- From: Eva Schlehahn <uld67@datenschutzzentrum.de>
- Date: Tue, 9 Apr 2019 15:29:43 +0200
- To: "Harshvardhan J. Pandit" <me@harshp.com>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
- Message-ID: <f4fea2bb-a112-14ac-3e86-b523883d75a1@datenschutzzentrum.de>
Hi Harsh, hi all,
I agree with Bud that your solution might cause misunderstanding in
terms of validity of the consent because this is always required. :)
If you read the GDPR text for A22(2)(c) and A49(1)(a) carefully, you
will see that they do not give the permission to process this data, but only
impose additional conditions because of the higher risk.
Let me explain a little bit what I mean:
The GDPR in principle imposes a general prohibition to process personal
data, unless you have a permission. This prohibition with permission
reservation is expressed clearly in Art. 6 and in Art. 9, whereas both
Articles then list the legal bases that constitute a permission.
I am citing the relevant parts of these two articles to illustrate this
(bold highlights by me):
_Art. 6 para 1:_
'1. Processing *shall be lawful only if and to the extent that* at least
one of the following applies:' -> *[list of legal bases follows]*
_Art. 9 para 1 and 2:_
'1. Processing of personal data revealing [...here catalogue of
special categories...] *shall be prohibited.*
2. *Paragraph 1 shall not apply if* one of the following
applies:' *[list of legal bases follows]*
A22(2)(c) and A49(1)(a) have no such "general rule - exception because
of permission" expression in them. They just express that a certain
modality of the consent (laid down in Art 6+9) is needed in specific
cases (namely automated decisions/profiling, absence of adequacy
decision, absence of appropriate safeguards like BCR etc...). So you can
just believe me that they are indeed NOT legal bases by themselves. :)
Greetings,
Eva
On 09.04.2019 at 14:10, Harshvardhan J. Pandit wrote:
> Okay. So our terms will be -
> A6(1)(a)-non-explicit-consent
> legal basis where valid explicit consent is NOT required
> A6(1)(a)-explicit-consent
> legal basis where valid explicit consent IS required
>
> and not -
> A6(1)(a)
> legal basis where valid consent is required
> A6(1)(a)-explicit-consent
> legal basis where valid explicit consent is required
>
>> One additional comment with regard to Art. 22 para 2 (c) and Art. 49
>> para. 1 (a) GDPR - these are NOT legal bases on their own! Rather,
>> they describe situations where e.g. consent based on Art. 6 para 1
>> (a) is possible, but which trigger the additional condition that it
>> needs to be the explicit version of this consent.
> I'm curious - why is A9(2)(a) treated as a legal basis but not
> A22(2)(c) and A49(1)(a) ?
> Doesn't A9 also state conditions where the explicit version of consent
> in A6(1)(a) is needed? i.e. use of special categories of personal data
>
> In my mind, I'm seeing this as -
> ------------------------------------------------------------------------
> consent for:    legal basis   special case             legal basis
> ------------------------------------------------------------------------
> personal data   A6(1)(a)      special categories       A9(2)(a)
> ------------------------------------------------------------------------
> data transfer   A6(1)(a)      third country transfer   A49(1)(a)
> ------------------------------------------------------------------------
> Of course there are more conditions to A49 such as safeguards etc.
>
Received on Tuesday, 9 April 2019 13:30:17 UTC