Re: DPV Semantics

Thanks Harsh,

Here are some comments to your numbered points:

1)

Should the Data Controller address be convertible into geographic
coordinates?

https://www.bing.com/api/maps/sdkrelease/mapcontrol/isdk/searchbyaddress

https://developers.google.com/maps/documentation/geocoding/intro

2)

If two controllers participate in one and the same data processing action,
the two controllers are either joint-controllers or each controller is a
separate controller. Hence, Controller has the sub-class Separate
Controller or Joint Controller?

5)

An example:

On LinkedIn, (1) a controller collects my personal data, (2) which I on
LinkedIn made publicly available and which originate from me.

The controller can name the source where s/he collected the data
(LinkedIn), but cannot with certainty state that it was I who made the data
publicly available and that the data originated from me (i.e. I wrote the
text and made the photo of myself).

When the controller does not collect the data directly from the data
subject, the GDPR Article 14.2(f) wants specified (1).

11)

I do not think it is necessary to provide a list of third countries since
an adopter would need to state recipient name and recipient country and
then provide a transfer legal basis. If the transfer happens within the EU,
then the controller needs legal basis within GDPR Art 6 or 9.

Best regards,

Georg


On Tue, Jun 30, 2020 at 11:17 AM Harshvardhan J. Pandit <me@harshp.com>
wrote:

