Re: Taxonomy of legal 6bases from Harshvardhan J. Pandit on 2019-04-03 (public-dpvcg@w3.org from April 2019)

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Wed, 3 Apr 2019 16:00:12 +0100
To: Bud Bruegger <uld613@datenschutzzentrum.de>
Cc: public-dpvcg@w3.org
Message-ID: <d42e7dea-19ae-652f-3b02-40c56f1d4837@harshp.com>
Hi Bud.

I agree that legal references follow the particular format (based on 
Article-Para...), however my argument was for a more "human-readable" or 
"layman-friendly" name such as consent or legitimate interest with a 
reference to its 'source' or 'definition' provided by the 
Article-Para... reference.

On 03/04/2019 08:47, Bud Bruegger wrote:
> Hi Harsh,
>
> if you find a "name" for Art 9(2)(h) GDPR that is short enough and 
> captures the essence and that people then also map to Art 9(2)(h), you 
> have totally convinced me.
>
> This being legal, I would think Article/paragraph/letter/optional-type 
> is the only way to go. What syntax to chose is open.
>
> preparing for the trip and leave in a sec..
>
> -b
>
> Am 02.04.2019 um 19:26 schrieb Harshvardhan J. Pandit:
>> Dear Eva, Bud. Thanks for sharing the legal basis taxonomy. A few 
>> points of discussion:
>>
>> 1) Regarding fields, I would propose the following:
>>
>> name of field: regular-consent
>>
>> source/reference/defined by: GDPR Article 6(1)(a), [1]
>>
>> description: information about regular consent
>>
>> example: some scenario (preferably real-world)
>>
>> Regarding the reference field: another way someone might prefer to 
>> model these would be as "subclasses" of that legal basis. E.g. A6-1c 
>> (legal obligation) subclassed or specialised as "compliance with 
>> anti-fraud law" (made up example). Here, the legal basis in GDPR is 
>> the top-level taxonomy, and all legal basis fall under one or more 
>> categories. Additionally, "compliance with anti-fraud law" also 
>> becomes a purpose with processing, data storage, data sharing 
>> associated with it. This is more 'explicit' than a purpose of 
>> "compliance with legal obligation".
>>
>> 2) How to avoid confusion between A6 and A9 use of the same terms? 
>> e.g. explicit consent is mentioned in both - perhaps the A9 ones can 
>> be named as "explicit consent for special categories of personal 
>> data" to distinguish between the two (assuming the requirement that 
>> field names be unique)
>>
>> 3) Consider the case where data processing has not yet taken place 
>> (but is planned) and the legal basis is explicit consent, but the 
>> consent has not been given yet. Example use-case would be a privacy 
>> policy. In this case, the "reference to consent" field would not be 
>> present because consent has not been given yet. This is distinct from 
>> 'legal obligation' where the reference field can point to a specific 
>> law (e.g. URI) even when processing has not yet taken place.
>>
>> This is relevant if we were to state requirements such as - reference 
>> fields are required to filled.
>>
>> 4) Would some legal basis appear as purposes? - IMHO any/all legal 
>> basis can be used as purposes depending on how the Controller uses 
>> them. The case for 'legal obligation' is above. Consider the case 
>> where the Controller needs some information in order to collect 
>> consent - the purpose of collection for that information would be 
>> "legal basis: explicit consent". This information/data regarding 
>> consent can be distinct from the personal data the consent is about - 
>> which will have its own separate purpose.
>>
>> e.g. we require your ID card to "verify your identity" for 
>> "collecting consent"; the consent itself is about collection of 
>> postal address for delivery. In this case, we have two methods:
>>
>>    a: verify your identity is the purpose with legal basis 
>> "(collecting) explicit consent"
>>
>>    b: verify your identity is a sub-purpose under the main purpose 
>> "collecting (explicit) consent"
>>
>> 5) In our taxonomy, it would be nice to have (real-world) examples of 
>> legal basis, particularly ones with references so that we can 
>> try/test how these can be also be modeled further into 
>> ontologies/graphs.
>>
>> Thanks,
>>
>> Harsh
>>
>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>>
>>> Dear all,
>>>
>>> Bud and I developed further the taxonomy of legal bases according to 
>>> the GDPR. Please find attached
>>>
>>>   * in the Word document file Bud's version of such a vocabulary, as
>>>     well as
>>>   * in the image file my extension of the already existing
>>>     visualization from lawyer perspective. ;-)
>>>
>>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting 
>>> there. :-)
>>>
>>> Greetings,
>>>
>>> Eva
>>>
>>> -- 
>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>> Eva Schlehahn,uld67@datenschutzzentrum.de
>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>> mail@datenschutzzentrum.de -https://www.datenschutzzentrum.de/
>>>
>>> Informationen über die Verarbeitung der personenbezogenen Daten durch
>>> die Landesbeauftragte für Datenschutz und zur verschlüsselten
>>> E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/ 
>>>
>>
>> -- 
>> ---
>> Harshvardhan Pandit
>> PhD Researcher
>> ADAPT Centre
>> Trinity College Dublin
>>
>
-- 
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Wednesday, 3 April 2019 15:01:10 UTC