W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2019

Re: Taxonomy of legal bases

From: Axel Polleres <axel.polleres@wu.ac.at>
Date: Mon, 22 Apr 2019 15:14:25 +0200
To: Bud Bruegger <uld613@datenschutzzentrum.de>, public-dpvcg@w3.org
Message-Id: <E15D001E-A0BB-4EC4-A95E-8362A522D334@wu.ac.at>
FWIW: as a small edit, I have changed the IDs in the LegalBasis tab 

 https://docs.google.com/spreadsheets/d/13d1eRXZZBCw84vYGoCJeMU08rzkkzadDzxY3n2iOi8k/edit#gid=1263866022

to use a new prefix 
  dpv-gdpr:

which I proposed to use for referring to specific articles of GDPR, see also the explanation in the namespaces section of the spec document, cf. 

https://docs.google.com/document/d/1Z3Eb5rZjrdWcE5u5o0CYzA_LPyGaTqmg84ecGve_ZLA/edit#heading=h.6nugw4ps9prq

If possible, please discuss this proposed new namespace tomorrow...

Axel

--
Prof. Dr. Axel Polleres
Institute for Information Business, WU Vienna
url: http://www.polleres.net/  twitter: @AxelPolleres

> On 10.04.2019, at 07:58, Bud Bruegger <uld613@datenschutzzentrum.de> wrote:
> 
> Good morning, Harsh
> 
> I think we should be precise with the wording.  I think it should be as follows:
> 
> A6(1)(a)-non-explicit-consent:
> 
>     legal basis that requires valid consent but not at level "explicit"
> 
>   or
> 
>     legal basis that requires valid consent but not at level
>     GDPR-explicit
> 
> A6(1)(a)-explicit-consent:
> 
>     legal basis that requires valid consent at level "explicit"
> 
>   or
> 
>     legal basis that requires valid consent at level GDPR-explicit
> 
> Best cheers
> -b
> 
> Am 09.04.2019 um 15:32 schrieb Harshvardhan J. Pandit:
>> Thanks Eva, that clears up (and shows my lack of legal knowledge *gulp*)
>> So we will add to the spreadsheet the terms as listed in https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0089.html with the change in description as suggested by Bud and Eva regarding valid and explicit consent.
>> On 09/04/2019 14:29, Eva Schlehahn wrote:
>>> Hi Harsh, hi all,
>>> 
>>> I agree with Bud that your solution might cause misunderstanding in terms of validity of the consent because this is always required. :)
>>> 
>>> If you read the GDPR text for  A22(2)(c) and A49(1)(a) carefully, you will see that the give not the permission to process this data, but only impose additional conditions because of the higher risk.
>>> 
>>> Let me explain a little bit what I mean:
>>> 
>>> The GDPR in principle imposes a general prohibition to process personal data, unless you have a permission. This prohibition with permission reservation is expressed clearly in Art. 6 and in Art. 9 , whereas both Articles then enlist the legal bases that constitute a permission.
>>> 
>>> I am citing the relevant parts of these two articles to illustrate this (bold highlights by me):
>>> 
>>> _Art. 6 para 1: _
>>> 
>>>      '/1. Processing //*shall be lawful only if and to the extent*//*that*//at least one of the following applies:/' -> *[list of legal bases follows]*
>>> 
>>> _Art. 9 para 1 and 2:_
>>> 
>>>      '/1. Processing of personal data revealing [...here catalogue of special categories...] //*shall  be prohibited.*/
>>> 
>>> /    2. //*Paragraph 1 shall not apply if *//one of the following applies:/' *[list of legal bases follows]*
>>> 
>>> A22(2)(c) and A49(1)(a) have no such a general rule - exception because of permission expression in them. They just express that a certain modality of the consent (laid down in Art 6+9) is needed in specific cases (namely automated decisions/profiling, absence of adequacy decision, absence of appropriate safeguards like BCR etc...). So you can just believe me that they are indeed NOT legal bases by themselves. :)
>>> 
>>> Greetings,
>>> 
>>> Eva
>>> 
>>> Am 09.04.2019 um 14:10 schrieb Harshvardhan J. Pandit:
>>>> Okay. So our terms will be -
>>>> A6(1)(a)-non-explicit-consent
>>>>     legal basis where valid explicit consent is NOT required
>>>> A6(1)(a)-explicit-consent
>>>>     legal basis where valid explicit consent IS required
>>>> 
>>>> as not -
>>>> A6(1)(a)
>>>>     legal basis where valid consent is required
>>>> A6(1)(a)-explicit-consent
>>>>     legal basis where valid explicit consent is required
>>>> 
>>>>> One additional comment with regard to Art. 22 para 2 (c) and Art. 49 para. 1 (a) GDPR - these are NOT legal bases on their own! Rather, they describe situations where e.g. consent based on Art. 6 para 1 (a) is possible, but which trigger the additional condition that it needs to be the explicit version of this consent.
>>>> I'm curious - why is A9(2)(a) treated as a legal basis but not A22(2)(c) and A49(1)(a) ?
>>>> Doesn't A9 also state conditions where the explicit version of consent in A6(1)(a) is needed? i.e. use of special categories of personal data
>>>> 
>>>> In my mind, I'm seeing this as -
>>>> ------------------------------------------------------------------
>>>> consent for:     legal basis       special case       legal basis
>>>> ------------------------------------------------------------------
>>>> personal data      A6(1)(a)     special categories       A9(2)(a)
>>>> ------------------------------------------------------------------
>>>> data transfer      A6(1)(a)   third country transfer    A49(1)(a)
>>>> ------------------------------------------------------------------
>>>> Of course there are more conditions to A49 such as safeguards etc.
>>>> 
> 
> -- 
> Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
> ULD613@datenschutzzentrum.de
> Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
> Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
> 
> Informationen über die Verarbeitung der personenbezogenen Daten durch
> die Landesbeauftragte für Datenschutz und zur verschlüsselten
> E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung


Received on Monday, 22 April 2019 13:14:55 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:57 UTC