- From: Georg Philip Krog <georg@signatu.com>
- Date: Thu, 2 Jul 2020 12:15:56 +0200
- To: "Harshvardhan J. Pandit" <me@harshp.com>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
- Message-ID: <CAPOUEwkynKOFXKYs8vcszZ-wDJH4+17JX2LHRKEG9s3LiwHGvg@mail.gmail.com>
Hi Harsh, everyone,

Regarding point 5) here re-stated:

An example:

On Linkedin, (1) a controller collects my personal data, (2) which I on Linkedin made publicly available and which originate from me.

The controller can name the source where s/he collected the data (Linkedin), but cannot with certainty state that it was I who made the data publicly available and that the data originated from me (i.e. I wrote the text and made the photo of myself).

When the controller does not collect the data directly from the data subject, the GDPR Article 14.2(f) wants specified (1).

Hence, I propose:

(1) we specify where data was collected from.
(2) we do not specify where the data originate from.

Regards,
Georg

On Tue, Jun 30, 2020 at 3:35 PM Georg Philip Krog <georg@signatu.com> wrote:

> Thanks Harsh,
>
> Here are some comments to your numbered points:
>
> 1)
>
> Should the Data Controller address be convertible into geographic
> coordinates?
>
> https://www.bing.com/api/maps/sdkrelease/mapcontrol/isdk/searchbyaddress
>
> https://developers.google.com/maps/documentation/geocoding/intro
>
> 2)
>
> If two controllers participate in one and the same data processing action,
> the two controllers are either joint-controllers or each controller is a
> separate controller. Hence, Controller has the sub-class Separate
> Controller or Joint Controller?
>
> 5)
>
> An example:
>
> On Linkedin, (1) a controller collects my personal data, (2) which I on
> Linkedin made publicly available and which originate from me.
>
> The controller can name the source where s/he collected the data
> (Linkedin), but cannot with certainty state that it was I who made the data
> publicly available and that the data originated from me (i.e. I wrote the
> text and made the photo of myself).
>
> When the controller does not collect the data directly from the data
> subject, the GDPR Article 14.2(f) wants specified (1).
>
> 11)
>
> I do not think it is necessary to provide a list of third countries since
> an adopter would need to state recipient name and recipient country and
> then provide a transfer legal basis. If the transfer happens within the EU,
> then the controller needs legal basis within GDPR Art 6 or 9.
>
> Best regards,
>
> Georg
>
>
> On Tue, Jun 30, 2020 at 11:17 AM Harshvardhan J. Pandit <me@harshp.com>
> wrote:
>
>> Hello. Thank you Georg for providing the data.
>>
>> This email concerns ACTION-140 Share missing concepts in dpv for privacy
>> policy generation
>> https://www.w3.org/community/dpvcg/track/actions/140
>>
>> 1) Identity (Data Subject Identity, Data Controller Identity, etc.)
>> - In the semantic web (AFAIK) uses the IRI as the identity of the entity
>> - In legal terms, however, identity refers to something else e.g.
>> company name, number, address, etc. as the fields reflect
>> - The question for DPVCG, then, is - how do we represent or suggest
>> these be represented?
>> - There are external vocabularies (e.g. FOAF) that define some of the
>> semantics required here (e.g. name, address) that we should suggest for
>> use. And if there is some specific legal requirement that is not
>> captured/provided by existing (well-defined) work then we should provide
>> that through DPV
>> - Pros: flexibility and freedom to define attributes as required e.g.
>> address as string or granular street name, post-code, etc.
>> - Cons: adopters might want a single vocabulary i.e. DPV should provide
>> all required concepts
>>
>> 2) Joint Controller
>> - Should this be a sub-class of Controller given that a Joint Controller