> Hello. Thank you Georg for providing the data.
>
> This email concerns ACTION-140 Share missing concepts in dpv for privacy
> policy generation
> https://www.w3.org/community/dpvcg/track/actions/140
>
> 1) Identity (Data Subject Identity, Data Controller Identity, etc.)
> - The semantic web (AFAIK) uses the IRI as the identity of the entity
> - In legal terms, however, identity refers to something else e.g.
> company name, number, address, etc. as the fields reflect
> - The question for DPVCG, then, is - how do we represent or suggest
> these be represented?
> - There are external vocabularies (e.g. FOAF) that define some of the
> semantics required here (e.g. name, address) that we should suggest for
> use. And if there is some specific legal requirement that is not
> captured/provided by existing (well-defined) work then we should provide
> that through DPV
> - Pros: flexibility and freedom to define attributes as required e.g.
> address as string or granular street name, post-code, etc.
> - Cons: adopters might want a single vocabulary i.e. DPV should provide
> all required concepts
>
> 2) Joint Controller
> - Should this be a sub-class of Controller given that a Joint Controller
> acts as a Controller? (IMHO - yes)
>
> 3) Data Processor
> - This is defined in dpv - https://www.w3.org/ns/dpv#dpv:DataProcessor
>
> 4) Personal data
> - This is defined in dpv -
> https://www.w3.org/ns/dpv#dpv:PersonalDataCategory
>
> 5) Source of personal data
> - IMO it is unclear whether this is an attribute associated with data
> collection i.e. where was data collected from OR origin i.e. where did
> this data originate from
> - We also (probably) need to define what/who the data was collected from
> - How to specify this?
>
> We already have a property 'location' within Technical measures that
> concerns storage restriction - to an uninformed mind this property would
> appear to also be suitable for use with source of personal data. But I
> do not think this is appropriate (see below)
> IMHO the source of personal data *is* associated with its collection and
> therefore should be defined as an attribute of processing.
>
> Doing something like this -
>
> x a dpv:Collect ;
>    dpv:location "phone" .
>
> has inherent problems:
> a) it is not clear whether the location specifies location of processing
> or data
> b) it does not specify who/what the data was collected from - of course
> one could add another fact using e.g. prov:Agent
>
> Therefore, I would propose having properties for (a) source (b)
> agent/entity.
>
> That being said, there can be multiple sources of data e.g. smartphone,
> web-browser, smartwatch. How they should be represented depends on the
> interpretation whether they are separate instances of processing for
> each device or a single instance of processing with multiple sources. Do
> we support both these interpretations? (IMHO we should)
>
> 6) Agents missing in DPV
> - Joint Data Controller
> - DPO
> - Controller representative
> - Processor representative (representative should be an abstract category?)
> - DPA (data protection authority)
>
> 7) GDPR specific items
> - There are some (very) GDPR specific items in the list e.g. legal basis
> and obligations for contract
> - If these are to be defined, they have to be done within dpv-gdpr
>
> 8) Purpose
> - this is defined in dpv - https://www.w3.org/ns/dpv#purpose
>
> 9) Processing categories
> - this is defined in dpv - https://www.w3.org/ns/dpv#processing
>
> 10) Automated decision making
> - this is defined in dpv -
> https://www.w3.org/ns/dpv#dpv:isAutomatedDecisionMaking
> - Logic of automated decision making: DPV does not provide a way to
> describe this currently
> - Describing the logic means we should provide a way to describe logic
> of processing in general (same concepts)
> - Describing consequences would also be similar to the above
> - How to do this?
>
> 11) Data Transfer
> - dpv currently has transfer as a processing category
> https://www.w3.org/ns/dpv#transfer
> - To specify location of transfer, again - we have a location property
> which should be used - which means changing its definition
> - And we already have storage as a restriction
> https://www.w3.org/ns/dpv#storage
> - The larger question here is what the location specifies - location of
> where the data will end up or location of recipient (this affects how
> the property is defined and used). To me, data transfer location would
> indicate where the data ends up being located in. This should be
> clarified in the definition.
> - For location identification, adopters should be able to use their
> preferred method e.g. ISO country codes, plain strings
> - Do we provide a list of "third countries" under GDPR? (IMHO this is
> complicated - not my cup of tea!)
>
