
Re: Fwd: Re: Taxonomy of legal bases

From: Eva Schlehahn <uld67@datenschutzzentrum.de>
Date: Tue, 9 Apr 2019 15:29:43 +0200
To: "Harshvardhan J. Pandit" <me@harshp.com>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Message-ID: <f4fea2bb-a112-14ac-3e86-b523883d75a1@datenschutzzentrum.de>

Hi Harsh, hi all,

I agree with Bud that your solution might cause misunderstanding in 
terms of validity of the consent because this is always required. :)

If you read the GDPR text for A22(2)(c) and A49(1)(a) carefully, you 
will see that they do not give the permission to process this data, but only 
impose additional conditions because of the higher risk.

Let me explain a little bit what I mean:

The GDPR in principle imposes a general prohibition to process personal 
data, unless you have a permission. This prohibition with permission 
reservation is expressed clearly in Art. 6 and in Art. 9 , whereas both 
Articles then enlist the legal bases that constitute a permission.

I am citing the relevant parts of these two articles to illustrate this 
(bold highlights by me):

Art. 6 para 1:

     '1. Processing *shall be lawful only if and to the extent that* 
at least one of the following applies:' -> *[list of legal bases follows]*

Art. 9 para 1 and 2:

     '1. Processing of personal data revealing [...here catalogue of 
special categories...] *shall be prohibited.*

     2. *Paragraph 1 shall not apply if* one of the following 
applies:' *[list of legal bases follows]*

A22(2)(c) and A49(1)(a) have no such general rule - exception because 
of permission expression in them. They just express that a certain 
modality of the consent (laid down in Art 6+9) is needed in specific 
cases (namely automated decisions/profiling, absence of adequacy 
decision, absence of appropriate safeguards like BCR etc...). So you can 
just believe me that they are indeed NOT legal bases by themselves. :)

Greetings,

Eva

On 09.04.2019 at 14:10, Harshvardhan J. Pandit wrote:
> Okay. So our terms will be -
> A6(1)(a)-non-explicit-consent
>     legal basis where valid explicit consent is NOT required
> A6(1)(a)-explicit-consent
>     legal basis where valid explicit consent IS required
>
> as not -
> A6(1)(a)
>     legal basis where valid consent is required
> A6(1)(a)-explicit-consent
>     legal basis where valid explicit consent is required
>
>> One additional comment with regard to Art. 22 para 2 (c) and Art. 49 
>> para. 1 (a) GDPR - these are NOT legal bases on their own! Rather, 
>> they describe situations where e.g. consent based on Art. 6 para 1 
>> (a) is possible, but which trigger the additional condition that it 
>> needs to be the explicit version of this consent.
> I'm curious - why is A9(2)(a) treated as a legal basis but not 
> A22(2)(c) and A49(1)(a) ?
> Doesn't A9 also state conditions where the explicit version of consent 
> in A6(1)(a) is needed? i.e. use of special categories of personal data
>
> In my mind, I'm seeing this as -
> ------------------------------------------------------------------
> consent for:     legal basis       special case       legal basis
> ------------------------------------------------------------------
> personal data      A6(1)(a)     special categories       A9(2)(a)
> ------------------------------------------------------------------
> data transfer      A6(1)(a)   third country transfer    A49(1)(a)
> ------------------------------------------------------------------
> Of course there are more conditions to A49 such as safeguards etc.
>
Received on Tuesday, 9 April 2019 13:30:17 UTC