>> acts as a Controller?
>> (IMHO - yes)
>>
>> 3) Data Processor
>> - This is defined in dpv - https://www.w3.org/ns/dpv#dpv:DataProcessor
>>
>> 4) Personal data
>> - This is defined in dpv -
>> https://www.w3.org/ns/dpv#dpv:PersonalDataCategory
>>
>> 5) Source of personal data
>> - IMO it is unclear whether this is an attribute associated with data
>> collection i.e. where was data collected from OR origin i.e. where did
>> this data originate from
>> - We also (probably) need to define what/who the data was collected from
>> - How to specify this?
>>
>> We already have a property 'location' within Technical measures that
>> concerns storage restriction - to an uninformed mind this property would
>> appear to also be suitable for use with source of personal data. But I
>> do not think this is appropriate (see below)
>> IMHO the source of personal data *is* associated with its collection and
>> therefore should be defined as an attribute of processing.
>>
>> Doing something like this -
>>
>> x a dpv:Collect ;
>> dpv:location "phone" .
>>
>> has inherent problems:
>> a) it is not clear whether the location specifies location of processing
>> or data
>> b) it does not specify who/what the data was collected from - of course
>> one could add another fact using e.g. prov:Agent
>>
>> Therefore, I would propose having properties for (a) source (b)
>> agent/entity.
>>
>> That being said, there can be multiple sources of data e.g. smartphone,
>> web-browser, smartwatch. How they should be represented depends on the
>> interpretation whether they are separate instances of processing for
>> each device or a single instance of processing with multiple sources. Do
>> we support both these interpretations? (IMHO we should)
>>
>> 6) Agents missing in DPV
>> - Joint Data Controller
>> - DPO
>> - Controller representative
>> - Processor representative (representative should be an abstract
>> category?)
>> - DPA (data protection authority)
>>
>> 7) GDPR specific items
>> - There are some (very) GDPR specific items in the list e.g. legal basis
>> and obligations for contract
>> - If these are to be defined, they have to be done within dpv-gdpr
>>
>> 8) Purpose
>> - this is defined in dpv - https://www.w3.org/ns/dpv#purpose
>>
>> 9) Processing categories
>> - this is defined in dpv - https://www.w3.org/ns/dpv#processing
>>
>> 10) Automated decision making
>> - this is defined in dpv -
>> https://www.w3.org/ns/dpv#dpv:isAutomatedDecisionMaking
>> - Logic of automated decision making: DPV does not provide a way to
>> describe this currently
>> - Describing the logic means we should provide a way to describe logic
>> of processing in general (same concepts)
>> - Describing consequences would also be similar to the above
>> - How to do this?
>>
>> 11) Data Transfer
>> - dpv currently has transfer as a processing category
>> https://www.w3.org/ns/dpv#transfer
>> - To specify location of transfer, again - we have a location property
>> which should be used - which means changing its definition
>> - And we already have storage as a restriction
>> https://www.w3.org/ns/dpv#storage
>> - The larger question here is what the location specifies - location of
>> where the data will end up or location of recipient (this affects how
>> the property is defined and used). To me, data transfer location would
>> indicate where the data ends up being located in. This should be
>> clarified in the definition.
>> - For location identification, adopters should be able to use their
>> preferred method e.g. ISO country codes, plain strings
>> - Do we provide a list of "third countries" under GDPR? (IMHO this is
>> complicated - not my cup of tea!)
>>
>> 12) Technical organisational measures
>> - This is defined in dpv -
