thanks for sharing the legal basis taxonomy. A few points 
of discussion:

1) Regarding fields, I would propose the following:

name of field: regular-consent

source/reference/defined by: GDPR Article 6(1)(a), [1]

description: information about regular consent

example: some scenario (preferably real-world)

Regarding the reference field: another way someone might prefer to model 
these would be as "subclasses" of that legal basis. E.g. A6-1c (legal 
obligation) subclassed or specialised as "compliance with anti-fraud 
law" (made up example). Here, the legal basis in GDPR is the top-level 
taxonomy, and all legal basis fall under one or more categories. 
Additionally, "compliance with anti-fraud law" also becomes a purpose 
with processing, data storage, data sharing associated with it. This is 
more 'explicit' than a purpose of "compliance with legal obligation".

2) How to avoid confusion between A6 and A9 use of the same terms? e.g. 
explicit consent is mentioned in both - perhaps the A9 ones can be named 
as "explicit consent for special categories of personal data" to 
distinguish between the two (assuming the requirement that field names 
be unique)

3) Consider the case where data processing has not yet taken place (but 
is planned) and the legal basis is explicit consent, but the consent has 
not been given yet. Example use-case would be a privacy policy. In this 
case, the "reference to consent" field would not be present because 
consent has not been given yet. This is distinct from 'legal obligation' 
where the reference field can point to a specific law (e.g. URI) even 
when processing has not yet taken place.

This is relevant if we were to state requirements such as - reference 
fields are required to filled.

4) Would some legal basis appear as purposes? - IMHO any/all legal basis 
can be used as purposes depending on how the Controller uses them. The 
case for 'legal obligation' is above. Consider the case where the 
Controller needs some information in order to collect consent - the 
purpose of collection for that information would be "legal basis: 
explicit consent". This information/data regarding consent can be 
distinct from the personal data the consent is about - which will have 
its own separate purpose.

e.g. we require your ID card to "verify your identity" for "collecting 
consent"; the consent itself is about collection of postal address for 
delivery. In this case, we have two methods:

   a: verify your identity is the purpose with legal basis "(collecting) 
explicit consent"

   b: verify your identity is a sub-purpose under the main purpose 
"collecting (explicit) consent"

5) In our taxonomy, it would be nice to have (real-world) examples of 
legal basis, particularly ones with references so that we can try/test 
how these can be also be modeled further into ontologies/graphs.



On 01/04/2019 14:36, Eva Schlehahn wrote:
> Dear all,
> Bud and I developed further the taxonomy of legal bases according to 
> the GDPR. Please find attached
>   * in the Word document file Bud's version of such a vocabulary, as
>     well as
>   * in the image file my extension of the already existing
>     visualization from lawyer perspective. ;-)
> A pity I cannot make it to Vienna. I wish you all a fruitful meeting 
> there. :-)
> Greetings,
> Eva
> -- 
> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
> Eva Schlehahn,uld67@datenschutzzentrum.de
> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
> mail@datenschutzzentrum.de  -https://www.datenschutzzentrum.de/
> Informationen über die Verarbeitung der personenbezogenen Daten durch
> die Landesbeauftragte für Datenschutz und zur verschlüsselten
> E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/

Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Tuesday, 2 April 2019 17:27:03 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:57 UTC