> 12) Technical organisational measures
> - This is defined in dpv -
> https://www.w3.org/ns/dpv#dpv:TechnicalOrganisationalMeasure
>
> 13) Data Storage period
> - This is defined in dpv - https://www.w3.org/ns/dpv#storage-duration
> - criteria to determine storage period is currently not defined, so how
> to associate this with storage duration?
> - I see some common semantics in providing explanation of processing,
> effects of processing, criteria to determine storage period - can we
> leverage this to provide a generic attribute that can be tacked on
> anything to provide more information and/or explanations? dpv already
> has a "measure implemented by" property which is not directly applicable
> but related https://www.w3.org/ns/dpv#measure-implemented-by
>
> 14) Time limit for data erasure
> - Is this defined in DPV? And is this separate from data storage
> duration? To my understanding, does data storage indicate time duration
> the data will be stored for, whereas time duration for data erasure when
> the data will be erased *after* the storage period???
> - We define duration of data storage (see above)
>
> 15) Recipients
> - this is defined in dpv - https://www.w3.org/ns/dpv#recipient
>
> 16) Legitimate interest
> - this is GDPR specific as a legal basis
> - we currently do not provide any means to specify the specifics of
> legitimate interest e.g. description. To my understanding, a
> semantic-web property should be used to indicate this, but which?
> rdfs:comment? Should DPV provide a generic property for annotating with
> additional information within the context of DPV (as opposed to RDFS
> being super-generic)?
> - we currently do not provide a way to indicate the legitimate interest
> is associated with controller or third party -> how to do this?
>
> 17) Legal Basis
> - this is defined in dpv - https://www.w3.org/ns/dpv#legal-basis
> - GDPR specific legal basis are defined in dpv-gdpr
>
> 18) Rights
> - We do not have the concept of rights in DPV - this needs to be added
> - Where to define them? PersonalDataHandling? To my understanding,
> rights are obligations that are based on context e.g. if data is
> collected from data subject then the data subject has the right to
> obtain this data (right to data portability) - which means the right is
> only valid in the context where a) processing is 'collect' b) source of
> data is data subject.
> - For now, we should at least provide the concept of Legal Right, and the
> GDPR specific rights can (should?) be added to dpv-gdpr
>
> @Georg (FYI) the email loses formatting in plain-text on the mailing
> list https://lists.w3.org/Archives/Public/public-dpvcg/2020May/0014.html
> We can put these tables in the wiki for better persistence.
>
> Regards,
> Harsh
>
> On 29/05/2020 13:51, Georg Philip Krog wrote:
> > Hi everyone,
> >
> > I and Signatu contribute with new field values for the DPV taken from
> > the GDPR across Art 13 (Privacy Policy), 14 (Privacy Policy), 15
> > (access right information) and 30 (Records of processing activities).
> >
> > Please have a look:
> >
> > Columns: Value categories | DPV | GDPR Art 13 | GDPR Art 14 |
> > GDPR Art 15 | GDPR Art 30.1 | GDPR Art 30.2
> >
> > Data Subject | DPV: FALSE
> > - A description of the categories of data subjects and of the
> >   categories of personal data, GDPR Article 30.1(c).
> >
> > Data Controller Identity | DPV: FALSE
> > - Data Controller Identity, GDPR Art 13.1(a)
> > - Data Controller Identity, GDPR Art 14.1(a)
> > - The name of the Data Controller, GDPR Article 30.1(a)
> > - Data Controller Identity, GDPR Art 30.2(a)
> >
> > Data Controller Contact Details | DPV: FALSE
> > - Data Controller Contact Details, GDPR Art 13.1(a)
> > - Data Controller Contact Details, GDPR Art 14.1(a)
> > - Data Controller Contact Details, GDPR Article 30.1(a)
> > - Data Controller Contact Details, GDPR Art 30.2(a)
> >
> > Data Controller Representative | DPV: FALSE
> > - Data Controller Representative, GDPR Art 13.1(a)
> > - Data Controller Representative, GDPR Art 14.1(a)
> > - Data Controller Representative, GDPR Art 30.2(a)
> >
> > Data Protection Officer | DPV: FALSE
> > - Data Protection Officer of Data Controller, GDPR Art 13.1(b)
> > - Data Protection Officer of Data Controller, GDPR Art 14.1(b)
> > - Data Protection Officer of Data Controller, GDPR Article 30.1(a)
> > - Data Protection Officer, GDPR Art 30.2(a)
> >
> > Data Protection Officer Contact Details | DPV: FALSE
> > - Data Protection Officer Contact Details, GDPR Art 13.1(b)
> > - Data Protection Officer Contact Details, GDPR Art 14.1(b)
> > - Data Protection Officer Contact Details, GDPR Article 30.1(a)
> >
> > Joint Controller | DPV: FALSE
> > - The joint controller, where applicable, GDPR Article 30.1(a)
> >
> > Data Processor | DPV: FALSE
