- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Tue, 30 Jun 2020 10:46:24 +0100
- To: Simon Steyskal <simon.steyskal@wu.ac.at>, Georg Philip Krog <georg@signatu.com>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Hi Simon, all.

Within DPV - first we need to make sure the relevant vocabulary is present. So 'Right' and rights provided under GDPR should be added as concepts similar to what we have done with the core/base vocab. Then it would be up to the adopter to express these using ODRL or something else.

ODRL can definitely be used for expressing the actual 'contents' of a right e.g. obligation and duties expressed in GDPR.

On 30/06/2020 10:38, Simon Steyskal wrote:
> fwiw, regarding the rights part -> wouldn't
> ODRL https://www.w3.org/TR/odrl-model/ (or a profile derived thereof) be
> a good fit for that?
>
> br simon
>
> -------- Original message --------
> From: "Harshvardhan J. Pandit" <me@harshp.com>
> Date: 6/30/20 11:17 (GMT+01:00)
> To: Georg Philip Krog <georg@signatu.com>, Data Privacy Vocabularies and
> Controls Community Group <public-dpvcg@w3.org>
> Subject: Re: DPV Semantics
>
> Hello. Thank you Georg for providing the data.
>
> This email concerns ACTION-140 Share missing concepts in dpv for privacy
> policy generation
> https://www.w3.org/community/dpvcg/track/actions/140
>
> 1) Identity (Data Subject Identity, Data Controller Identity, etc.)
> - In the semantic web (AFAIK) uses the IRI as the identity of the entity
> - In legal terms, however, identity refers to something else e.g.
> company name, number, address, etc. as the fields reflect
> - The question for DPVCG, then, is - how do we represent or suggest
> these be represented?
> - There are external vocabularies (e.g. FOAF) that define some of the
> semantics required here (e.g. name, address) that we should suggest for
> use. And if there is some specific legal requirement that is not
> captured/provided by existing (well-defined) work then we should provide
> that through DPV
> - Pros: flexibility and freedom to define attributes as required e.g.
> address as string or granular street name, post-code, etc.
> - Cons: adopters might want a single vocabulary i.e. DPV should provide
> all required concepts
>
> 2) Joint Controller
> - Should this be a sub-class of Controller given that a Joint Controller
> acts as a Controller? (IMHO - yes)
>
> 3) Data Processor
> - This is defined in dpv - https://www.w3.org/ns/dpv#dpv:DataProcessor
>
> 4) Personal data
> - This is defined in dpv -
> https://www.w3.org/ns/dpv#dpv:PersonalDataCategory
>
> 5) Source of personal data
> - IMO it is unclear whether this is an attribute associated with data
> collection i.e. where was data collected from OR origin i.e. where did
> this data originate from
> - We also (probably) need to define what/who the data was collected from
> - How to specify this?
>
> We already have a property 'location' within Technical measures that
> concerns storage restriction - to an uninformed mind this property would
> appear to also be suitable for use with source of personal data. But I
> do not think this is appropriate (see below)
> IMHO the source of personal data *is* associated with its collection and
> therefore should be defined as an attribute of processing.
>
> Doing something like this -
>
> x a dpv:Collect ;
>     dpv:location "phone" .
>
> has inherent problems:
> a) it is not clear whether the location specifies location of processing
> or data
> b) it does not specify who/what the data was collected from - of course
> one could add another fact using e.g. prov:Agent
>
> Therefore, I would propose having properties for (a) source (b)
> agent/entity.
>
> That being said, there can be multiple sources of data e.g. smartphone,
> web-browser, smartwatch. How they should be represented depends on the
> interpretation whether they are separate instances of processing for
> each device or a single instance of processing with multiple sources. Do
> we support both these interpretations? (IMHO we should)
>
> 6) Agents missing in DPV
> - Joint Data Controller
> - DPO
> - Controller representative
> - Processor representative (representative should be an abstract category?)
