W3C home > Mailing lists > Public > public-dpvcg@w3.org > March 2019

Re: dpvcg-ACTION-68: consent elements

From: Bud Bruegger <uld613@datenschutzzentrum.de>
Date: Tue, 12 Mar 2019 09:06:30 +0100
To: public-dpvcg@w3.org
Message-ID: <3c233999-b291-c7fe-08ca-1a0342a47990@datenschutzzentrum.de>
Good morning everyone,

maybe this is of interest:

On page 13 there is "3.3.1.  Minimum content requirements for consent to 
be ‘informed’" which seems to be a subset of Art 13/14 GDPR (my off hand 

Processors and Consent:
Here a confirmation for what I already said on skype:(still page 13)
"Processors do not need to be named as part of the consent requirements, 
although to comply with Articles  13  and  14  of  the  GDPR, 
controllers  will  need  to  provide  a  full  list  of  recipients  or
categories  of  recipients  including  processors. "

Interesting also that articles 13/14 are not directly used to define the 
content necessary to make it "informed consent".

Multiple controllers: (page 13)
"With regard to item (i) and (iii), WP29 notes that in a case where the 
consent sought is to be relied upon  by  multiple  (joint)  controllers 
or  if  the  data  is  to  be  transferred  to  or  processed  by  other
controllers  who  wish  to  rely  on  the  original  consent,  these 
organisations  should  all  be  named."

Interesting:  so it is possible for "secondary controllers" to use the 
consent collected by the primary controller as a legal basis!

Also, I just learned that according to Recital 42, "Where processing is 
based on the data subject’s consent, the controller should be able to 
demonstrate that the data subject has given consent to the processing 

That, to me, seems not done consistently in practice.  But maybe this is 
necessary for "explicit consent"--although, I didn't see this stated 

So short of a signature, what does technically leave some evidence that 
the data subject provided a consent?  The opinon speaks of e-mails and 2 
step approaches.  But technically, that is very little evidence...

I would be interested to discuss what could be done technically that 
constitutes any kind of evidence for consent.  If this is interesting to 
you, I'm all for it!

best cheers

Am 12.03.2019 um 06:45 schrieb Mark@OC-2:
> HI DPVC (and Rigo),
> We have produced a set of consent elements, and have them attached here 
> in a document that needs a bit of introduction/guidance before reading. 
>    A part of this task has been working though process and I bring the 
> additional goal of interoperability, which we defer as a topic for the 
> future.
> As a result, Harsh, Bud and I have worked on a little bit of  guidance 
> as well as suggestions for moving discussion and review forward. This is 
> as follows;
> *Guidance*
> 1. First, the document attached can be confusing if we do not explain 
> that this document uses another specification that provides a base set 
> of consent fields (minimum consent receipt) that are common to most/all 
> jurisdictions. As a result, a  part of the document attached is not 
> relevant for review.  For this reason -  we have highlighted the 
> sections that are *not required to be reviewed* by the CG at this time.
> 2. The minimum  consent receipt specification was generated in an 
> identity management (IdM)  community, this is important because IdM is a 
> required component to consent and its management. This is why in this 
> GDPR specification we have focused on being very clear about the 
> identities of the parties involved in the recorded consent interaction 
> and the delegation of consent to another party.
> 3. The minimum spec, has place/fields for Vocabulary Categories being 
> worked on in DPVC, this means we can use this format to test the 
> vocabulary, appended to the spec is a schema example
> *Suggestions to progress this work: *
> -  We Suggest - progressing this work using GitHub - putting only the 
> relevant fields in the GitHub wiki, and then to track issues or 
> questions about consent elements using Github - where we can all discuss 
> a single issue in a single thread, related to a single consent element. 
> (Note: we already have a couple of issues to add - once we get going, 
> and perhaps this would make a review easier )
> - add a task, once review has happened, for feeding back to the Kantara 
> WG, and to include the difference between definitions and taxonomy of 
> GDPR consent elements and minimum viable specification - with the view 
> that Kantara WG would update the specification.
> Best Regards,
> Mark, Bud & Harsh

Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Tuesday, 12 March 2019 08:08:50 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:56 UTC