Re: Legal basis for transfer of personal data from the EU to outside the EU

Thank you Signatu and Georg for submitting these.

I encourage members to discuss this on the mailing list - or even 
indicate support for inclusion.

There are two broad questions regarding integrating these:

1) How to represent them within DPV?

- As sub-classes of LegalBasis in the GDPR vocabulary similar to the 
existing instances defined regarding consent

- The signatu references need to be specified using the GDPR IRIs 
(straightforward since the clause identifiers are the same)

- As the data transfer legal basis will only apply when a processing is 
of type 'transfer' should we represent this semantically (i.e. using 
OWL2 axioms or even SHACL constraints)? IMO - no as this will deviate 
from the aims and also would make using DPV more complex than necessary

- Can the legal experts in the group take a look at this before we 
integrate it?

2) More readability and comprehension

- Should there be two top-classes (ConsentLegalBasis and 
DataTransferLegalBasis) under Legal Basis to differentiate bases for 
consent and those for data transfer?

- The existing labels for legal bases reflect the clause identifiers 
(e.g. A6-1-f). These are intentional and correct within the legal 
domain. An adopter (I assume) would tend to prefer common language 
labels such as 'explicit consent' or 'legitimate interest' - so as to 
avoid lookups of what the clause specifies (i.e. A6-1-f is used with the 
intention that the reader knows it means legitimate interests). Can we 
provide a human-readable label to be used? In Signatu's table, these are 
specified as 'Tag'.

- Can this be done using an existing property, e.g. rdfs:label, or a 
custom property 'dpv:label'? And will it provide any benefit to an adopter?