> - DPA (data protection authority)
>
> 7) GDPR specific items
> - There are some (very) GDPR specific items in the list e.g. legal basis
> and obligations for contract
> - If these are to be defined, they have to be done within dpv-gdpr
>
> 8) Purpose
> - this is defined in dpv - https://www.w3.org/ns/dpv#purpose
>
> 9) Processing categories
> - this is defined in dpv - https://www.w3.org/ns/dpv#processing
>
> 10) Automated decision making
> - this is defined in dpv -
> https://www.w3.org/ns/dpv#dpv:isAutomatedDecisionMaking
> - Logic of automated decision making: DPV does not provide a way to
> describe this currently
> - Describing the logic means we should provide a way to describe logic
> of processing in general (same concepts)
> - Describing consequences would also be similar to the above
> - How to do this?
>
> 11) Data Transfer
> - dpv currently has transfer as a processing category
> https://www.w3.org/ns/dpv#transfer
> - To specify location of transfer, again - we have a location property
> which should be used - which means changing its definition
> - And we already have storage as a restriction
> https://www.w3.org/ns/dpv#storage
> - The larger question here is what the location specifies - location of
> where the data will end up or location of recipient (this affects how
> the property is defined and used). To me, data transfer location would
> indicate where the data ends up being located in. This should be
> clarified in the definition.
> - For location identification, adopters should be able to use their
> preferred method e.g. ISO country codes, plain strings
> - Do we provide a list of "third countries" under GDPR? (IMHO this is
> complicated - not my cup of tea!)
>
> 12) Technical organisational measures
> - This is defined in dpv -
> https://www.w3.org/ns/dpv#dpv:TechnicalOrganisationalMeasure
>
> 13) Data Storage period
> - This is defined in dpv - https://www.w3.org/ns/dpv#storage-duration
> - criteria to determine storage period is currently not defined, so how
> to associate this with storage duration?
> - I see some common semantics in providing explanation of processing,
> effects of processing, criteria to determine storage period - can we
> leverage this to provide a generic attribute that can be tacked on
> anything to provide more information and/or explanations? dpv already
> has a "measure implemented by" property which is not directly applicable
> but related https://www.w3.org/ns/dpv#measure-implemented-by
>
> 14) Time limit for data erasure
> - Is this defined in DPV? And is this separate from data storage
> duration? To my understanding, does data storage indicate time duration
> the data will be stored for, whereas time duration for data erasure when
> the data will be erased *after* the storage period???
> - We define duration of data storage (see above)
>
> 15) Recipients
> - this is defined in dpv - https://www.w3.org/ns/dpv#recipient
>
> 16) Legitimate interest
> - this is GDPR specific as a legal basis
> - we currently do not provide any means to specify the specifics of
> legitimate interest e.g. description. To my understanding, a
> semantic-web property should be used to indicate this, but which?
> rdfs:comment? Should DPV provide a generic property for annotating with
> additional information within the context of DPV (as opposed to RDFS
> being super-generic)?
> - we currently do not provide a way to indicate the legitimate interest
> is associated with controller or third party -> how to do this?
>
> 17) Legal Basis
> - this is defined in dpv - https://www.w3.org/ns/dpv#legal-basis
> - GDPR specific legal basis are defined in dpv-gdpr
>
> 18) Rights
> - We do not have the concept of rights in DPV - this needs to be added
> - Where to define them? PersonalDataHandling? To my understanding,
> rights are obligations that are based on context e.g. if data is
> collected from data subject then the data subject has the right to
> obtain this data (right to data portability) - which means the right is
> only valid in the context where a) processing is 'collect' b) source of
> data is data subject.
> - For now, we should at least provide the concept of Legal Right, and the
> GDPR specific rights can (should?) be added to dpv-gdpr
>
> @Georg (FYI) the email loses formatting in plain-text on the mailing
> list https://lists.w3.org/Archives/Public/public-dpvcg/2020May/0014.html
> We can put these tables in the wiki for better persistence.
>
> Regards,
> Harsh
>
> On 29/05/2020 13:51, Georg Philip Krog wrote:
> > Hi everyone,
> >
> > I and Signatu contribute with new field values for the DPV taken from
> > the GDPR across Art 13 (Privacy Policy), 14 (Privacy Policy), 15
> > (access right information) and 30 (Records of processing activities).
