Re: DPV Semantics

Hello. See replies inline.

On 30/06/2020 14:35, Georg Philip Krog wrote:
> 1)
> Should the Data Controller address be convertible into geographic 
> coordinates?

No, I do not believe that addresses should be limited to co-ordinate 
systems because this is not required for all use-cases.
A string/text address is an acceptable form.
Further, given a generic concept 'Address' it is possible to annotate it 
to specify a) single-line text address e.g. b) specific 
components of address like street and post-code e.g. c) 
co-ordinates e.g. dbpedia latd/longd

> 2)
> If two controllers participate in one and the same data processing 
> action, the two controllers are either joint-controllers or each 
> controller is a separate controller. Hence, Controller has the sub-class 
> Separate Controller or Joint Controller?

I don't know how to resolve this legally.
To my understanding, a joint controller is a combined legal entity 
comprised of two or more controllers where the joint controller acts as 
a (single) controller for the purposes of interpreting GDPR obligations.
Therefore, a joint controller *is a* controller.

Now GDPR Art 4-7 defines 'controller' as "the natural or legal person, 
public authority, agency or other body which, alone or jointly with 

I do not agree with separate controller as a good title, maybe 
independent controller is more appropriate?

a) So we either have a concept called 'independent controller' and 
'joint controller' as subclasses of 'controller'; OR
b) We only have 'joint controller' and instance of (only) 'controller' 
means independent controller.

If we go with (a), then it means there can be no instances of 
'Controller', and most adopters would have to use 
'IndependentController' - which is not what I would be happy with in 
general usage - which is actually (b).

But this is my limited notion from the pov of technicalities. A legal 
expert should resolve this IMO.

> 5)
> An example:
> On Linkedin, (1) a controller collects my personal data, (2) which I on 
> Linkedin made publicly available and which originate from me.
> The controller can name the source where s/he collected the data 
> (Linkedin), but cannot with certainty state that it was I who made the 
> data publicly available and that the data originated from me (i.e. I 
> wrote the text and made the photo of myself).
> When the controller does not collect the data directly from the data 
> subject, the GDPR Article 14.2(f) wants specified (1).

What are you proposing the DPV should provide?

Harshvardhan Pandit, Ph.D
Researcher at ADAPT Centre, Trinity College Dublin

Received on Tuesday, 30 June 2020 14:04:18 UTC