
Re: Taxonomy of legal bases

From: Bud Bruegger <uld613@datenschutzzentrum.de>
Date: Wed, 3 Apr 2019 09:47:31 +0200
To: public-dpvcg@w3.org
Message-ID: <5b8eaa15-28b5-1fa6-59a6-2c9c51b0316d@datenschutzzentrum.de>
Hi Harsh,

if you find a "name" for Art 9(2)(h) GDPR that is short enough and 
captures the essence and that people then also map to Art 9(2)(h), you 
have totally convinced me.

This being legal, I would think Article/paragraph/letter/optional-type 
is the only way to go.  What syntax to choose is open.

preparing for the trip and leave in a sec..


On 02.04.2019 at 19:26, Harshvardhan J. Pandit wrote:
> Dear Eva, Bud. Thanks for sharing the legal basis taxonomy. A few points 
> of discussion:
> 1) Regarding fields, I would propose the following:
> name of field: regular-consent
> source/reference/defined by: GDPR Article 6(1)(a), [1]
> description: information about regular consent
> example: some scenario (preferably real-world)
> Regarding the reference field: another way someone might prefer to model 
> these would be as "subclasses" of that legal basis. E.g. A6-1c (legal 
> obligation) subclassed or specialised as "compliance with anti-fraud 
> law" (made up example). Here, the legal basis in GDPR is the top-level 
> taxonomy, and all legal bases fall under one or more categories. 
> Additionally, "compliance with anti-fraud law" also becomes a purpose 
> with processing, data storage, data sharing associated with it. This is 
> more 'explicit' than a purpose of "compliance with legal obligation".
> 2) How to avoid confusion between A6 and A9 use of the same terms? e.g. 
> explicit consent is mentioned in both - perhaps the A9 ones can be named 
> as "explicit consent for special categories of personal data" to 
> distinguish between the two (assuming the requirement that field names 
> be unique)
> 3) Consider the case where data processing has not yet taken place (but 
> is planned) and the legal basis is explicit consent, but the consent has 
> not been given yet. Example use-case would be a privacy policy. In this 
> case, the "reference to consent" field would not be present because 
> consent has not been given yet. This is distinct from 'legal obligation' 
> where the reference field can point to a specific law (e.g. URI) even 
> when processing has not yet taken place.
> This is relevant if we were to state requirements such as - reference 
> fields are required to be filled.
> 4) Would some legal bases appear as purposes? - IMHO any/all legal bases 
> can be used as purposes depending on how the Controller uses them. The 
> case for 'legal obligation' is above. Consider the case where the 
> Controller needs some information in order to collect consent - the 
> purpose of collection for that information would be "legal basis: 
> explicit consent". This information/data regarding consent can be 
> distinct from the personal data the consent is about - which will have 
> its own separate purpose.
> e.g. we require your ID card to "verify your identity" for "collecting 
> consent"; the consent itself is about collection of postal address for 
> delivery. In this case, we have two methods:
>    a: verify your identity is the purpose with legal basis "(collecting) 
> explicit consent"
>    b: verify your identity is a sub-purpose under the main purpose 
> "collecting (explicit) consent"
> 5) In our taxonomy, it would be nice to have (real-world) examples of 
> legal bases, particularly ones with references so that we can try/test 
> how these can also be modeled further into ontologies/graphs.
> Thanks,
> Harsh
> On 01/04/2019 14:36, Eva Schlehahn wrote:
>> Dear all,
>> Bud and I developed further the taxonomy of legal bases according to 
>> the GDPR. Please find attached
>>   * in the Word document file Bud's version of such a vocabulary, as
>>     well as
>>   * in the image file my extension of the already existing
>>     visualization from lawyer perspective. ;-)
>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting 
>> there. :-)
>> Greetings,
>> Eva
>> -- 
>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>> Eva Schlehahn, uld67@datenschutzzentrum.de
>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>> Information on the processing of personal data by the State
>> Commissioner for Data Protection and on encrypted e-mail
>> communication: https://datenschutzzentrum.de/datenschutzerklaerung/
> -- 
> ---
> Harshvardhan Pandit
> PhD Researcher
> ADAPT Centre
> Trinity College Dublin

Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Office of the State Commissioner for Data Protection Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Information on the processing of personal data by the State Commissioner
for Data Protection and on encrypted e-mail communication:
https://datenschutzzentrum.de/datenschutzerklaerung
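As an added illustration of the modelling questions raised in the thread above (it is not code from the thread or from the DPVCG project), the following Python sketch models the proposed entry fields (name, defined by, description, example), specialisation of a GDPR basis such as "compliance with anti-fraud law" under Art 6(1)(c), and two checks discussed in points 2 and 3: names must be unique, and a reference is required unless the basis is consent that has not yet been collected for planned processing. The entry names, the `CONSENT_BASES` set and the example URI are constructed for illustration.

```python
# Added example (not from the thread or the DPVCG project): the entry fields
# proposed above, subclassing, and two checks the thread raises.
from dataclasses import dataclass
from typing import Optional

# Consent bases: until the data subject acts (e.g. in a privacy policy) there is no consent record to reference.
CONSENT_BASES = {"GDPR Article 6(1)(a)", "GDPR Article 9(2)(a)"}

@dataclass
class LegalBasis:
    name: str                        # unique field name
    defined_by: str                  # Article/paragraph/letter
    description: str
    example: str = ""
    reference: Optional[str] = None  # URI of the law or consent record
    parent: Optional[str] = None     # basis this one specialises
    planned: bool = False            # processing has not taken place yet

class Taxonomy:
    def __init__(self):
        self.entries = {}

    def add(self, basis):
        if basis.name in self.entries:
            raise ValueError("duplicate name: " + basis.name)
        if basis.parent is not None:
            parent = self.entries.get(basis.parent)
            # a specialisation must sit under a known basis of the same article
            if parent is None or parent.defined_by != basis.defined_by:
                raise ValueError("bad parent for " + basis.name)
        self.entries[basis.name] = basis

    def missing_references(self):
        """Entries lacking a reference although one is required."""
        return sorted(b.name for b in self.entries.values()
                      if b.reference is None
                      and not (b.planned and b.defined_by in CONSENT_BASES))

def build_example_taxonomy():
    t = Taxonomy()
    t.add(LegalBasis("regular-consent", "GDPR Article 6(1)(a)",
                     "consent of the data subject", planned=True))
    t.add(LegalBasis("explicit-consent-special-categories",
                     "GDPR Article 9(2)(a)", "explicit consent, Art 9 data"))
    t.add(LegalBasis("legal-obligation", "GDPR Article 6(1)(c)",
                     "compliance with a legal obligation",
                     reference="https://example.org/law/PLACEHOLDER"))
    t.add(LegalBasis("anti-fraud-law", "GDPR Article 6(1)(c)",
                     "made-up specialisation", parent="legal-obligation"))
    return t
```

Running `build_example_taxonomy().missing_references()` flags the A9 consent entry and the anti-fraud specialisation, while the planned A6(1)(a) consent is accepted without a reference.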
Received on Wednesday, 3 April 2019 07:48:07 UTC