> >
> > Please have a look:
> >
> > Value categories DPV GDPR Art 13 GDPR Art 14 GDPR Art 15 GDPR Art
> > 30.1 GDPR Art 30.2
> > Data Subject FALSE
> >
> >
> > A description of the categories of data subjects and of the
> > categories of personal data, GDPR Article 30.1(c).
> > Data Controller Identity FALSE Data Controller Identity, GDPR Art
> > 13.1(a) Data Controller Identity, GDPR Art 14.1(a)
> > The name of the Data Controller, GDPR Article 30.1(a) Data
> > Controller Identity, GDPR Art 30.2(a)
> > Data Controller Contact Details FALSE Data Controller Contact
> > Details, GDPR Art 13.1(a) Data Controller Major task for the day:
> > - [ ] [[id:34a7168f-0c0b-458e-8241-8983b94b0972][Send email to
> > Cristiana with ideas]]
> > - [ ] DPVCG - [[id:a7af1cc8-e004-4409-9570-8b37b351cb17][Future
> > Deliverables and Timeline]]
> >
> > Minor tasks for the day:
> > - [ ] DPVCG - [[id:00839c20-4191-4870-9d32-d63498e1a8f7][Review
> > Signatu's privacy-policy concepts]]
> > - [ ] DPVCG - [[id:a1ec628d-dc21-4cb7-9af1-c56bbb59dc4f][Review
> > Signatu's concepts for Art13/14 and ISO29184]]
> > - [ ] DPVCG - [[id:3cf2308e-d3ed-4308-80b2-f772de407cb2][Review
> > Signatu's personal data categories concepts]]
> > - [ ] DPVCG - [[id:2cc99f78-81db-4df3-95eb-03d15379f23b][Review
> > Signatu's purpose concepts]]
> > - [ ] DPVCG - [[id:5e7a8427-f15e-4130-8bce-b65332ece50c][Review
> > SPECIAL's presentation shared by Axel]]
> >
> > If I'm bored, I should do:
> > - [ ] [[id:bc663445-8737-4ba8-a0c2-76b27a74121c][re-organise folders
> > for PhD -> general research]]
> > - [ ] [[id:c79106af-a2d8-4b25-8032-1cbabffc2291][Plan upcoming
> > potential publications]]
> > Contact Details, GDPR Art 14.1(a)
> > Data Controller Contact Details, GDPR Article 30.1(a) Data
> > Controller Contact Details, GDPR Art 30.2(a)
> > Data Controller Representative FALSE Data Controller Representative,
> > GDPR Art 13.1(a) Data Controller Representative, GDPR Art 14.1(a)
> >
> > Data Controller Representative, GDPR Art 30.2(a)
> > Data Protection Officer FALSE Data Protection Officer of Data
> > Controller, GDPR Art 13.1(b) Data Protection Officer of Data
> > Controller, GDPR Art 14.1(b)
> > Data Protection Officer of Data Controller, GDPR Article 30.1(a)
> > Data Protection Officer, GDPR Art 30.2(a)
> > Data Protection Office Contact Details FALSE Data Protection Officer
> > Contact Details, GDPR Art 13.1(b) Data Protection Officer Contact
> > Details, GDPR Art 14.1(b)
> > Data Protection Officer Contact Details, GDPR Article 30.1(a)
> > Joint Controller FALSE
> >
> >
> > The joint controller, where applicable, GDPR Article 30.1(a)
> > Data Processor FALSE
> >
> >
> >
> > The Data Processor, GDPR Art 30.2(a)
> > Data Processor Representative FALSE
> >
> >
> >
> > The Data Processor Representative, GDPR Art 30.2(a)
> > Personal Data FALSE The personal data, GDPR Art 13.1(c) The
> > categories of personal data, GDPR Art 14.1(d) The categories of
> > personal data, GDPR Art 15.1(b)
> >
> > Personal Data Source FALSE
> > From which source the personal data originate, GDPR Art 14.2(f).
> > Where the personal data are not collected from the data subject, any
> > available information as to their source, GDPR Art 15.1(g).
> >
> > Personal Data Public or Private Source FALSE
> > Whether the personal data originate from publicly accessible sources,
> > GDPR Art 14.2(f).
> >
> >
> > Personal Data Provision Legal Basis FALSE Whether the provision of
> > personal data is a statutory or contractual requirement, or a
> > requirement necessary to enter into a contract, GDPR Art 13.2(e).
