
Re: Fwd: Re: Taxonomy of legal bases

From: Bud Bruegger <uld613@datenschutzzentrum.de>
Date: Wed, 10 Apr 2019 07:58:54 +0200
To: public-dpvcg@w3.org
Message-ID: <7d823cca-fd38-653a-757f-31cb4f453464@datenschutzzentrum.de>
Good morning, Harsh

I think we should be precise with the wording.  I think it should be as 


      legal basis that requires valid consent but not at level "explicit"


      legal basis that requires valid consent but not at level


      legal basis that requires valid consent at level "explicit"


      legal basis that requires valid consent at level GDPR-explicit

Best cheers

On 09.04.2019 at 15:32, Harshvardhan J. Pandit wrote:
> Thanks Eva, that clears up (and shows my lack of legal knowledge *gulp*)
> So we will add to the spreadsheet the terms as listed in 
> https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0089.html with 
> the change in description as suggested by Bud and Eva regarding valid 
> and explicit consent.
> On 09/04/2019 14:29, Eva Schlehahn wrote:
>> Hi Harsh, hi all,
>> I agree with Bud that your solution might cause misunderstanding in 
>> terms of validity of the consent because this is always required. :)
>> If you read the GDPR text for A22(2)(c) and A49(1)(a) carefully, you 
>> will see that they give not the permission to process this data, but 
>> only impose additional conditions because of the higher risk.
>> Let me explain a little bit what I mean:
>> The GDPR in principle imposes a general prohibition to process 
>> personal data, unless you have a permission. This prohibition with 
>> permission reservation is expressed clearly in Art. 6 and in Art. 9 , 
>> whereas both Articles then enlist the legal bases that constitute a 
>> permission.
>> I am citing the relevant parts of these two articles to illustrate 
>> this (bold highlights by me):
>> _Art. 6 para 1:_
>>      '1. Processing *shall be lawful only if and to the extent that* 
>> at least one of the following applies:' -> *[list of legal bases 
>> follows]*
>> _Art. 9 para 1 and 2:_
>>      '1. Processing of personal data revealing [...here catalogue of 
>> special categories...] *shall be prohibited.*
>>      2. *Paragraph 1 shall not apply if* one of the following 
>> applies:' *[list of legal bases follows]*
>> A22(2)(c) and A49(1)(a) have no such a general rule - exception 
>> because of permission expression in them. They just express that a 
>> certain modality of the consent (laid down in Art 6+9) is needed in 
>> specific cases (namely automated decisions/profiling, absence of 
>> adequacy decision, absence of appropriate safeguards like BCR etc...). 
>> So you can just believe me that they are indeed NOT legal bases by 
>> themselves. :)
>> Greetings,
>> Eva
>> On 09.04.2019 at 14:10, Harshvardhan J. Pandit wrote:
>>> Okay. So our terms will be -
>>> A6(1)(a)-non-explicit-consent
>>>     legal basis where valid explicit consent is NOT required
>>> A6(1)(a)-explicit-consent
>>>     legal basis where valid explicit consent IS required
>>> as not -
>>> A6(1)(a)
>>>     legal basis where valid consent is required
>>> A6(1)(a)-explicit-consent
>>>     legal basis where valid explicit consent is required
>>>> One additional comment with regard to Art. 22 para 2 (c) and Art. 49 
>>>> para. 1 (a) GDPR - these are NOT legal bases on their own! Rather, 
>>>> they describe situations where e.g. consent based on Art. 6 para 1 
>>>> (a) is possible, but which trigger the additional condition that it 
>>>> needs to be the explicit version of this consent.
>>> I'm curious - why is A9(2)(a) treated as a legal basis but not 
>>> A22(2)(c) and A49(1)(a) ?
>>> Doesn't A9 also state conditions where the explicit version of 
>>> consent in A6(1)(a) is needed? i.e. use of special categories of 
>>> personal data
>>> In my mind, I'm seeing this as -
>>> ------------------------------------------------------------------
>>> consent for:     legal basis       special case       legal basis
>>> ------------------------------------------------------------------
>>> personal data      A6(1)(a)     special categories       A9(2)(a)
>>> ------------------------------------------------------------------
>>> data transfer      A6(1)(a)   third country transfer    A49(1)(a)
>>> ------------------------------------------------------------------
>>> Of course there are more conditions to A49 such as safeguards etc.

Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Information on the processing of personal data by the
Landesbeauftragte für Datenschutz and on encrypted
e-mail communication: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Wednesday, 10 April 2019 05:59:31 UTC
