- From: Bud Bruegger <uld613@datenschutzzentrum.de>
- Date: Wed, 3 Apr 2019 09:47:31 +0200
- To: public-dpvcg@w3.org
Hi Harsh,

if you find a "name" for Art 9(2)(h) GDPR that is short enough and captures the essence and that people then also map to Art 9(2)(h), you have totally convinced me.

This being legal, I would think Article/paragraph/letter/optional-type is the only way to go. What syntax to choose is open.

preparing for the trip and leave in a sec..

-b

On 02.04.2019 at 19:26, Harshvardhan J. Pandit wrote:
> Dear Eva, Bud. Thanks for sharing the legal basis taxonomy. A few points
> of discussion:
>
> 1) Regarding fields, I would propose the following:
>
> name of field: regular-consent
>
> source/reference/defined by: GDPR Article 6(1)(a), [1]
>
> description: information about regular consent
>
> example: some scenario (preferably real-world)
>
> Regarding the reference field: another way someone might prefer to model
> these would be as "subclasses" of that legal basis. E.g. A6-1c (legal
> obligation) subclassed or specialised as "compliance with anti-fraud
> law" (made up example). Here, the legal basis in GDPR is the top-level
> taxonomy, and all legal basis fall under one or more categories.
> Additionally, "compliance with anti-fraud law" also becomes a purpose
> with processing, data storage, data sharing associated with it. This is
> more 'explicit' than a purpose of "compliance with legal obligation".
>
> 2) How to avoid confusion between A6 and A9 use of the same terms? e.g.
> explicit consent is mentioned in both - perhaps the A9 ones can be named
> as "explicit consent for special categories of personal data" to
> distinguish between the two (assuming the requirement that field names
> be unique)
>
> 3) Consider the case where data processing has not yet taken place (but
> is planned) and the legal basis is explicit consent, but the consent has
> not been given yet. Example use-case would be a privacy policy. In this
> case, the "reference to consent" field would not be present because
> consent has not been given yet. This is distinct from 'legal obligation'
> where the reference field can point to a specific law (e.g. URI) even
> when processing has not yet taken place.
>
> This is relevant if we were to state requirements such as - reference
> fields are required to be filled.
>
> 4) Would some legal basis appear as purposes? - IMHO any/all legal basis
> can be used as purposes depending on how the Controller uses them. The
> case for 'legal obligation' is above. Consider the case where the
> Controller needs some information in order to collect consent - the
> purpose of collection for that information would be "legal basis:
> explicit consent". This information/data regarding consent can be
> distinct from the personal data the consent is about - which will have
> its own separate purpose.
>
> e.g. we require your ID card to "verify your identity" for "collecting
> consent"; the consent itself is about collection of postal address for
> delivery. In this case, we have two methods:
>
> a: verify your identity is the purpose with legal basis "(collecting)
> explicit consent"
>
> b: verify your identity is a sub-purpose under the main purpose
> "collecting (explicit) consent"
>
> 5) In our taxonomy, it would be nice to have (real-world) examples of
> legal basis, particularly ones with references so that we can try/test
> how these can also be modeled further into ontologies/graphs.
>
> Thanks,
>
> Harsh
>
> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>
>> Dear all,
>>
>> Bud and I developed further the taxonomy of legal bases according to
>> the GDPR. Please find attached
>>
>> * in the Word document file Bud's version of such a vocabulary, as
>> well as
>> * in the image file my extension of the already existing
>> visualization from lawyer perspective. ;-)
>>
>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting
>> there. :-)
>>
>> Greetings,
>>
>> Eva
>>
>> --
>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>> Eva Schlehahn, uld67@datenschutzzentrum.de
>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>>
>> Information on the processing of personal data by the
>> Landesbeauftragte für Datenschutz and on encrypted
>> e-mail communication: https://datenschutzzentrum.de/datenschutzerklaerung/
>
> --
> ---
> Harshvardhan Pandit
> PhD Researcher
> ADAPT Centre
> Trinity College Dublin
>

--
Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
ULD613@datenschutzzentrum.de
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Information on the processing of personal data by the Landesbeauftragte für Datenschutz and on encrypted e-mail communication: https://datenschutzzentrum.de/datenschutzerklaerung

Received on Wednesday, 3 April 2019 07:48:07 UTC