- From: Bud Bruegger <uld613@datenschutzzentrum.de>
- Date: Tue, 12 Mar 2019 09:06:30 +0100
- To: public-dpvcg@w3.org
Good morning everyone,

maybe this is of interest:
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

On page 13 there is "3.3.1. Minimum content requirements for consent to be ‘informed’" which seems to be a subset of Art 13/14 GDPR (my offhand impression).

Processors and Consent:

Here a confirmation for what I already said on Skype (still page 13):

"Processors do not need to be named as part of the consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to provide a full list of recipients or categories of recipients including processors."

Interesting also that articles 13/14 are not directly used to define the content necessary to make it "informed consent".

Multiple controllers:

(page 13) "With regard to item (i) and (iii), WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named."

Interesting: so it is possible for "secondary controllers" to use the consent collected by the primary controller as a legal basis!

Also, I just learned that according to Recital 42, "Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation". That, to me, seems not done consistently in practice. But maybe this is necessary for "explicit consent", although I didn't see this stated anywhere.

So short of a signature, what does technically leave some evidence that the data subject provided a consent? The opinion speaks of e-mails and 2 step approaches. But technically, that is very little evidence...

I would be interested to discuss what could be done technically that constitutes any kind of evidence for consent. If this is interesting to you, I'm all for it!

best cheers
-b

On 12.03.2019 at 06:45, Mark@OC-2 wrote:
> Hi DPVC (and Rigo),
>
> We have produced a set of consent elements, and have them attached here
> in a document that needs a bit of introduction/guidance before reading.
> A part of this task has been working through process and I bring the
> additional goal of interoperability, which we defer as a topic for the
> future.
>
> As a result, Harsh, Bud and I have worked on a little bit of guidance
> as well as suggestions for moving discussion and review forward. This is
> as follows;
>
> *Guidance*
>
> 1. First, the document attached can be confusing if we do not explain
> that this document uses another specification that provides a base set
> of consent fields (minimum consent receipt) that are common to most/all
> jurisdictions. As a result, a part of the document attached is not
> relevant for review. For this reason - we have highlighted the
> sections that are *not required to be reviewed* by the CG at this time.
>
> 2. The minimum consent receipt specification was generated in an
> identity management (IdM) community, this is important because IdM is a
> required component to consent and its management. This is why in this
> GDPR specification we have focused on being very clear about the
> identities of the parties involved in the recorded consent interaction
> and the delegation of consent to another party.
>
> 3. The minimum spec has place/fields for Vocabulary Categories being
> worked on in DPVC, this means we can use this format to test the
> vocabulary, appended to the spec is a schema example
>
> *Suggestions to progress this work:*
>
> - We suggest - progressing this work using GitHub - putting only the
> relevant fields in the GitHub wiki, and then to track issues or
> questions about consent elements using GitHub - where we can all discuss
> a single issue in a single thread, related to a single consent element.
> (Note: we already have a couple of issues to add - once we get going,
> and perhaps this would make a review easier)
> - add a task, once review has happened, for feeding back to the Kantara
> WG, and to include the difference between definitions and taxonomy of
> GDPR consent elements and minimum viable specification - with the view
> that Kantara WG would update the specification.
>
> Best Regards,
>
> Mark, Bud & Harsh
>

--
Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
ULD613@datenschutzzentrum.de
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
Information on the processing of personal data by the Landesbeauftragte für Datenschutz and on encrypted e-mail communication:
https://datenschutzzentrum.de/datenschutzerklaerung
Received on Tuesday, 12 March 2019 08:08:50 UTC