>> https://www.w3.org/ns/dpv#dpv:TechnicalOrganisationalMeasure
>>
>> 13) Data Storage period
>> - This is defined in dpv - https://www.w3.org/ns/dpv#storage-duration
>> - criteria to determine storage period is currently not defined, so how
>> to associate this with storage duration?
>> - I see some common semantics in providing explanation of processing,
>> effects of processing, criteria to determine storage period - can we
>> leverage this to provide a generic attribute that can be tacked on
>> anything to provide more information and/or explanations? dpv already
>> has a "measure implemented by" property which is not directly applicable
>> but related https://www.w3.org/ns/dpv#measure-implemented-by
>>
>> 14) Time limit for data erasure
>> - Is this defined in DPV? And is this separate from data storage
>> duration? To my understanding, does data storage indicate time duration
>> the data will be stored for, whereas time duration for data erasure when
>> the data will be erased *after* the storage period???
>> - We define duration of data storage (see above)
>>
>> 15) Recipients
>> - this is defined in dpv - https://www.w3.org/ns/dpv#recipient
>>
>> 16) Legitimate interest
>> - this is GDPR specific as a legal basis
>> - we currently do not provide any means to specify the specifics of
>> legitimate interest e.g. description. To my understanding, a
>> semantic-web property should be used to indicate this, but which?
>> rdfs:comment? Should DPV provide a generic property for annotating with
>> additional information within the context of DPV (as opposed to RDFS
>> being super-generic)?
>> - we currently do not provide a way to indicate the legitimate interest
>> is associated with controller or third party -> how to do this?
>>
>> 17) Legal Basis
>> - this is defined in dpv - https://www.w3.org/ns/dpv#legal-basis
>> - GDPR specific legal basis are defined in dpv-gdpr
>>
>> 18) Rights
>> - We do not have the concept of rights in DPV - this needs to be added
>> - Where to define them? PersonalDataHandling? To my understanding,
>> rights are obligations that are based on context e.g. if data is
>> collected from data subject then the data subject has the right to
>> obtain this data (right to data portability) - which means the right is
>> only valid in the context where a) processing is 'collect' b) source of
>> data is data subject.
>> - For now, we should at least provide the concept of Legal Right, and the
>> GDPR specific rights can (should?) be added to dpv-gdpr
>>
>> @Georg (FYI) the email loses formatting in plain-text on the mailing
>> list https://lists.w3.org/Archives/Public/public-dpvcg/2020May/0014.html
>> We can put these tables in the wiki for better persistence.
>>
>> Regards,
>> Harsh
>>
>> On 29/05/2020 13:51, Georg Philip Krog wrote:
>> > Hi everyone,
>> >
>> > I and Signatu contribute with new field values for the DPV taken from
>> > the GDPR across Art 13 (Privacy Policy), 14 (Privacy Policy), 15
>> > (access right information) and 30 (Records of processing activities).
>> >
>> > Please have a look:
>> >
>> > Value categories DPV GDPR Art 13 GDPR Art 14 GDPR Art
>> 15 GDPR Art
>> > 30.1 GDPR Art 30.2
>> > Data Subject FALSE
>> >
>> >
>> > A description of the categories of data subjects and of the
>> > categories of personal data, GDPR Article 30.1(c).
>> > Data Controller Identity FALSE Data Controller Identity, GDPR
>> Art
>> > 13.1(a) Data Controller Identity, GDPR Art 14.1(a)
>> > The name of the Data Controller, GDPR Article 30.1(a) Data
>> > Controller Identity, GDPR Art 30.2(a)
>> > Data Controller Contact Details FALSE Data Controller Contact
>> > Details, GDPR Art 13.1(a) Data Controller Major task for the day:
>> > - [ ] [[id:34a7168f-0c0b-458e-8241-8983b94b0972][Send email to
>> > Cristiana with ideas]]
