- From: Joss Langford <joss@coelition.org>
- Date: Tue, 30 Jun 2020 14:38:43 +0000
- To: Georg Philip Krog <georg@signatu.com>, "Harshvardhan J. Pandit" <me@harshp.com>
- CC: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
- Message-ID: <bbfc5e5503074644a03a8b67c6b330ee@THHSTE15D5BE2.hs20.net>
I agree that you need to be a bit careful with classifications around joint controllers. When joint controllers take on the role of the controller together:

* Either both have all the responsibilities/capabilities of the controller and their ‘arrangement’ just specifies who leads in any area (sometimes called controllers-in-common); or
* Neither controller has all the responsibilities/capabilities alone and the ‘arrangement’ specifies exclusive responsibilities/capabilities.

The latter case arises in pseudonymised-at-source implementations. A test for “joint-controllers or each controller is a separate controller” under GDPR could be the existence of an ‘arrangement’.

Joss

This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. Coelition is a not-for-profit company limited by guarantee registered in England & Wales (8402657) 12th Floor 6 New Street Square, London, England, EC4A 3BF

From: Georg Philip Krog <georg@signatu.com>
Sent: 30 June 2020 14:35
To: Harshvardhan J. Pandit <me@harshp.com>
Cc: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Subject: Re: DPV Semantics

Thanks Harsh,

Here are some comments to your numbered points:

1) Should the Data Controller address be convertible into geographic coordinates?
https://www.bing.com/api/maps/sdkrelease/mapcontrol/isdk/searchbyaddress
https://developers.google.com/maps/documentation/geocoding/intro

2) If two controllers participate in one and the same data processing action, the two controllers are either joint-controllers or each controller is a separate controller. Hence, Controller has the sub-class Separate Controller or Joint Controller?

5) An example: On Linkedin, (1) a controller collects my personal data, (2) which I on Linkedin made publicly available and which originate from me. The controller can name the source where s/he collected the data (Linkedin), but cannot with certainty state that it was I who made the data publicly available and that the data originated from me (i.e. I wrote the text and made the photo of myself). When the controller does not collect the data directly from the data subject, the GDPR Article 14.2(f) wants specified (1).

11) I do not think it is necessary to provide a list of third countries since an adopter would need to state recipient name and recipient country and then provide a transfer legal basis. If the transfer happens within the EU, then the controller needs legal basis within GDPR Art 6 or 9.

Best regards,
Georg

On Tue, Jun 30, 2020 at 11:17 AM Harshvardhan J. Pandit <me@harshp.com> wrote:

Hello. Thank you Georg for providing the data.
This email concerns ACTION-140 Share missing concepts in dpv for privacy policy generation https://www.w3.org/community/dpvcg/track/actions/140

1) Identity (Data Subject Identity, Data Controller Identity, etc.)
- The semantic web (AFAIK) uses the IRI as the identity of the entity
- In legal terms, however, identity refers to something else e.g. company name, number, address, etc. as the fields reflect
- The question for DPVCG, then, is - how do we represent or suggest these be represented?
- There are external vocabularies (e.g. FOAF) that define some of the semantics required here (e.g. name, address) that we should suggest for use. And if there is some specific legal requirement that is not captured/provided by existing (well-defined) work then we should provide that through DPV
- Pros: flexibility and freedom to define attributes as required e.g. address as string or granular street name, post-code, etc.
- Cons: adopters might want a single vocabulary i.e. DPV should provide all required concepts

2) Joint Controller
- Should this be a sub-class of Controller given that a Joint Controller acts as a Controller?
(IMHO - yes)

3) Data Processor
- This is defined in dpv - https://www.w3.org/ns/dpv#dpv:DataProcessor

4) Personal data
- This is defined in dpv - https://www.w3.org/ns/dpv#dpv:PersonalDataCategory

5) Source of personal data
- IMO it is unclear whether this is an attribute associated with data collection i.e. where was data collected from OR origin i.e. where did this data originate from
- We also (probably) need to define what/who the data was collected from
- How to specify this? We already have a property 'location' within Technical measures that concerns storage restriction - to an uninformed mind this property would appear to also be suitable for use with source of personal data. But I do not think this is appropriate (see below)

IMHO the source of personal data *is* associated with its collection and therefore should be defined as an attribute of processing. Doing something like this -

    x a dpv:Collect ; dpv:location "phone" .

has inherent problems:
a) it is not clear whether the location specifies location of processing or data
b) it does not specify who/what the data was collected from - of course one could add another fact using e.g. prov:Agent

Therefore, I would propose having properties for (a) source (b) agent/entity.

That being said, there can be multiple sources of data e.g. smartphone, web-browser, smartwatch. How they should be represented depends on the interpretation whether they are separate instances of processing for each device or a single instance of processing with multiple sources. Do we support both these interpretations? (IMHO we should)

6) Agents missing in DPV
- Joint Data Controller
- DPO
- Controller representative
- Processor representative (representative should be an abstract category?)
- DPA (data protection authority)

7) GDPR specific items
- There are some (very) GDPR specific items in the list e.g. legal basis and obligations for contract
- If these are to be defined, they have to be done within dpv-gdpr

8) Purpose
- this is defined in dpv - https://www.w3.org/ns/dpv#purpose

9) Processing categories
- this is defined in dpv - https://www.w3.org/ns/dpv#processing

10) Automated decision making
- this is defined in dpv - https://www.w3.org/ns/dpv#dpv:isAutomatedDecisionMaking
- Logic of automated decision making: DPV does not provide a way to describe this currently
- Describing the logic means we should provide a way to describe logic of processing in general (same concepts)
- Describing consequences would also be similar to the above
- How to do this?

11) Data Transfer
- dpv currently has transfer as a processing category https://www.w3.org/ns/dpv#transfer
- To specify location of transfer, again - we have a location property which should be used - which means changing its definition
- And we already have storage as a restriction https://www.w3.org/ns/dpv#storage
- The larger question here is what the location specifies - location of where the data will end up or location of recipient (this affects how the property is defined and used). To me, data transfer location would indicate where the data ends up being located in. This should be clarified in the definition.
- For location identification, adopters should be able to use their preferred method e.g. ISO country codes, plain strings
- Do we provide a list of "third countries" under GDPR? (IMHO this is complicated - not my cup of tea!)

12) Technical organisational measures
- This is defined in dpv - https://www.w3.org/ns/dpv#dpv:TechnicalOrganisationalMeasure

13) Data Storage period
- This is defined in dpv - https://www.w3.org/ns/dpv#storage-duration
- criteria to determine storage period is currently not defined, so how to associate this with storage duration?
- I see some common semantics in providing explanation of processing, effects of processing, criteria to determine storage period - can we leverage this to provide a generic attribute that can be tacked on anything to provide more information and/or explanations? dpv already has a "measure implemented by" property which is not directly applicable but related https://www.w3.org/ns/dpv#measure-implemented-by

14) Time limit for data erasure
- Is this defined in DPV? And is this separate from data storage duration? To my understanding, does data storage indicate the time duration the data will be stored for, whereas the time limit for data erasure indicates when the data will be erased *after* the storage period???
- We define duration of data storage (see above)

15) Recipients
- this is defined in dpv - https://www.w3.org/ns/dpv#recipient

16) Legitimate interest
- this is GDPR specific as a legal basis
- we currently do not provide any means to specify the specifics of legitimate interest e.g. description. To my understanding, a semantic-web property should be used to indicate this, but which? rdfs:comment? Should DPV provide a generic property for annotating with additional information within the context of DPV (as opposed to RDFS being super-generic)?
- we currently do not provide a way to indicate the legitimate interest is associated with controller or third party -> how to do this?

17) Legal Basis
- this is defined in dpv - https://www.w3.org/ns/dpv#legal-basis
- GDPR specific legal basis are defined in dpv-gdpr

18) Rights
- We do not have the concept of rights in DPV - this needs to be added
- Where to define them? PersonalDataHandling? To my understanding, rights are obligations that are based on context e.g. if data is collected from data subject then the data subject has the right to obtain this data (right to data portability) - which means the right is only valid in the context where a) processing is 'collect' b) source of data is data subject.
- For now, we should at least provide the concept of Legal Right, and the GDPR specific rights can (should?) be added to dpv-gdpr

@Georg (FYI) the email loses formatting in plain-text on the mailing list https://lists.w3.org/Archives/Public/public-dpvcg/2020May/0014.html
We can put these tables in the wiki for better persistence.

Regards,
Harsh

On 29/05/2020 13:51, Georg Philip Krog wrote:
> Hi everyone,
>
> I and Signatu contribute with new field values for the DPV taken from
> the GDPR across Art 13 (Privacy Policy), 14 (Privacy Policy), 15
> (access right information) and 30 (Records of processing activities).
>
> Please have a look:
>
> Table columns: Value categories | DPV | GDPR Art 13 | GDPR Art 14 | GDPR Art 15 | GDPR Art 30.1 | GDPR Art 30.2
> (each row below gives the value category, the DPV column value, and then every non-empty GDPR column)
>
> Data Subject | DPV: FALSE
>   GDPR Art 30.1: A description of the categories of data subjects and of the categories of personal data, GDPR Article 30.1(c).
>
> Data Controller Identity | DPV: FALSE
>   GDPR Art 13: Data Controller Identity, GDPR Art 13.1(a)
>   GDPR Art 14: Data Controller Identity, GDPR Art 14.1(a)
>   GDPR Art 30.1: The name of the Data Controller, GDPR Article 30.1(a)
>   GDPR Art 30.2: Data Controller Identity, GDPR Art 30.2(a)
>
> Data Controller Contact Details | DPV: FALSE
>   GDPR Art 13: Data Controller Contact Details, GDPR Art 13.1(a)
>   GDPR Art 14: Data Controller Contact Details, GDPR Art 14.1(a)
>   GDPR Art 30.1: Data Controller Contact Details, GDPR Article 30.1(a)
>   GDPR Art 30.2: Data Controller Contact Details, GDPR Art 30.2(a)
>
> Data Controller Representative | DPV: FALSE
>   GDPR Art 13: Data Controller Representative, GDPR Art 13.1(a)
>   GDPR Art 14: Data Controller Representative, GDPR Art 14.1(a)
>   GDPR Art 30.2: Data Controller Representative, GDPR Art 30.2(a)
>
> Data Protection Officer | DPV: FALSE
>   GDPR Art 13: Data Protection Officer of Data Controller, GDPR Art 13.1(b)
>   GDPR Art 14: Data Protection Officer of Data Controller, GDPR Art 14.1(b)
>   GDPR Art 30.1: Data Protection Officer of Data Controller, GDPR Article 30.1(a)
>   GDPR Art 30.2: Data Protection Officer, GDPR Art 30.2(a)
>
> Data Protection Officer Contact Details | DPV: FALSE
>   GDPR Art 13: Data Protection Officer Contact Details, GDPR Art 13.1(b)
>   GDPR Art 14: Data Protection Officer Contact Details, GDPR Art 14.1(b)
>   GDPR Art 30.1: Data Protection Officer Contact Details, GDPR Article 30.1(a)
>
> Joint Controller | DPV: FALSE
>   GDPR Art 30.1: The joint controller, where applicable, GDPR Article 30.1(a)
>
> Data Processor | DPV: FALSE
>   GDPR Art 30.2: The Data Processor, GDPR Art 30.2(a)
>
> Data Processor Representative | DPV: FALSE
>   GDPR Art 30.2: The Data Processor Representative, GDPR Art 30.2(a)
>
> Personal Data | DPV: FALSE
>   GDPR Art 13: The personal data, GDPR Art 13.1(c)
>   GDPR Art 14: The categories of personal data, GDPR Art 14.1(d)
>   GDPR Art 15: The categories of personal data, GDPR Art 15.1(b)
>
> Personal Data Source | DPV: FALSE
>   GDPR Art 14: From which source the personal data originate, GDPR Art 14.2(f).
>   GDPR Art 15: Where the personal data are not collected from the data subject, any available information as to their source, GDPR Art 15.1(g).
>
> Personal Data Public or Private Source | DPV: FALSE
>   GDPR Art 14: Whether the personal data originate from publicly accessible sources, GDPR Art 14.2(f).
>
> Personal Data Provision Legal Basis | DPV: FALSE
>   GDPR Art 13: Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, GDPR Art 13.2(e).
>
> Personal Data Provision obligation | DPV: FALSE
>   GDPR Art 13: Whether the data subject is obliged to provide the personal data, GDPR Art 13.2(e).
>
> Consequence of failure to provide personal data | DPV: FALSE
>   GDPR Art 13: The possible consequences of failure to provide personal data, GDPR Art 13.2(e).
>
> Purposes | DPV: FALSE
>   GDPR Art 13: Purposes of the Processing, GDPR Art 13.1(c)
>   GDPR Art 14: Data Controller Identity, GDPR Art 14.1(c)
>   GDPR Art 15: The purposes of the processing, GDPR Art 15.1(a)
>   GDPR Art 30.1: The purposes of the processing, GDPR Article 30.1(b)
>
> Processing Categories Classes | DPV: FALSE
>   GDPR Art 13: GDPR Art 4.2
>   GDPR Art 30.2: The categories of processing carried out on behalf of each controller, GDPR Art 30.2(b)
>
> Processing Categories Classes | DPV: FALSE
>
> Automated decision-making and profiling | DPV: FALSE
>   GDPR Art 13: The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), GDPR Art 13.2(f).
>   GDPR Art 14: The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), GDPR Art 14.2(g).
>   GDPR Art 15: The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), GDPR Art 15.1(h).
>
> Logic of automated decision-making and profiling | DPV: FALSE
>   GDPR Art 13: Meaningful information about the logic involved in automated decision-making, including profiling, referred to in Article 22(1) and (4), GDPR Art 13.2(f).
>   GDPR Art 14: Meaningful information about the logic involved in automated decision-making, including profiling, referred to in Article 22(1) and (4), GDPR Art 14.2(g).
>   GDPR Art 15: Meaningful information about the logic involved in automated decision-making, including profiling, referred to in Article 22(1) and (4), GDPR Art 15.1(h).
>
> Consequences of automated decision-making and profiling | DPV: FALSE
>   GDPR Art 13: The significance and the envisaged consequences of automated decision-making, including profiling, referred to in Article 22(1) and (4) for the data subject, GDPR Art 13.2(f).
>   GDPR Art 14: The significance and the envisaged consequences of automated decision-making, including profiling, referred to in Article 22(1) and (4) for the data subject, GDPR Art 14.2(g).
>
> Data transfer to third country | DPV: FALSE
>   GDPR Art 13: Transfer of personal data to a third country or to an international organisation, GDPR Art 13.1(f)
>   GDPR Art 14: Transfer of personal data to a third country or to an international organisation, GDPR Art 14.1(f).
>   GDPR Art 15: Transfer of personal data to a third country or to an international organisation, GDPR Art 15.2.
>   GDPR Art 30.1: Transfers of personal data to a third country or an international organisation, GDPR Article 30.1(e).
>   GDPR Art 30.2: Transfers of personal data to a third country or an international organisation, GDPR Art 30.2(c)
>
> Third country name | DPV: FALSE
>   GDPR Art 30.1: Identification of the third country or international organisation, GDPR Article 30.1(e).
>   GDPR Art 30.2: Identification of the third country or international organisation, GDPR Art 30.2(c)
>
> Data transfer legal basis | DPV: FALSE
>   GDPR Art 13: Legal Basis for transfer to a third country, GDPR Art 13.1(f)
>   GDPR Art 14: Legal Basis for transfer to a third country, GDPR Art 14.1(f).
>   GDPR Art 30.1: Legal Basis for transfer to a third country, GDPR Article 30.1(e).
>   GDPR Art 30.2: Legal Basis for transfer to a third country, GDPR Art 30.2(c)
>
> Technical and Organisational Measures | DPV: FALSE
>   GDPR Art 30.1: Where possible, a general description of the technical and organisational security measures referred to in Article 32(1), GDPR Art 30.1(g).
>   GDPR Art 30.2: Where possible, a general description of the technical and organisational security measures referred to in Article 32(1), GDPR Art 30.2.
>
> Data storage period | DPV: FALSE
>   GDPR Art 13: The period for which the personal data will be stored, GDPR Art 13.2(a).
>   GDPR Art 14: The period for which the personal data will be stored, GDPR Art 14.2(a).
>   GDPR Art 15: The envisaged period for which the personal data will be stored, GDPR Art 15.1(d).
>
> Criteria to determine data storage period | DPV: FALSE
>   GDPR Art 13: The criteria used to determine the period for which the personal data will be stored, GDPR Art 13.2(a).
>   GDPR Art 14: The criteria used to determine the period for which the personal data will be stored, GDPR Art 14.2(a).
>   GDPR Art 15: The criteria used to determine the period for which the personal data will be stored, GDPR Art 15.1(d).
>
> Time limit for data erasure | DPV: FALSE
>   GDPR Art 30.1: Where possible, the envisaged time limits for erasure of the different categories of data, GDPR Art 30.1(f).
>
> Recipients | DPV: FALSE
>   GDPR Art 13: Recipients or categories of recipients of the personal data (if any), GDPR Art 13.1(e)
>   GDPR Art 14: The recipients or categories of recipients of the personal data, if any, GDPR Art 14.1(e).
>   GDPR Art 15: The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations, GDPR Art 15.1(c)
>   GDPR Art 30.1: The categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations, GDPR Article 30.1(d).
>
> Legitimate interest of Data Controller | DPV: FALSE
>   GDPR Art 13: Legitimate Interest (if the processing is based on GDPR Art 6.1(f)), GDPR Art 13.1(d)
>   GDPR Art 14: Legitimate Interest (if the processing is based on GDPR Art 6.1(f)), GDPR Art 14.2(b)
>
> Legitimate interest of Third Party | DPV: FALSE
>   GDPR Art 13: Legitimate Interest (if the processing is based on GDPR Art 6.1(f)), GDPR Art 13.1(d)
>   GDPR Art 14: Legitimate Interest (if the processing is based on GDPR Art 6.1(f)), GDPR Art 14.2(b)
>
> Legal Basis | DPV: FALSE
>   GDPR Art 13: Legal Basis for the Processing, GDPR Art 13.1(c)
>   GDPR Art 14: Legal Basis for the Processing, GDPR Art 14.1(c)
>
> Right to access | DPV: FALSE
>   GDPR Art 13: The right of access to personal data, GDPR Art 13.2(b).
>   GDPR Art 14: The right of access to personal data, GDPR Art 14.2(c).
>
> Right to rectification | DPV: FALSE
>   GDPR Art 13: The right to rectification of personal data, GDPR Art 13.2(b).
>   GDPR Art 14: The right to rectification of personal data, GDPR Art 14.2(c).
>   GDPR Art 15: The right to rectification of personal data, GDPR Art 15.1(e).
>
> Right to erasure | DPV: FALSE
>   GDPR Art 13: The right to erasure of personal data, GDPR Art 13.2(b).
>   GDPR Art 14: The right to erasure of personal data, GDPR Art 14.2(c).
>   GDPR Art 15: The right to erasure of personal data, GDPR Art 15.1(e).
>
> Right to restriction | DPV: FALSE
>   GDPR Art 13: The right to restriction of processing concerning the data subject, GDPR Art 13.2(b).
>   GDPR Art 14: The right to restriction of processing concerning the data subject, GDPR Art 14.2(c).
>   GDPR Art 15: The right to restriction of processing concerning the data subject, GDPR Art 15.1(e).
>
> Right to object to processing | DPV: FALSE
>   GDPR Art 13: The right to object to processing, GDPR Art 13.2(b).
>   GDPR Art 14: The right to object to processing, GDPR Art 14.2(c).
>   GDPR Art 15: The right to object to processing, GDPR Art 15.1(e).
>
> Right to data portability | DPV: FALSE
>   GDPR Art 13: The right to data portability, GDPR Art 13.2(b).
>   GDPR Art 14: The right to data portability, GDPR Art 14.2(c).
>
> Right to withdraw consent | DPV: FALSE
>   GDPR Art 13: The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2)), GDPR Art 13.2(c).
>   GDPR Art 14: The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2)), GDPR Art 14.2(d).
>
> Right to lodge a complaint | DPV: FALSE
>   GDPR Art 13: The right to lodge a complaint with a supervisory authority, GDPR Art 13.2(d).
>   GDPR Art 14: The right to lodge a complaint with a supervisory authority, GDPR Art 14.2(e).
>   GDPR Art 15: The right to lodge a complaint with a supervisory authority, GDPR Art 15.1(f).
>
> Best regards,
> --
> Georg Philip Krog
>
> signatu <https://signatu.com>

--
---
Harshvardhan Pandit, Ph.D
Researcher at ADAPT Centre, Trinity College Dublin
https://harshp.com/research/

--
Georg Philip Krog
signatu <https://signatu.com>
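Editor's added example, not code from this thread or from the DPV project: it makes concrete two of Harsh's points above. Point 5 argues that `dpv:location` on a `dpv:Collect` answers neither "from which device" nor "from whom", proposes separate source and agent properties, and asks whether multiple sources should be modelled as one processing instance per device or one instance with several sources. Point 18 argues that a right such as data portability only applies in context, namely when the processing is a collect and the source is the data subject. The block below parses small Turtle graphs for each shape with a toy subset parser (written here; it handles only prefixed names, `a`, `;` and `,`, no `@prefix` or `<IRI>` forms) and runs the same queries over them. `dpv:Collect`, `dpv:location` and `dpv:PersonalDataHandling` are named in the thread; `dpv:DataSubject` is assumed; every `ex:` term (`ex:hasDataSource`, `ex:collectedFromAgent`, `ex:hasProcessing`, the individuals) is a hypothetical placeholder for the properties the thread proposes, and the sample data is constructed for this example.

```python
import re

# Toy Turtle-subset parser written for this example: prefixed names only
# (no @prefix lines, no <IRI>s, no comments, no typed literals), 'a' for
# rdf:type, ';' predicate lists and ',' object lists. Prefixes are implied.
def parse_turtle(text):
    tokens = re.findall(r'"[^"]*"|[;,.]|[^\s;,."]+', text)
    triples, subj, pred, expect = set(), None, None, "subject"
    for tok in tokens:
        if tok == ".":
            subj, pred, expect = None, None, "subject"
        elif tok == ";":
            expect = "predicate"
        elif tok == ",":
            expect = "object"
        elif expect == "subject":
            subj, expect = tok, "predicate"
        elif expect == "predicate":
            pred, expect = ("rdf:type" if tok == "a" else tok), "object"
        elif expect == "object":
            triples.add((subj, pred, tok))
            expect = "punct"
        else:
            raise ValueError(f"expected ';', ',' or '.' before {tok!r}")
    return triples

def objects(g, s, p):
    """All objects o such that (s, p, o) is in graph g."""
    return {o for (s2, p2, o) in g if s2 == s and p2 == p}

# Constructed sample graphs (not from the thread). dpv:Collect, dpv:location
# and dpv:PersonalDataHandling are named in the discussion; dpv:DataSubject is
# assumed; every ex: term is a hypothetical stand-in for the 'source' and
# 'agent/entity' properties proposed under point 5.

# Interpretation A: one dpv:Collect instance per device.
INTERPRETATION_A = """
ex:alice a dpv:DataSubject .
ex:collect-phone a dpv:Collect ;
    ex:hasDataSource ex:smartphone ;
    ex:collectedFromAgent ex:alice .
ex:collect-watch a dpv:Collect ;
    ex:hasDataSource ex:smartwatch ;
    ex:collectedFromAgent ex:alice .
ex:handlingA a dpv:PersonalDataHandling ;
    ex:hasProcessing ex:collect-phone , ex:collect-watch .
"""

# Interpretation B: one dpv:Collect instance with several sources.
INTERPRETATION_B = """
ex:alice a dpv:DataSubject .
ex:collect-multi a dpv:Collect ;
    ex:hasDataSource ex:smartphone , ex:smartwatch , ex:browser ;
    ex:collectedFromAgent ex:alice .
ex:handlingB a dpv:PersonalDataHandling ;
    ex:hasProcessing ex:collect-multi .
"""

# Data bought from a broker: collected, but not from the data subject.
BROKER = """
ex:broker a ex:DataBroker .
ex:collect-bought a dpv:Collect ;
    ex:hasDataSource ex:marketing-list ;
    ex:collectedFromAgent ex:broker .
ex:handlingC a dpv:PersonalDataHandling ;
    ex:hasProcessing ex:collect-bought .
"""

# The shape criticised under point 5: 'location' alone answers neither
# "collected from what device" nor "collected from whom".
LOCATION_ONLY = 'ex:x a dpv:Collect ; dpv:location "phone" .'

def collections_in(g, handling):
    """dpv:Collect instances attached to a PersonalDataHandling."""
    return {p for p in objects(g, handling, "ex:hasProcessing")
            if "dpv:Collect" in objects(g, p, "rdf:type")}

def sources_by_collection(g, handling):
    """Sources grouped per Collect instance: interpretation A gives one
    entry per device, interpretation B one entry listing every device."""
    return {c: sorted(objects(g, c, "ex:hasDataSource"))
            for c in collections_in(g, handling)}

def all_sources(g, handling):
    """Flattened view, identical under both interpretations, which is what
    a consumer needs if the vocabulary permits both shapes."""
    return sorted(set().union(*sources_by_collection(g, handling).values()))

def portability_applies(g, handling):
    """Point 18 rule: the right to data portability holds only where some
    processing is a dpv:Collect whose agent is a dpv:DataSubject."""
    return any("dpv:DataSubject" in objects(g, agent, "rdf:type")
               for c in collections_in(g, handling)
               for agent in objects(g, c, "ex:collectedFromAgent"))

if __name__ == "__main__":
    for label, ttl in (("A", INTERPRETATION_A), ("B", INTERPRETATION_B), ("C", BROKER)):
        g, h = parse_turtle(ttl), f"ex:handling{label}"
        print(label, sources_by_collection(g, h), all_sources(g, h),
              "portability:", portability_applies(g, h))
    g = parse_turtle(LOCATION_ONLY)
    print("location-only:", objects(g, "ex:x", "dpv:location"),
          "agent:", objects(g, "ex:x", "ex:collectedFromAgent"))
```

The per-collection view differs between the two interpretations while the flattened view does not, which is the practical cost of supporting both: any consumer (a policy generator, a rights checker) has to normalise across the shapes before it can answer "what was collected from what". The portability rule returns true for both device shapes and false for the broker graph, and the location-only graph yields no agent at all, so the rule cannot even be evaluated on it.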
Received on Tuesday, 30 June 2020 14:39:04 UTC