> >
> >
> >
> > Personal Data Provision obligation FALSE Whether the data subject is
> > obliged to provide the personal data, GDPR Art 13.2(e).
> >
> >
> >
> > Consequence of data provision failure to provide personal data FALSE
> > The possible consequences of failure to provide personal data, GDPR
> > Art 13.2(e).
> >
> >
> >
> > Purposes FALSE Purposes of the Processing, GDPR Art 13.1(c) Data
> > Controller Identity, GDPR Art 14.1(c) The purposes of the processing,
> > GDPR Art 15.1(a) The purposes of the processing, GDPR Article 30.1(b)
> > Processing Categories Classes FALSE GDPR Art 4.2
> >
> >
> > The categories of processing carried out on behalf of each
> > controller, GDPR Art 30.2(b)
> > Processing Categories Classes FALSE
> >
> >
> >
> >
> > Automated decision-making and profiling FALSE The existence of
> > automated decision-making, including profiling, referred to in Article
> > 22(1) and (4), GDPR Art 13.2(f). The existence of automated
> > decision-making, including profiling, referred to in Article 22(1) and
> > (4), GDPR Art 14.2(g). The existence of automated decision-making,
> > including profiling, referred to in Article 22(1) and (4), GDPR Art
> > 15.1(h).
> >
> > Logic of automated decision-making and profiling FALSE Meaningful
> > information about the logic involved in automated decision-making,
> > including profiling, referred to in Article 22(1) and (4), GDPR Art
> > 13.2(f). Meaningful information about the logic involved in automated
> > decision-making, including profiling, referred to in Article 22(1) and
> > (4), GDPR Art 14.2(g). Meaningful information about the logic
> > involved in automated decision-making, including profiling, referred
> > to in Article 22(1) and (4), GDPR Art 15.1(h).
> >
> > Consequences of automated decision-making and profiling FALSE The
> > significance and the envisaged consequences of automated
> > decision-making, including profiling, referred to in Article 22(1) and
> > (4) for the data subject, GDPR Art 13.2(f). The significance and the
> > envisaged consequences of automated decision-making, including
> > profiling, referred to in Article 22(1) and (4) for the data subject,
> > GDPR Art 14.2(g).
> >
> >
> > Data transfer to third country FALSE Transfer of personal data to a
> > third country or to an international organisation, GDPR Art 13.1(f)
> > Transfer of personal data to a third country or to an international
> > organisation, GDPR Art 14.1(f). Transfer of personal data to a third
> > country or to an international organisation, GDPR Art 15.2. Transfers
> > of personal data to a third country or an international organisation,
> > GDPR Article 30.1(e). Transfers of personal data to a third country
> > or an international organisation, GDPR Art 30.2(c)
> > Third country name FALSE
> >
> >
> > Identification of the third country or international organisation,
> > GDPR Article 30.1(e). Identification of the third country or
> > international organisation, GDPR Art 30.2(c)
> > Data transfer legal basis FALSE Legal Basis for transfer to a third
> > country, GDPR Art 13.1(f) Legal Basis for transfer to a third
> > country, GDPR Art 14.1(f).
> > Legal Basis for transfer to a third country, GDPR Article 30.1(e).
> > Legal Basis for transfer to a third country, GDPR Art 30.2(c)
> > Technical and Organisational Measures FALSE
> >
> >
> > Where possible, a general description of the technical and
> > organisational security measures referred to in Article 32(1), GDPR
> > Art 30.1(g). Where possible, a general description of the technical
> > and organisational security measures referred to in Article 32(1),
> > GDPR Art 30.2.
> > Data storage period FALSE The period for which the personal data
> > will be stored, GDPR Art 13.2(a). The period for which the personal
> > data will be stored, GDPR Art 14.2(a). The envisaged period for which
> > the personal data will be stored, GDPR Art 15.1(d).
> >
> > Criteria to determine data storage period FALSE The criteria used to
> > determine the period for which the personal data will be stored, GDPR
> > Art 13.2(a). The criteria used to determine the period for which the
> > personal data will be stored, GDPR Art 14.2(a). The criteria used to
> > determine period for which the personal data will be stored, GDPR Art
> > 15.1(d).