>> > - [ ] DPVCG - [[id:a7af1cc8-e004-4409-9570-8b37b351cb17][Future
>> > Deliverables and Timeline]]
>> >
>> > Minor tasks for the day:
>> > - [ ] DPVCG - [[id:00839c20-4191-4870-9d32-d63498e1a8f7][Review
>> > Signatu's privacy-policy concepts]]
>> > - [ ] DPVCG - [[id:a1ec628d-dc21-4cb7-9af1-c56bbb59dc4f][Review
>> > Signatu's concepts for Art13/14 and ISO29184]]
>> > - [ ] DPVCG - [[id:3cf2308e-d3ed-4308-80b2-f772de407cb2][Review
>> > Signatu's personal data categories concepts]]
>> > - [ ] DPVCG - [[id:2cc99f78-81db-4df3-95eb-03d15379f23b][Review
>> > Signatu's purpose concepts]]
>> > - [ ] DPVCG - [[id:5e7a8427-f15e-4130-8bce-b65332ece50c][Review
>> > SPECIAL's presentation shared by Axel]]
>> >
>> > If I'm bored, I should do:
>> > - [ ] [[id:bc663445-8737-4ba8-a0c2-76b27a74121c][re-organise folders
>> > for PhD -> general research]]
>> > - [ ] [[id:c79106af-a2d8-4b25-8032-1cbabffc2291][Plan upcoming
>> > potential publications]]
>> > Contact Details, GDPR Art 14.1(a)
>> > Data Controller Contact Details, GDPR Article 30.1(a) Data
>> > Controller Contact Details, GDPR Art 30.2(a)
>> > Data Controller Representative FALSE Data Controller
>> Representative,
>> > GDPR Art 13.1(a) Data Controller Representative, GDPR Art 14.1(a)
>>
>> >
>> > Data Controller Representative, GDPR Art 30.2(a)
>> > Data Protection Officer FALSE Data Protection Officer of Data
>> > Controller, GDPR Art 13.1(b) Data Protection Officer of Data
>> > Controller, GDPR Art 14.1(b)
>> > Data Protection Officer of Data Controller,
>> > GDPR Article 30.1(a)
>> > Data Protection Officer, GDPR Art 30.2(a)
>> > Data Protection Office Contact Details FALSE Data Protection
>> Officer
>> > Contact Details, GDPR Art 13.1(b) Data Protection Officer Contact
>> > Details, GDPR Art 14.1(b)
>> > Data Protection Officer Contact Details, GDPR Article 30.1(a)
>> > Joint Controller FALSE
>> >
>> >
>> > The joint controller, where applicable, GDPR Article 30.1(a)
>> > Data Processor FALSE
>> >
>> >
>> >
>> > The Data Processor, GDPR Art 30.2(a)
>> > Data Processor Representative FALSE
>> >
>> >
>> >
>> > The Data Processor Representative, GDPR Art 30.2(a)
>> > Personal Data FALSE The personal data, GDPR Art 13.1(c)
>> The
>> > categories of personal data, GDPR Art 14.1(d) The categories of
>> > personal data, GDPR Art 15.1(b)
>> >
>> > Personal Data Source FALSE
>> > From which source the personal data originate, GDPR Art 14.2(f).
>> > Where the personal data are not collected from the data subject, any
>> > available information as to their source, GDPR Art 15.1(g).
>> >
>> > Personal Data Public or Private Source FALSE
>> > Whether the personal data originate from publicly accessible
>> sources,
>> > GDPR Art 14.2(f).
>> >
>> >
>> > Personal Data Provision Legal Basis FALSE Whether the provision of
>> > personal data is a statutory or contractual requirement, or a
>> > requirement necessary to enter into a contract, GDPR Art 13.2(e).
>> >
>> >
>> >
>> > Personal Data Provision obligation FALSE Whether the data subject
>> is
>> > obliged to provide the personal data, GDPR Art 13.2(e).
>> >
>> >
>> >
>> > Consequence of data provision failure to provide personal data
>> FALSE
>> > The possible consequences of failure to provide personal data, GDPR
>> > Art 13.2(e).
>> >
>> >
>> >
>> > Purposes FALSE Purposes of the Processing, GDPR Art 13.1(c)
>> Data
>> > Controller Identity, GDPR Art 14.1(c) The purposes of the
>> processing,
>> > GDPR Art 15.1(a) The purposes of the processing, GDPR Article
>> 30.1(b)
>> > Processing Categories Classes FALSE GDPR Art 4.2
>> >
>> >
>> > The categories of processing carried out on behalf of each
>> > controller, GDPR Art 30.2(b)
>> > Processing Categories Classes FALSE
>> >
>> >
>> >
>> >
>> > Automated decision-making and profiling FALSE The existence of
