- From: Bud Bruegger <uld613@datenschutzzentrum.de>
- Date: Wed, 10 Apr 2019 07:58:54 +0200
- To: public-dpvcg@w3.org
Good morning, Harsh

I think we should be precise with the wording. I think it should be as follows:

A6(1)(a)-non-explicit-consent:
    legal basis that requires valid consent but not at level "explicit"
  or
    legal basis that requires valid consent but not at level GDPR-explicit

A6(1)(a)-explicit-consent:
    legal basis that requires valid consent at level "explicit"
  or
    legal basis that requires valid consent at level GDPR-explicit

Best cheers
-b

On 09.04.2019 at 15:32, Harshvardhan J. Pandit wrote:
> Thanks Eva, that clears up (and shows my lack of legal knowledge *gulp*)
> So we will add to the spreadsheet the terms as listed in
> https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0089.html with
> the change in description as suggested by Bud and Eva regarding valid
> and explicit consent.
>
> On 09/04/2019 14:29, Eva Schlehahn wrote:
>> Hi Harsh, hi all,
>>
>> I agree with Bud that your solution might cause misunderstanding in
>> terms of validity of the consent because this is always required. :)
>>
>> If you read the GDPR text for A22(2)(c) and A49(1)(a) carefully, you
>> will see that they give not the permission to process this data, but
>> only impose additional conditions because of the higher risk.
>>
>> Let me explain a little bit what I mean:
>>
>> The GDPR in principle imposes a general prohibition to process
>> personal data, unless you have a permission. This prohibition with
>> permission reservation is expressed clearly in Art. 6 and in Art. 9,
>> whereas both Articles then enlist the legal bases that constitute a
>> permission.
>>
>> I am citing the relevant parts of these two articles to illustrate
>> this (bold highlights by me):
>>
>> _Art. 6 para 1:_
>>
>> '/1. Processing *shall be lawful only if and to the extent that* at
>> least one of the following applies:/' -> *[list of legal bases follows]*
>>
>> _Art. 9 para 1 and 2:_
>>
>> '/1. Processing of personal data revealing [...here catalogue of
>> special categories...] *shall be prohibited.*/
>>
>> /2. *Paragraph 1 shall not apply if* one of the following
>> applies:/' *[list of legal bases follows]*
>>
>> A22(2)(c) and A49(1)(a) have no such a general rule - exception
>> because of permission expression in them. They just express that a
>> certain modality of the consent (laid down in Art 6+9) is needed in
>> specific cases (namely automated decisions/profiling, absence of
>> adequacy decision, absence of appropriate safeguards like BCR etc...).
>> So you can just believe me that they are indeed NOT legal bases by
>> themselves. :)
>>
>> Greetings,
>>
>> Eva
>>
>> On 09.04.2019 at 14:10, Harshvardhan J. Pandit wrote:
>>> Okay. So our terms will be -
>>> A6(1)(a)-non-explicit-consent
>>>     legal basis where valid explicit consent is NOT required
>>> A6(1)(a)-explicit-consent
>>>     legal basis where valid explicit consent IS required
>>>
>>> as not -
>>> A6(1)(a)
>>>     legal basis where valid consent is required
>>> A6(1)(a)-explicit-consent
>>>     legal basis where valid explicit consent is required
>>>
>>>> One additional comment with regard to Art. 22 para 2 (c) and Art. 49
>>>> para. 1 (a) GDPR - these are NOT legal bases on their own! Rather,
>>>> they describe situations where e.g. consent based on Art. 6 para 1
>>>> (a) is possible, but which trigger the additional condition that it
>>>> needs to be the explicit version of this consent.
>>> I'm curious - why is A9(2)(a) treated as a legal basis but not
>>> A22(2)(c) and A49(1)(a) ?
>>> Doesn't A9 also state conditions where the explicit version of
>>> consent in A6(1)(a) is needed? i.e. use of special categories of
>>> personal data
>>>
>>> In my mind, I'm seeing this as -
>>> ------------------------------------------------------------------
>>> consent for:    legal basis   special case             legal basis
>>> ------------------------------------------------------------------
>>> personal data   A6(1)(a)      special categories       A9(2)(a)
>>> ------------------------------------------------------------------
>>> data transfer   A6(1)(a)      third country transfer   A49(1)(a)
>>> ------------------------------------------------------------------
>>> Of course there are more conditions to A49 such as safeguards etc.
>>>
>

--
Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
ULD613@datenschutzzentrum.de
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Information on the processing of personal data by the Landesbeauftragte für Datenschutz and on encrypted e-mail communication:
https://datenschutzzentrum.de/datenschutzerklaerung
Received on Wednesday, 10 April 2019 05:59:31 UTC