> >
> > Time limit for data erasure FALSE
> >
> >
> > Where possible, the envisaged time limits for erasure of the
> > different categories of data, GDPR Art 30.1(f).
> > Recipients FALSE Recipients of categories of recipients of the
> > personal data (if any), GDPR Art 13.1(e) The recipients or categories
> > of recipients of the personal data, if any, GDPR Art 14.1(e). The
> > recipients or categories of recipient to whom the personal data have
> > been or will be disclosed, in particular recipients in third countries
> > or international organisations, GDPR Art 15.1(c) The categories of
> > recipients to whom the personal data have been or will be disclosed
> > including recipients in third countries or international
> > organisations, GDPR Article 30.1(d).
> > Legitimate interest of Data Controller FALSE Legitimate Interest (if
> > the processing is based on GDPR Art 6.1(f)), GDPR Art 13.1(d)
> > Legitimate Interest (if the processing is based on GDPR Art 6.1(f)),
> > GDPR Art 14.2(b)
> >
> >
> > Legitimate interest of Third Party FALSE Legitimate Interest (if the
> > processing is based on GDPR Art 6.1(f)), GDPR Art 13.1(d) Legitimate
> > Interest (if the processing is based on GDPR Art 6.1(f)), GDPR Art
> > 14.2(b)
> >
> >
> > Legal Basis FALSE Legal Basis for the Processing, GDPR Art 13.1(c)
> > Legal Basis for the Processing, GDPR Art 14.1(c)
> >
> >
> > Right to access FALSE The right to access to personal data, GDPR Art
> > 13.2(b). The right to access to personal data, GDPR Art 14.2(c).
> >
> >
> > Right to rectification FALSE The right to rectification of personal
> > data, GDPR Art 13.2(b). The right to rectification of personal data,
> > GDPR Art 14.2(c). The right to rectification of personal data, GDPR
> > Art 15.1(e).
> >
> > Right to erasure FALSE The right to erasure of personal data, GDPR
> > Art 13.2(b). The right to erasure of personal data, GDPR Art 14.2(c).
> > The right to erasure of personal data, GDPR Art 15.1(e).
> >
> > Right to restriction FALSE The right to restriction of processing
> > concerning the data subject, GDPR Art 13.2(b). The right to
> > restriction of processing concerning the data subject, GDPR Art
> > 14.2(c). The right to restriction of processing concerning the data
> > subject, GDPR Art 15.1(e).
> >
> > Right to object to processing FALSE The right to object to
> > processing, GDPR Art 13.2(b). The right to object to processing, GDPR
> > Art 14.2(c). The right to object to processing, GDPR Art 15.1(e).
> >
> > Right to data portability FALSE The right to data portability, GDPR
> > Art 13.2(b). The right to data portability, GDPR Art 14.2(c).
> >
> >
> > Right to withdraw consent FALSE The right to withdraw consent at any
> > time, without affecting the lawfulness of processing based on consent
> > before its withdrawal (where the processing is based on point (a) of
> > Article 6(1) or point (a) of Article 9(2)), GDPR Art 13.2(c). The
> > right to withdraw consent at any time, without affecting the
> > lawfulness of processing based on consent before its withdrawal (where
> > the processing is based on point (a) of Article 6(1) or point (a) of
> > Article 9(2)), GDPR Art 14.2(d).
> >
> >
> > Right to lodge a complaint FALSE The right to lodge a complaint with
> > a supervisory authority, GDPR Art 13.2(d). The right to lodge a
> > complaint with a supervisory authority, GDPR Art 14.2(e). The right
> > to lodge a complaint with a supervisory authority, GDPR Art 15.1(f).
> >
> >
> >
> > Best regards,
> > --
> > Georg Philip Krog
> >
> > signatu <https://signatu.com>
>
> --
> ---
> Harshvardhan Pandit, Ph.D
> Researcher at ADAPT Centre, Trinity College Dublin
> https://harshp.com/research/
>
>

--
---
Harshvardhan Pandit, Ph.D
Researcher at ADAPT Centre, Trinity College Dublin
https://harshp.com/research/

Received on Tuesday, 30 June 2020 09:46:42 UTC