>> > automated decision-making, including profiling, referred to in Article
>> > 22(1) and (4), GDPR Art 13.2(f). The existence of automated
>> > decision-making, including profiling, referred to in Article 22(1) and
>> > (4), GDPR Art 14.2(g). The existence of automated
>> decision-making,
>> > including profiling, referred to in Article 22(1) and (4), GDPR Art
>> > 15.1(h).
>> >
>> > Logic of automated decision-making and profiling FALSE
>> Meaningful
>> > information about the logic involved in automated decision-making,
>> > including profiling, referred to in Article 22(1) and (4), GDPR Art
>> > 13.2(f). Meaningful information about the logic involved in
>> automated
>> > decision-making, including profiling, referred to in Article 22(1) and
>> > (4), GDPR Art 14.2(g). Meaningful information about the logic
>> > involved in automated decision-making, including profiling, referred
>> > to in Article 22(1) and (4), GDPR Art 15.1(h).
>> >
>> > Consequences of automated decision-making and profiling FALSE
>> The
>> > significance and the envisaged consequences of automated
>> > decision-making, including profiling, referred to in Article 22(1) and
>> > (4) for the data subject, GDPR Art 13.2(f). The significance and the
>> > envisaged consequences of automated decision-making, including
>> > profiling, referred to in Article 22(1) and (4) for the data subject,
>> > GDPR Art 14.2(g).
>> >
>> >
>> > Data transfer to third country FALSE Transfer of personal data
>> to a
>> > third country or to an international organisation, GDPR Art 13.1(f)
>> > Transfer of personal data to a third country or to an international
>> > organisation, GDPR Art 14.1(f). Transfer of personal data to a
>> third
>> > country or to an international organisation, GDPR Art 15.2. Transfers
>> > of personal data to a third country or an international organisation,
>> > GDPR Article 30.1(e). Transfers of personal data to a third
>> country
>> > or an international organisation, GDPR Art 30.2(c)
>> > Third country name FALSE
>> >
>> >
>> > Identification of the third country or international
>> organisation,
>> > GDPR Article 30.1(e). Identification of the third country or
>> > international organisation, GDPR Art 30.2(c)
>> > Data transfer legal basis FALSE Legal Basis for transfer to a
>> third
>> > country, GDPR Art 13.1(f) Legal Basis for transfer to a third
>> > country, GDPR Art 14.1(f).
>> > Legal Basis for transfer to a third country, GDPR Article
>> 30.1(e).
>> > Legal Basis for transfer to a third country, GDPR Art 30.2(c)
>> > Technical and Organisational Measures FALSE
>> >
>> >
>> > Where possible, a general description of the technical and
>> > organisational security measures referred to in Article 32(1), GDPR
>> > Art 30.1(g). Where possible, a general description of the technical
>> > and organisational security measures referred to in Article 32(1),
>> > GDPR Art 30.2.
>> > Data storage period FALSE The period for which the personal data
>> > will be stored, GDPR Art 13.2(a). The period for which the personal
>> > data will be stored, GDPR Art 14.2(a). The envisaged period for
>> which
>> > the personal data will be stored, GDPR Art 15.1(d).
>> >
>> > Criteria to determine data storage period FALSE The criteria used
>> to
>> > determine the period for which the personal data will be stored, GDPR
>> > Art 13.2(a).
>> > The criteria used to determine the period for which the
>> > personal data will be stored, GDPR Art 14.2(a). The criteria used
>> to
>> > determine period for which the personal data will be stored, GDPR Art
>> > 15.1(d).
>> >
>> > Time limit for data erasure FALSE
>> >
>> >
>> > Where possible, the envisaged time limits for erasure of the
>> > different categories of data, GDPR Art 30.1(f).
>> > Recipients FALSE Recipients of categories of recipients of the