Regards,

Harsh

On 02/03/2020 13:53, Georg Philip Krog wrote:
> Hi all,
>
> Signatu contributes to the dpv with the following:
>
> *1. Legal basis for transfer of personal data from the EU to outside 
> the EU:*
>
>
> Category: Transfer inside the EU
> Description: Personal data can flow freely inside the EU between EU
>   countries and the three EEA countries Norway, Liechtenstein and
>   Iceland
> Tag: Transfer_EU_EEA
> Legal Basis for Transfer under GDPR: signatu-gdpr:
>
> Category: Transfer from EU to a third country. Third country has
>   Adequacy Decision.
> Description: Personal data can flow freely from the EU to a certified
>   company in the US under the EU-US Privacy Shield
> Tag: EU_US_Privacy_Shield
> Legal Basis for Transfer under GDPR: signatu-gdpr: 45-3
>
> Category: Transfer from EU to a third country. Third country has
>   Adequacy Decision.
> Description: Personal data can flow freely from the EU to a third
>   country with an Adequacy Decision without any further safeguard
>   being necessary (name countries)
> Tag: Adequacy_Decision
> Legal Basis for Transfer under GDPR: signatu-gdpr: 45-3
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Third country has appropriate safeguards.
>   Transfer does not require specific authorisation from a Supervisory
>   Authority.
> Description: A legally binding and enforceable instrument between
>   public authorities or bodies
> Tag: Instrument_Between_Public_Authorities
> Legal Basis for Transfer under GDPR: signatu-gdpr: 46-2-a
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Third country has appropriate safeguards.
>   Transfer does not require specific authorisation from a Supervisory
>   Authority.
> Description: Binding corporate rules
> Tag: Binding_Corporate_Rules
> Legal Basis for Transfer under GDPR: signatu-gdpr: 46-2-b
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Third country has appropriate safeguards.
>   Transfer does not require specific authorisation from a Supervisory
>   Authority.
> Description: Standard data protection clauses adopted by the
>   Commission
> Tag: Standard_Clauses_Commission
> Legal Basis for Transfer under GDPR: signatu-gdpr: 46-2-c
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Third country has appropriate safeguards.
>   Transfer does not require specific authorisation from a Supervisory
>   Authority.
> Description: Standard data protection clauses adopted by a
>   Supervisory Authority
> Tag: Standard_Clauses_Authority
> Legal Basis for Transfer under GDPR: signatu-gdpr: 46-2-d
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Third country has appropriate safeguards.
>   Transfer does not require specific authorisation from a Supervisory
>   Authority.
> Description: An approved code of conduct pursuant to GDPR Article 40
>   together with binding and enforceable commitments of the controller
>   or processor in the third country to apply the appropriate
>   safeguards, including as regards individuals' rights
> Tag: Approved_Code_Conduct
> Legal Basis for Transfer under GDPR: signatu-gdpr: 46-2-e
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Third country has appropriate safeguards.
>   Transfer does not require specific authorisation from a Supervisory
>   Authority.
> Description: An approved certification mechanism pursuant to GDPR
>   Article 42 together with binding and enforceable commitments of the
>   controller or processor in the third country to apply the
>   appropriate safeguards, including as regards individuals' rights
> Tag: Certification
> Legal Basis for Transfer under GDPR: signatu-gdpr: 46-2-f
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards exist. Transfer does
>   require specific authorisation from a Supervisory Authority.
> Description: Contractual clauses with controller, processor or
>   recipient of the personal data in the third country or the
>   international organisation.
> Tag: Contractual_Clauses
> Legal Basis for Transfer under GDPR: signatu-gdpr: 46-3-a
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards exist. Transfer does
>   require specific authorisation from a Supervisory Authority.
> Description: Provisions to be inserted into administrative
>   arrangements between public authorities or bodies which include
>   enforceable and effective data subject rights
> Tag: Administrative_Agreement
> Legal Basis for Transfer under GDPR: signatu-gdpr: 46-3-b
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards do not exist.
> Description: The data subject has explicitly consented to the
>   proposed transfer, after having been informed of the possible risks
>   of such transfers for the data subject due to the absence of an
>   adequacy decision and appropriate safeguards.
> Tag: Explicit_Consent
> Legal Basis for Transfer under GDPR: signatu-gdpr: 49-1-a
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards do not exist.
> Description: The transfer is necessary for the performance of a
>   contract between the data subject and controller or the
>   implementation of pre-contractual measures taken at the data
>   subject's request.
> Tag: Contract_Subject
> Legal Basis for Transfer under GDPR: signatu-gdpr: 49-1-b
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards do not exist.
> Description: The transfer is necessary for the conclusion or
>   performance of a contract concluded in the interest of the data
>   subject and controller and another natural or legal person.
> Tag: Contract_Not_Subject
> Legal Basis for Transfer under GDPR: signatu-gdpr: 49-1-c
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards do not exist.
> Description: The transfer is necessary for important reasons of
>   public interest.
> Tag: Public_Interest
> Legal Basis for Transfer under GDPR: signatu-gdpr: 49-1-d
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards do not exist.
> Description: The transfer is necessary for the establishment,
>   exercise or defence of legal claims.
> Tag: Legal_Claims
> Legal Basis for Transfer under GDPR: signatu-gdpr: 49-1-e
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards do not exist.
> Description: The transfer is necessary in order to protect the vital
>   interests of the data subject or of other persons, where the person
>   is physically or legally incapable of giving consent.
> Tag: Vital_Interests
> Legal Basis for Transfer under GDPR: signatu-gdpr: 49-1-f
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards do not exist.
> Description: The transfer is made from a register which according to
>   Union or Member State law is intended to provide information to the
>   public in general or by any person who can demonstrate a legitimate
>   interest, but only to the extent that the conditions laid down by
>   Union or Member State law for consultation are fulfilled in the
>   particular case.
> Tag: From_Public_Register
> Legal Basis for Transfer under GDPR: signatu-gdpr: 49-1-g
>
> Category: Transfer from EU to a third country. Third country has no
>   Adequacy Decision. Appropriate safeguards do not exist and no other
>   options apply.
> Description: The transfer is not repetitive, concerns only a limited
>   number of data subjects, is necessary for the purposes of
>   compelling legitimate interests pursued by controller which are not
>   overridden by the interests or rights and freedoms of the data
>   subject, and controller has assessed all the circumstances
>   surrounding the data transfer and has on the basis of that
>   assessment provided suitable safeguards with regard to the
>   protection of personal data.
> Tag: Legitimate_Interest
> Legal Basis for Transfer under GDPR: signatu-gdpr: 49-1-second-paragraph
>
> Description: The transfer is exempt - e.g. a transfer within the same
>   company.
> Tag: Exempt
>
> Description: The legal basis for the transfer is unknown.
> Tag: Unkown
>
>
> *2. A suggestion to make a dpv that is global/universal*
>
> Currently, the dpv is specific for the EU/GDPR.
>
> A universal dpv should have a structure that allows for meta mapping 
> of the same concepts that are named differently in different 
> jurisdictions/law regimes.
>
> Kind regards,
> Georg
> -- 
> Georg Philip Krog
>
> signatu <https://signatu.com>

-- 
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin

Received on Thursday, 5 March 2020 19:50:33 UTC