Re: DPV Semantics

Hello. Thank you Georg for providing the data.

This email concerns ACTION-140 Share missing concepts in dpv for privacy 
policy generation
https://www.w3.org/community/dpvcg/track/actions/140

1) Identity (Data Subject Identity, Data Controller Identity, etc.)
- The semantic web (AFAIK) uses the IRI as the identity of the entity
- In legal terms, however, identity refers to something else e.g. 
company name, number, address, etc. as the fields reflect
- The question for DPVCG, then, is - how do we represent or suggest 
these be represented?
- There are external vocabularies (e.g. FOAF) that define some of the 
semantics required here (e.g. name, address) that we should suggest for 
use. And if there is some specific legal requirement that is not 
captured/provided by existing (well-defined) work then we should provide 
that through DPV
- Pros: flexibility and freedom to define attributes as required e.g. 
address as string or granular street name, post-code, etc.
- Cons: adopters might want a single vocabulary i.e. DPV should provide 
all required concepts

2) Joint Controller
- Should this be a sub-class of Controller given that a Joint Controller 
acts as a Controller? (IMHO - yes)

3) Data Processor
- This is defined in dpv - https://www.w3.org/ns/dpv#dpv:DataProcessor

4) Personal data
- This is defined in dpv - 
https://www.w3.org/ns/dpv#dpv:PersonalDataCategory

5) Source of personal data
- IMO it is unclear whether this is an attribute associated with data 
collection i.e. where was data collected from OR origin i.e. where did 
this data originate from
- We also (probably) need to define what/who the data was collected from
- How to specify this?

We already have a property 'location' within Technical measures that 
concerns storage restriction - to an uninformed mind this property would 
appear to also be suitable for use with source of personal data. But I 
do not think this is appropriate (see below).
IMHO the source of personal data *is* associated with its collection and 
therefore should be defined as an attribute of processing.

Doing something like this -

x a dpv:Collect ;
   dpv:location "phone" .

has inherent problems:
a) it is not clear whether the location specifies location of processing 
or data
b) it does not specify who/what the data was collected from - of course 
one could add another fact using e.g. prov:Agent

Therefore, I would propose having properties for (a) source (b) 
agent/entity.

That being said, there can be multiple sources of data e.g. smartphone, 
web-browser, smartwatch. How they should be represented depends on the 
interpretation whether they are separate instances of processing for 
each device or a single instance of processing with multiple sources. Do 
we support both these interpretations? (IMHO we should)

6) Agents missing in DPV
- Joint Data Controller
- DPO
- Controller representative
- Processor representative (representative should be an abstract category?)
- DPA (data protection authority)

7) GDPR specific items
- There are some (very) GDPR specific items in the list e.g. legal basis 
and obligations for contract
- If these are to be defined, they have to be done within dpv-gdpr

8) Purpose
- this is defined in dpv - https://www.w3.org/ns/dpv#purpose

9) Processing categories
- this is defined in dpv - https://www.w3.org/ns/dpv#processing

10) Automated decision making
- this is defined in dpv - 
https://www.w3.org/ns/dpv#dpv:isAutomatedDecisionMaking
- Logic of automated decision making: DPV does not provide a way to 
describe this currently
- Describing the logic means we should provide a way to describe logic 
of processing in general (same concepts)
- Describing consequences would also be similar to the above
- How to do this?

11) Data Transfer
- dpv currently has transfer as a processing category 
https://www.w3.org/ns/dpv#transfer
- To specify location of transfer, again - we have a location property 
which should be used - which means changing its definition
- And we already have storage as a restriction 
https://www.w3.org/ns/dpv#storage
- The larger question here is what the location specifies - location of 
where the data will end up or location of recipient (this affects how 
the property is defined and used). To me, data transfer location would 
indicate where the data ends up being located in. This should be 
clarified in the definition.
- For location identification, adopters should be able to use their 
preferred method e.g. ISO country codes, plain strings
- Do we provide a list of "third countries" under GDPR? (IMHO this is 
complicated - not my cup of tea!)

12) Technical organisational measures
- This is defined in dpv - 
https://www.w3.org/ns/dpv#dpv:TechnicalOrganisationalMeasure

13) Data Storage period
- This is defined in dpv - https://www.w3.org/ns/dpv#storage-duration
- criteria to determine storage period are currently not defined, so how 
to associate this with storage duration?
- I see some common semantics in providing explanation of processing, 
effects of processing, criteria to determine storage period - can we 
leverage this to provide a generic attribute that can be tacked on 
anything to provide more information and/or explanations? dpv already 
has a "measure implemented by" property which is not directly applicable 
but related https://www.w3.org/ns/dpv#measure-implemented-by

14) Time limit for data erasure
- Is this defined in DPV? And is this separate from data storage 
duration? To my understanding, does data storage indicate the time 
duration the data will be stored for, whereas the time limit for data 
erasure indicates when the data will be erased *after* the storage period???
- We define duration of data storage (see above)

15) Recipients
- this is defined in dpv - https://www.w3.org/ns/dpv#recipient

16) Legitimate interest
- this is GDPR specific as a legal basis
- we currently do not provide any means to specify the specifics of 
legitimate interest e.g. description. To my understanding, a 
semantic-web property should be used to indicate this, but which? 
rdfs:comment? Should DPV provide a generic property for annotating with 
additional information within the context of DPV (as opposed to RDFS 
being super-generic)?
- we currently do not provide a way to indicate the legitimate interest 
is associated with controller or third party -> how to do this?

17) Legal Basis
- this is defined in dpv - https://www.w3.org/ns/dpv#legal-basis
- GDPR specific legal basis are defined in dpv-gdpr

18) Rights
- We do not have the concept of rights in DPV - this needs to be added
- Where to define them? PersonalDataHandling? To my understanding, 
rights are obligations that are based on context e.g. if data is 
collected from data subject then the data subject has the right to 
obtain this data (right to data portability) - which means the right is 
only valid in the context where a) processing is 'collect' b) source of 
data is data subject.
- For now, we should at least provide the concept of Legal Right, and the 
GDPR specific rights can (should?) be added to dpv-gdpr

@Georg (FYI) the email loses formatting in plain-text on the mailing 
list https://lists.w3.org/Archives/Public/public-dpvcg/2020May/0014.html
We can put these tables in the wiki for better persistence.

Regards,
Harsh
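
As an added illustration of item 5 above (my sketch, not part of Harsh's email or of DPV), the Turtle below puts the problematic 'location' form next to the proposed split into a source and a collected-from entity, and shows both interpretations of multiple sources; ex:hasDataSource and ex:collectedFrom are placeholder properties in an example namespace, not DPV terms.

```turtle
@prefix dpv: <https://www.w3.org/ns/dpv#> .
@prefix ex:  <https://example.org/placeholder#> .

# Problematic form from the email: is "phone" where the processing
# happens or where the data comes from? And whom was it collected from?
ex:collect0 a dpv:Collect ;
    dpv:location "phone" .

# Proposed split: one property for the source, one for the entity
# the data was collected from (ex: properties are placeholders).
# Interpretation A: one processing instance per device.
ex:collect1 a dpv:Collect ;
    ex:hasDataSource "smartphone" ;
    ex:collectedFrom ex:alice .

ex:collect2 a dpv:Collect ;
    ex:hasDataSource "smartwatch" ;
    ex:collectedFrom ex:alice .

# Interpretation B: a single processing instance with several sources.
ex:collect3 a dpv:Collect ;
    ex:hasDataSource "smartphone", "web-browser", "smartwatch" ;
    ex:collectedFrom ex:alice .

# Constructed sample entity for the examples above.
ex:alice a dpv:DataSubject .
```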

On 29/05/2020 13:51, Georg Philip Krog wrote:
> Hi everyone,
>
> I and Signatu contribute with new field values for the DPV taken from 
> the GDPR across Art 13 (Privacy Policy), 14 (Privacy Policy), 15 
> (access right information) and 30 (Records of processing activities).
>
> Please have a look:
>
> Value categories  DPV  GDPR Art 13  GDPR Art 14  GDPR Art 15  GDPR Art 
> 30.1  GDPR Art 30.2
> Data Subject  FALSE  
>  
>  
>  A description of the categories of data subjects and of the 
> categories of personal data, GDPR Article 30.1(c).  
> Data Controller Identity  FALSE  Data Controller Identity, GDPR Art 
> 13.1(a)  Data Controller Identity, GDPR Art 14.1(a)  
>  The name of the Data Controller, GDPR Article 30.1(a)  Data 
> Controller Identity, GDPR Art 30.2(a)
> Data Controller Contact Details  FALSE  Data Controller Contact 
> Details, GDPR Art 13.1(a)  Data Controller Contact Details, GDPR Art 14.1(a)  
>  Data Controller Contact Details, GDPR Article 30.1(a)  Data 
> Controller Contact Details, GDPR Art 30.2(a)
> Data Controller Representative  FALSE  Data Controller Representative, 
> GDPR Art 13.1(a)  Data Controller Representative, GDPR Art 14.1(a)  
>  
>  Data Controller Representative, GDPR Art 30.2(a)
> Data Protection Officer  FALSE  Data Protection Officer of Data 
> Controller, GDPR Art 13.1(b)  Data Protection Officer of Data 
> Controller, GDPR Art 14.1(b)  
>  Data Protection Officer of Data Controller, GDPR Article 30.1(a) 
> Data Protection Officer, GDPR Art 30.2(a)
> Data Protection Office Contact Details  FALSE  Data Protection Officer 
> Contact Details, GDPR Art 13.1(b)  Data Protection Officer Contact 
> Details, GDPR Art 14.1(b)  
>  Data Protection Officer Contact Details, GDPR Article 30.1(a)  
> Joint Controller  FALSE  
>  
>  
>  The joint controller, where applicable, GDPR Article 30.1(a)  
> Data Processor  FALSE  
>  
>  
>  
>  The Data Processor, GDPR Art 30.2(a)
> Data Processor Representative  FALSE  
>  
>  
>  
>  The Data Processor Representative, GDPR Art 30.2(a)
> Personal Data  FALSE  The personal data, GDPR Art 13.1(c)  The 
> categories of personal data, GDPR Art 14.1(d)  The categories of 
> personal data,GDPR Art 15.1(b)  
>  
> Personal Data Source  FALSE  
>  From which source the personal data originate, GDPR Art 14.2(f). 
> Where the personal data are not collected from the data subject, any 
> available information as to their source, GDPR Art 15.1(g).  
>  
> Personal Data Public or Private Source  FALSE  
>  Whether the personal data originate from publicly accessible sources, 
> GDPR Art 14.2(f).  
>  
>  
> Personal Data Provision Legal Basis  FALSE  Whether the provision of 
> personal data is a statutory or contractual requirement, or a 
> requirement necessary to enter into a contract, GDPR Art 13.2(e).  
>  
>  
>  
> Personal Data Provision obligation  FALSE  Whether the data subject is 
> obliged to provide the personal data, GDPR Art 13.2(e).  
>  
>  
>  
> Consequence of data provision failure to provide personal data  FALSE 
> The possible consequences of failure to provide personal data, GDPR 
> Art 13.2(e).  
>  
>  
>  
> Purposes  FALSE  Purposes of the Processing, GDPR Art 13.1(c)  Data 
> Controller Identity, GDPR Art 14.1(c)  The purposes of the processing, 
> GDPR Art 15.1(a)  The purposes of the processing, GDPR Article 30.1(b)  
> Processing Categories Classes  FALSE  GDPR Art 4.2  
>  
>  
>  The categories of processing carried out on behalf of each 
> controller, GDPR Art 30.2(b)
> Processing Categories Classes  FALSE  
>  
>  
>  
>  
> Automated decision-making and profiling  FALSE  The existence of 
> automated decision-making, including profiling, referred to in Article 
> 22(1) and (4), GDPR Art 13.2(f).  The existence of automated 
> decision-making, including profiling, referred to in Article 22(1) and 
> (4), GDPR Art 14.2(g).  The existence of automated decision-making, 
> including profiling, referred to in Article 22(1) and (4), GDPR Art 
> 15.1(h).  
>  
> Logic of automated decision-making and profiling  FALSE  Meaningful 
> information about the logic involved in automated decision-making, 
> including profiling, referred to in Article 22(1) and (4), GDPR Art 
> 13.2(f).  Meaningful information about the logic involved in automated 
> decision-making, including profiling, referred to in Article 22(1) and 
> (4), GDPR Art 14.2(g).  Meaningful information about the logic 
> involved in automated decision-making, including profiling, referred 
> to in Article 22(1) and (4), GDPR Art 15.1(h).  
>  
> Consequences of automated decision-making and profiling  FALSE  The 
> significance and the envisaged consequences of automated 
> decision-making, including profiling, referred to in Article 22(1) and 
> (4) for the data subject, GDPR Art 13.2(f).  The significance and the 
> envisaged consequences of automated decision-making, including 
> profiling, referred to in Article 22(1) and (4) for the data subject, 
> GDPR Art 14.2(g).  
>  
>  
> Data transfer to third country  FALSE  Transfer of personal data to a 
> third country or to an international organisation, GDPR Art 13.1(f) 
> Transfer of personal data to a third country or to an international 
> organisation, GDPR Art 14.1(f).  Transfer of personal data to a third 
> country or to an international organisation, GDPR Art 15.2.  Transfers 
> of personal data to a third country or an international organisation, 
> GDPR Article 30.1(e).  Transfers of personal data to a third country 
> or an international organisation, GDPR Art 30.2(c)
> Third country name  FALSE  
>  
>  
>  Identification of the third country or international organisation, 
> GDPR Article 30.1(e).  Identification of the third country or 
> international organisation, GDPR Art 30.2(c)
> Data transfer legal basis  FALSE  Legal Basis for transfer to a third 
> country, GDPR Art 13.1(f)  Legal Basis for transfer to a third 
> country, GDPR Art 14.1(f).  
>  Legal Basis for transfer to a third country, GDPR Article 30.1(e). 
> Legal Basis for transfer to a third country, GDPR Art 30.2(c)
> Technical and Organisational Measures  FALSE  
>  
>  
>  Where possible, a general description of the technical and 
> organisational security measures referred to in Article 32(1), GDPR 
> Art 30.1(g).  Where possible, a general description of the technical 
> and organisational security measures referred to in Article 32(1), 
> GDPR Art 30.2.
> Data storage period  FALSE  The period for which the personal data 
> will be stored, GDPR Art 13.2(a).  The period for which the personal 
> data will be stored, GDPR Art 14.2(a).  The envisaged period for which 
> the personal data will be stored, GDPR Art 15.1(d).  
>  
> Criteria to determine data storage period  FALSE  The criteria used to 
> determine the period for which the personal data will be stored, GDPR 
> Art 13.2(a).  The criteria used to determine the period for which the 
> personal data will be stored, GDPR Art 14.2(a).  The criteria used to 
> determine period for which the personal data will be stored, GDPR Art 
> 15.1(d).  
>  
> Time limit for data erasure  FALSE  
>  
>  
>  Where possible, the envisaged time limits for erasure of the 
> different categories of data, GDPR Art 30.1(f).  
> Recipients  FALSE  Recipients of categories of recipients of the 
> personal data (if any), GDPR Art 13.1(e)  The recipients or categories 
> of recipients of the personal data, if any, GDPR Art 14.1(e).  The 
> recipients or categories of recipient to whom the personal data have 
> been or will be disclosed, in particular recipients in third countries 
> or international organisations, GDPR Art 15.1(c)  The categories of 
> recipients to whom the personal data have been or will be disclosed 
> including recipients in third countries or international 
> organisations, GDPR Article 30.1(d).  
> Legitimate interest of Data Controller  FALSE  Legitimate Interest (if 
> the processing is based on GDPR Art 6.1(f)), GDPR Art 13.1(d) 
> Legitimate Interest (if the processing is based on GDPR Art 6.1(f)), 
> GDPR Art 14.2(b)  
>  
>  
> Legitimate interest of Third Party  FALSE  Legitimate Interest (if the 
> processing is based on GDPR Art 6.1(f)), GDPR Art 13.1(d)  Legitimate 
> Interest (if the processing is based on GDPR Art 6.1(f)), GDPR Art 
> 14.2(b)  
>  
>  
> Legal Basis  FALSE  Legal Basis for the Processing, GDPR Art 13.1(c) 
> Legal Basis for the Processing, GDPR Art 14.1(c)  
>  
>  
> Right to access  FALSE  The right to access to personal data, GDPR Art 
> 13.2(b).  The right to access to personal data, GDPR Art 14.2(c).  
>  
>  
> Right to rectification  FALSE  The right to rectification of personal 
> data, GDPR Art 13.2(b).  The right to rectification of personal data, 
> GDPR Art 14.2(c).  The right to rectification of personal data, GDPR 
> Art 15.1(e).  
>  
> Right to erasure  FALSE  The right to erasure of personal data, GDPR 
> Art 13.2(b).  The right to erasure of personal data, GDPR Art 14.2(c). 
>  The right to erasure of personal data, GDPR Art 15.1(e).  
>  
> Right to restriction  FALSE  The right to restriction of processing 
> concerning the data subject, GDPR Art 13.2(b).  The right to 
> restriction of processing concerning the data subject, GDPR Art 
> 14.2(c).  The right to restriction of processing concerning the data 
> subject, GDPR Art 15.1(e).  
>  
> Right to object to processing  FALSE  The right to object to 
> processing, GDPR Art 13.2(b).  The right to object to processing, GDPR 
> Art 14.2(c).  The right to object to processing, GDPR Art 15.1(e).  
>  
> Right to data portability  FALSE  The right to data portability, GDPR 
> Art 13.2(b).  The right to data portability, GDPR Art 14.2(c).  
>  
>  
> Right to withdraw consent  FALSE  The right to withdraw consent at any 
> time, without affecting the lawfulness of processing based on consent 
> before its withdrawal (where the processing is based on point (a) of 
> Article 6(1) or point (a) of Article 9(2)), GDPR Art 13.2(c).  The 
> right to withdraw consent at any time, without affecting the 
> lawfulness of processing based on consent before its withdrawal (where 
> the processing is based on point (a) of Article 6(1) or point (a) of 
> Article 9(2)), GDPR Art 14.2(d).  
>  
>  
> Right to lodge a complaint  FALSE  The right to lodge a complaint with 
> a supervisory authority, GDPR Art 13.2(d).  The right to lodge a 
> complaint with a supervisory authority, GDPR Art 14.2(e).  The right 
> to lodge a complaint with a supervisory authority, GDPR Art 15.1(f).  
>  
>
>
> Best regards,
> -- 
> Georg Philip Krog
>
> signatu <https://signatu.com>

-- 
---
Harshvardhan Pandit, Ph.D
Researcher at ADAPT Centre, Trinity College Dublin
https://harshp.com/research/

Received on Tuesday, 30 June 2020 09:17:26 UTC