>> > personal data (if any), GDPR Art 13.1(e) The recipients or
>> categories
>> > of recipients of the personal data, if any, GDPR Art 14.1(e).
>> The
>> > recipients or categories of recipient to whom the personal data have
>> > been or will be disclosed, in particular recipients in third countries
>> > or international organisations, GDPR Art 15.1(c) The categories of
>> > recipients to whom the personal data have been or will be disclosed
>> > including recipients in third countries or international
>> > organisations, GDPR Article 30.1(d).
>> > Legitimate interest of Data Controller FALSE Legitimate
>> Interest (if
>> > the processing is based on GDPR Art 6.1(f)), GDPR Art 13.1(d)
>> > Legitimate Interest (if the processing is based on GDPR Art 6.1(f)),
>> > GDPR Art 14.2(b)
>> >
>> >
>> > Legitimate interest of Third Party FALSE Legitimate Interest (if
>> the
>> > processing is based on GDPR Art 6.1(f)), GDPR Art 13.1(d)
>> Legitimate
>> > Interest (if the processing is based on GDPR Art 6.1(f)), GDPR Art
>> > 14.2(b)
>> >
>> >
>> > Legal Basis FALSE Legal Basis for the Processing, GDPR Art 13.1(c)
>> > Legal Basis for the Processing, GDPR Art 14.1(c)
>> >
>> >
>> > Right to access FALSE The right to access to personal data,
>> GDPR Art
>> > 13.2(b). The right to access to personal data, GDPR Art 14.2(c).
>>
>> >
>> >
>> > Right to rectification FALSE The right to rectification of
>> personal
>> > data, GDPR Art 13.2(b). The right to rectification of personal
>> data,
>> > GDPR Art 14.2(c).
>> > The right to rectification of personal data, GDPR
>> > Art 15.1(e).
>> >
>> > Right to erasure FALSE The right to erasure of personal data,
>> GDPR
>> > Art 13.2(b). The right to erasure of personal data, GDPR Art 14.2(c).
>> > The right to erasure of personal data, GDPR Art 15.1(e).
>> >
>> > Right to restriction FALSE The right to restriction of processing
>> > concerning the data subject, GDPR Art 13.2(b). The right to
>> > restriction of processing concerning the data subject, GDPR Art
>> > 14.2(c). The right to restriction of processing concerning the
>> data
>> > subject, GDPR Art 15.1(e).
>> >
>> > Right to object to processing FALSE The right to object to
>> > processing, GDPR Art 13.2(b). The right to object to
>> processing, GDPR
>> > Art 14.2(c). The right to object to processing, GDPR Art 15.1(e).
>> >
>> > Right to data portability FALSE The right to data portability,
>> GDPR
>> > Art 13.2(b). The right to data portability, GDPR Art 14.2(c).
>> >
>> >
>> > Right to withdraw consent FALSE The right to withdraw consent at
>> any
>> > time, without affecting the lawfulness of processing based on consent
>> > before its withdrawal (where the processing is based on point (a) of
>> > Article 6(1) or point (a) of Article 9(2)), GDPR Art 13.2(c).
>> The
>> > right to withdraw consent at any time, without affecting the
>> > lawfulness of processing based on consent before its withdrawal (where
>> > the processing is based on point (a) of Article 6(1) or point (a) of
>> > Article 9(2)), GDPR Art 14.2(d).
>> >
>> >
>> > Right to lodge a complaint FALSE The right to lodge a complaint
>> with
>> > a supervisory authority, GDPR Art 13.2(d). The right to lodge a
>> > complaint with a supervisory authority, GDPR Art 14.2(e). The right
>> > to lodge a complaint with a supervisory authority, GDPR Art 15.1(f).
>> >
>> >
>> >
>> > Best regards,
>> > --
>> > Georg Philip Krog
>> >
>> > signatu <https://signatu.com>
>>
>> --
>> ---
>> Harshvardhan Pandit, Ph.D
>> Researcher at ADAPT Centre, Trinity College Dublin
>> https://harshp.com/research/
>>
>>
>
> --
> Georg Philip Krog
>
> signatu <https://signatu.com>
>

--
Georg Philip Krog

signatu <https://signatu.com>
Received on Thursday, 2 July 2020 10:16:45 UTC