> > - The Data Processor, GDPR Art 30.2(a)
> >
> > Data Processor Representative | DPV: FALSE
> > - The Data Processor Representative, GDPR Art 30.2(a)
> >
> > Personal Data | DPV: FALSE
> > - The personal data, GDPR Art 13.1(c)
> > - The categories of personal data, GDPR Art 14.1(d)
> > - The categories of personal data, GDPR Art 15.1(b)
> >
> > Personal Data Source | DPV: FALSE
> > - From which source the personal data originate, GDPR Art 14.2(f).
> > - Where the personal data are not collected from the data subject,
> >   any available information as to their source, GDPR Art 15.1(g).
> >
> > Personal Data Public or Private Source | DPV: FALSE
> > - Whether the personal data originate from publicly accessible
> >   sources, GDPR Art 14.2(f).
> >
> > Personal Data Provision Legal Basis | DPV: FALSE
> > - Whether the provision of personal data is a statutory or
> >   contractual requirement, or a requirement necessary to enter into
> >   a contract, GDPR Art 13.2(e).
> >
> > Personal Data Provision obligation | DPV: FALSE
> > - Whether the data subject is obliged to provide the personal data,
> >   GDPR Art 13.2(e).
> >
> > Consequence of data provision failure to provide personal data |
> > DPV: FALSE
> > - The possible consequences of failure to provide personal data,
> >   GDPR Art 13.2(e).
> >
> > Purposes | DPV: FALSE
> > - Purposes of the Processing, GDPR Art 13.1(c)
> > - Data Controller Identity, GDPR Art 14.1(c)
> > - The purposes of the processing, GDPR Art 15.1(a)
> > - The purposes of the processing, GDPR Article 30.1(b)
> >
> > Processing Categories Classes | DPV: FALSE
> > - GDPR Art 4.2
> > - The categories of processing carried out on behalf of each
> >   controller, GDPR Art 30.2(b)
> >
> > Processing Categories Classes | DPV: FALSE
> >
> > Automated decision-making and profiling | DPV: FALSE
> > - The existence of automated decision-making, including profiling,
> >   referred to in Article 22(1) and (4), GDPR Art 13.2(f).
> > - The existence of automated decision-making, including profiling,
> >   referred to in Article 22(1) and (4), GDPR Art 14.2(g).
> > - The existence of automated decision-making, including profiling,
> >   referred to in Article 22(1) and (4), GDPR Art 15.1(h).
> >
> > Logic of automated decision-making and profiling | DPV: FALSE
> > - Meaningful information about the logic involved in automated
> >   decision-making, including profiling, referred to in Article 22(1)
> >   and (4), GDPR Art 13.2(f).
> > - Meaningful information about the logic involved in automated
> >   decision-making, including profiling, referred to in Article 22(1)
> >   and (4), GDPR Art 14.2(g).
> > - Meaningful information about the logic involved in automated
> >   decision-making, including profiling, referred to in Article 22(1)
> >   and (4), GDPR Art 15.1(h).
> >
> > Consequences of automated decision-making and profiling | DPV: FALSE
> > - The significance and the envisaged consequences of automated
> >   decision-making, including profiling, referred to in Article 22(1)
> >   and (4) for the data subject, GDPR Art 13.2(f).
> > - The significance and the envisaged consequences of automated
> >   decision-making, including profiling, referred to in Article 22(1)
> >   and (4) for the data subject, GDPR Art 14.2(g).
> >
> > Data transfer to third country | DPV: FALSE
> > - Transfer of personal data to a third country or to an
> >   international organisation, GDPR Art 13.1(f)
> > - Transfer of personal data to a third country or to an
> >   international organisation, GDPR Art 14.1(f).
> > - Transfer of personal data to a third country or to an
> >   international organisation, GDPR Art 15.2.
> > - Transfers of personal data to a third country or an international
> >   organisation, GDPR Article 30.1(e).
> > - Transfers of personal data to a third country or an international
> >   organisation, GDPR Art 30.2(c)
> >
> > Third country name | DPV: FALSE
> > - Identification of the third country or international organisation,
> >   GDPR Article 30.1(e).
> > - Identification of the third country or international organisation,
> >   GDPR Art 30.2(c)
> >
> > Data transfer legal basis | DPV: FALSE
> > - Legal Basis for transfer to a third country, GDPR Art 13.1(f)
> > - Legal Basis for transfer to a third country, GDPR Art 14.1(f).
> > - Legal Basis for transfer to a third country, GDPR Article 30.1(e).
> > - Legal Basis for transfer to a third country, GDPR Art 30.2(c)
> >
> > Technical and Organisational Measures | DPV: FALSE
> > - Where possible, a general description of the technical and
> >   organisational security measures referred to in Article 32(1),
> >   GDPR Art 30.1(g).
> > - Where possible, a general description of the technical and
> >   organisational security measures referred to in Article 32(1),
