- From: Eva Schlehahn <uld67@datenschutzzentrum.de>
- Date: Wed, 10 Apr 2019 09:00:54 +0200
- To: public-dpvcg@w3.org
Hi all,

+1 regarding Bud's suggestion. :)

Greetings,

Eva

On 10.04.2019 at 07:58, Bud Bruegger wrote:
> Good morning, Harsh
>
> I think we should be precise with the wording. I think it should be
> as follows:
>
> A6(1)(a)-non-explicit-consent:
>
> legal basis that requires valid consent but not at level "explicit"
>
> or
>
> legal basis that requires valid consent but not at level
> GDPR-explicit
>
> A6(1)(a)-explicit-consent:
>
> legal basis that requires valid consent at level "explicit"
>
> or
>
> legal basis that requires valid consent at level GDPR-explicit
>
> Best cheers
> -b
>
> On 09.04.2019 at 15:32, Harshvardhan J. Pandit wrote:
>> Thanks Eva, that clears up (and shows my lack of legal knowledge *gulp*)
>> So we will add to the spreadsheet the terms as listed in
>> https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0089.html
>> with the change in description as suggested by Bud and Eva regarding
>> valid and explicit consent.
>>
>> On 09/04/2019 14:29, Eva Schlehahn wrote:
>>> Hi Harsh, hi all,
>>>
>>> I agree with Bud that your solution might cause misunderstanding in
>>> terms of validity of the consent because this is always required. :)
>>>
>>> If you read the GDPR text for A22(2)(c) and A49(1)(a) carefully,
>>> you will see that they give not the permission to process this data,
>>> but only impose additional conditions because of the higher risk.
>>>
>>> Let me explain a little bit what I mean:
>>>
>>> The GDPR in principle imposes a general prohibition to process
>>> personal data, unless you have a permission. This prohibition with
>>> permission reservation is expressed clearly in Art. 6 and in Art. 9,
>>> whereas both Articles then enlist the legal bases that constitute
>>> a permission.
>>>
>>> I am citing the relevant parts of these two articles to illustrate
>>> this (bold highlights by me):
>>>
>>> Art. 6 para 1:
>>>
>>> '1. Processing *shall be lawful only if and to the extent that*
>>> at least one of the following applies:' -> *[list of legal bases
>>> follows]*
>>>
>>> Art. 9 para 1 and 2:
>>>
>>> '1. Processing of personal data revealing [...here catalogue
>>> of special categories...] *shall be prohibited.*
>>>
>>> 2. *Paragraph 1 shall not apply if* one of the following
>>> applies:' *[list of legal bases follows]*
>>>
>>> A22(2)(c) and A49(1)(a) have no such a general rule - exception
>>> because of permission expression in them. They just express that a
>>> certain modality of the consent (laid down in Art 6+9) is needed in
>>> specific cases (namely automated decisions/profiling, absence of
>>> adequacy decision, absence of appropriate safeguards like BCR
>>> etc...). So you can just believe me that they are indeed NOT legal
>>> bases by themselves. :)
>>>
>>> Greetings,
>>>
>>> Eva
>>>
>>> On 09.04.2019 at 14:10, Harshvardhan J. Pandit wrote:
>>>> Okay. So our terms will be -
>>>> A6(1)(a)-non-explicit-consent
>>>>     legal basis where valid explicit consent is NOT required
>>>> A6(1)(a)-explicit-consent
>>>>     legal basis where valid explicit consent IS required
>>>>
>>>> as not -
>>>> A6(1)(a)
>>>>     legal basis where valid consent is required
>>>> A6(1)(a)-explicit-consent
>>>>     legal basis where valid explicit consent is required
>>>>
>>>>> One additional comment with regard to Art. 22 para 2 (c) and Art.
>>>>> 49 para. 1 (a) GDPR - these are NOT legal bases on their own!
>>>>> Rather, they describe situations where e.g. consent based on Art.
>>>>> 6 para 1 (a) is possible, but which trigger the additional
>>>>> condition that it needs to be the explicit version of this consent.
>>>> I'm curious - why is A9(2)(a) treated as a legal basis but not
>>>> A22(2)(c) and A49(1)(a) ?
>>>> Doesn't A9 also state conditions where the explicit version of
>>>> consent in A6(1)(a) is needed? i.e. use of special categories of
>>>> personal data
>>>>
>>>> In my mind, I'm seeing this as -
>>>> ------------------------------------------------------------------
>>>> consent for:   legal basis  special case            legal basis
>>>> ------------------------------------------------------------------
>>>> personal data  A6(1)(a)     special categories      A9(2)(a)
>>>> ------------------------------------------------------------------
>>>> data transfer  A6(1)(a)     third country transfer  A49(1)(a)
>>>> ------------------------------------------------------------------
>>>> Of course there are more conditions to A49 such as safeguards etc.
>>>>
Received on Wednesday, 10 April 2019 07:01:28 UTC