- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Tue, 9 Apr 2019 14:32:28 +0100
- To: Eva Schlehahn <uld67@datenschutzzentrum.de>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>

Thanks Eva, that clears up (and shows my lack of legal knowledge *gulp*)
So we will add to the spreadsheet the terms as listed in
https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0089.html
with the change in description as suggested by Bud and Eva regarding
valid and explicit consent.

On 09/04/2019 14:29, Eva Schlehahn wrote:
> Hi Harsh, hi all,
>
> I agree with Bud that your solution might cause misunderstanding in
> terms of validity of the consent because this is always required. :)
>
> If you read the GDPR text for A22(2)(c) and A49(1)(a) carefully, you
> will see that they give not the permission to process this data, but only
> impose additional conditions because of the higher risk.
>
> Let me explain a little bit what I mean:
>
> The GDPR in principle imposes a general prohibition to process personal
> data, unless you have a permission. This prohibition with permission
> reservation is expressed clearly in Art. 6 and in Art. 9, whereas both
> Articles then enlist the legal bases that constitute a permission.
>
> I am citing the relevant parts of these two articles to illustrate this
> (bold highlights by me):
>
> _Art. 6 para 1: _
>
> '/1. Processing //*shall be lawful only if and to the
> extent*//*that*//at least one of the following applies:/' -> *[list of
> legal bases follows]*
>
> _Art. 9 para 1 and 2:_
>
> '/1. Processing of personal data revealing [...here catalogue of
> special categories...] //*shall be prohibited.*/
>
> / 2. //*Paragraph 1 shall not apply if *//one of the following
> applies:/' *[list of legal bases follows]*
>
> A22(2)(c) and A49(1)(a) have no such a general rule - exception because
> of permission expression in them. They just express that a certain
> modality of the consent (laid down in Art 6+9) is needed in specific
> cases (namely automated decisions/profiling, absence of adequacy
> decision, absence of appropriate safeguards like BCR etc...). So you can
> just believe me that they are indeed NOT legal bases by themselves. :)
>
> Greetings,
>
> Eva
>
> On 09.04.2019 at 14:10, Harshvardhan J. Pandit wrote:
>> Okay. So our terms will be -
>> A6(1)(a)-non-explicit-consent
>> legal basis where valid explicit consent is NOT required
>> A6(1)(a)-explicit-consent
>> legal basis where valid explicit consent IS required
>>
>> as not -
>> A6(1)(a)
>> legal basis where valid consent is required
>> A6(1)(a)-explicit-consent
>> legal basis where valid explicit consent is required
>>
>>> One additional comment with regard to Art. 22 para 2 (c) and Art. 49
>>> para. 1 (a) GDPR - these are NOT legal bases on their own! Rather,
>>> they describe situations where e.g. consent based on Art. 6 para 1
>>> (a) is possible, but which trigger the additional condition that it
>>> needs to be the explicit version of this consent.
>> I'm curious - why is A9(2)(a) treated as a legal basis but not
>> A22(2)(c) and A49(1)(a) ?
>> Doesn't A9 also state conditions where the explicit version of consent
>> in A6(1)(a) is needed? i.e. use of special categories of personal data
>>
>> In my mind, I'm seeing this as -
>> ------------------------------------------------------------------
>> consent for:    legal basis   special case             legal basis
>> ------------------------------------------------------------------
>> personal data   A6(1)(a)      special categories       A9(2)(a)
>> ------------------------------------------------------------------
>> data transfer   A6(1)(a)      third country transfer   A49(1)(a)
>> ------------------------------------------------------------------
>> Of course there are more conditions to A49 such as safeguards etc.
>>

-- 
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin

Received on Tuesday, 9 April 2019 13:33:36 UTC