> >   GDPR Art 30.2.
> >
> > Data storage period | DPV: FALSE
> > - The period for which the personal data will be stored, GDPR Art
> >   13.2(a).
> > - The period for which the personal data will be stored, GDPR Art
> >   14.2(a).
> > - The envisaged period for which the personal data will be stored,
> >   GDPR Art 15.1(d).
> >
> > Criteria to determine data storage period | DPV: FALSE
> > - The criteria used to determine the period for which the personal
> >   data will be stored, GDPR Art 13.2(a).
> > - The criteria used to determine the period for which the personal
> >   data will be stored, GDPR Art 14.2(a).
> > - The criteria used to determine period for which the personal data
> >   will be stored, GDPR Art 15.1(d).
> >
> > Time limit for data erasure | DPV: FALSE
> > - Where possible, the envisaged time limits for erasure of the
> >   different categories of data, GDPR Art 30.1(f).
> >
> > Recipients | DPV: FALSE
> > - Recipients or categories of recipients of the personal data (if
> >   any), GDPR Art 13.1(e)
> > - The recipients or categories of recipients of the personal data,
> >   if any, GDPR Art 14.1(e).
> > - The recipients or categories of recipient to whom the personal
> >   data have been or will be disclosed, in particular recipients in
> >   third countries or international organisations, GDPR Art 15.1(c)
> > - The categories of recipients to whom the personal data have been
> >   or will be disclosed including recipients in third countries or
> >   international organisations, GDPR Article 30.1(d).
> >
> > Legitimate interest of Data Controller | DPV: FALSE
> > - Legitimate Interest (if the processing is based on GDPR Art
> >   6.1(f)), GDPR Art 13.1(d)
> > - Legitimate Interest (if the processing is based on GDPR Art
> >   6.1(f)), GDPR Art 14.2(b)
> >
> > Legitimate interest of Third Party | DPV: FALSE
> > - Legitimate Interest (if the processing is based on GDPR Art
> >   6.1(f)), GDPR Art 13.1(d)
> > - Legitimate Interest (if the processing is based on GDPR Art
> >   6.1(f)), GDPR Art 14.2(b)
> >
> > Legal Basis | DPV: FALSE
> > - Legal Basis for the Processing, GDPR Art 13.1(c)
> > - Legal Basis for the Processing, GDPR Art 14.1(c)
> >
> > Right to access | DPV: FALSE
> > - The right to access to personal data, GDPR Art 13.2(b).
> > - The right to access to personal data, GDPR Art 14.2(c).
> >
> > Right to rectification | DPV: FALSE
> > - The right to rectification of personal data, GDPR Art 13.2(b).
> > - The right to rectification of personal data, GDPR Art 14.2(c).
> > - The right to rectification of personal data, GDPR Art 15.1(e).
> >
> > Right to erasure | DPV: FALSE
> > - The right to erasure of personal data, GDPR Art 13.2(b).
> > - The right to erasure of personal data, GDPR Art 14.2(c).
> > - The right to erasure of personal data, GDPR Art 15.1(e).
> >
> > Right to restriction | DPV: FALSE
> > - The right to restriction of processing concerning the data
> >   subject, GDPR Art 13.2(b).
> > - The right to restriction of processing concerning the data
> >   subject, GDPR Art 14.2(c).
> > - The right to restriction of processing concerning the data
> >   subject, GDPR Art 15.1(e).
> >
> > Right to object to processing | DPV: FALSE
> > - The right to object to processing, GDPR Art 13.2(b).
> > - The right to object to processing, GDPR Art 14.2(c).
> > - The right to object to processing, GDPR Art 15.1(e).
> >
> > Right to data portability | DPV: FALSE
> > - The right to data portability, GDPR Art 13.2(b).
> > - The right to data portability, GDPR Art 14.2(c).
> >
> > Right to withdraw consent | DPV: FALSE
> > - The right to withdraw consent at any time, without affecting the
> >   lawfulness of processing based on consent before its withdrawal
> >   (where the processing is based on point (a) of Article 6(1) or
> >   point (a) of Article 9(2)), GDPR Art 13.2(c).
> > - The right to withdraw consent at any time, without affecting the
> >   lawfulness of processing based on consent before its withdrawal
> >   (where the processing is based on point (a) of Article 6(1) or
> >   point (a) of Article 9(2)), GDPR Art 14.2(d).
> >
> > Right to lodge a complaint | DPV: FALSE
> > - The right to lodge a complaint with a supervisory authority, GDPR
> >   Art 13.2(d).
> > - The right to lodge a complaint with a supervisory authority, GDPR
> >   Art 14.2(e).
> > - The right to lodge a complaint with a supervisory authority, GDPR
> >   Art 15.1(f).
> >
> >
> >
> > Best regards,
> > --
> > Georg Philip Krog
> >
> > signatu <https://signatu.com>
>
> --
> ---
> Harshvardhan Pandit, Ph.D
> Researcher at ADAPT Centre, Trinity College Dublin
> https://harshp.com/research/
>
>

-- 
Georg Philip Krog

signatu <https://signatu.com>

Received on Tuesday, 30 June 2020 14:27:00 UTC