- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Thu, 5 Mar 2020 19:50:16 +0000
- To: Georg Philip Krog <georg@signatu.com>, public-dpvcg@w3.org
- Message-ID: <fdc22006-6a82-9ea3-2959-a7f374762ca8@harshp.com>
Thank you Signatu and Georg for submitting these.
I encourage members to discuss this on the mailing list - or even indicating support for inclusion.

There are two broad questions regarding integrating these:

1) How to represent them within DPV?
- As sub-classes of LegalBasis in the GDPR vocabulary similar to the existing instances defined regarding consent
- The signatu references need to be specified using the GDPR IRIs (straightforward since the clause identifiers are the same)
- As the data transfer legal basis will only apply when a processing is of type 'transfer' should we represent this semantically (i.e. using OWL2 axioms or even SHACL constraints)? IMO - no as this will deviate from the aims and also would make using DPV more complex than necessary
- Can the legal experts in the group take a look at this before we integrate it?

2) More readability and comprehension
- Should there be two top-classes (ConsentLegalBasis and DataTransferLegalBasis) under Legal Basis to differentiate bases for consent and those for data transfer?
- The existing labels for legal bases reflect the clause identifiers (e.g. A6-1-f). These are intentional and correct within the legal domain. An adopter (I assume) would tend to prefer common language labels such as 'explicit consent' or 'legitimate interest' - so as to avoid lookups of what the clause specifies (i.e. A6-1-f is used with the intention that the reader knows it means legitimate interests). Can we provide a human-readable label to be used? In Signatu's table, these are specified as 'Tag'.
- Can this be done using existing property e.g. rdfs:label or custom property 'dpv:label'? And will it provide any benefit to an adopter?

Regards,
Harsh

On 02/03/2020 13:53, Georg Philip Krog wrote:
> Hi all,
>
> Signatu contributes to the dpv with the following:
>
> *1. Legal basis for transfer of personal data from the EU to outside the EU:*
>
> | Category | Description | Tag | Legal Basis for Transfer under GDPR |
> |---|---|---|---|
> | Transfer inside the EU | Personal data can flow freely inside the EU between EU countries and the three EEA countries Norway, Liechtenstein and Iceland | Transfer_EU_EEA | signatu-gdpr: |
> | Transfer from EU to a third country. Third country has Adequacy Decision. | Personal data can flow freely from the EU to a certified company in the US under the EU-US Privacy Shield | EU_US_Privacy_Shield | signatu-gdpr: 45-3 |
> | Transfer from EU to a third country. Third country has Adequacy Decision. | Personal data can flow freely from the EU to a third country with an Adequacy Decision without any further safeguard being necessary (name countries) | Adequacy_Decision | signatu-gdpr: 45-3 |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | A legally binding and enforceable instrument between public authorities or bodies | Instrument_Between_Public_Authorities | signatu-gdpr: 46-2-a |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | Binding corporate rules | Binding_Corporate_Rules | signatu-gdpr: 46-2-b |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | Standard data protection clauses adopted by the Commission | Standard_Clauses_Commission | signatu-gdpr: 46-2-c |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | Standard data protection clauses adopted by a Supervisory Authority | Standard_Clauses_Authority | signatu-gdpr: 46-2-d |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | An approved code of conduct pursuant to GDPR Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights | Approved_Code_Conduct | signatu-gdpr: 46-2-e |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisor Authority. | An approved certification mechanism pursuant to GDPR Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights | Certification | signatu-gdpr: 46-2-f |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards exist. Transfer does require specific authorisation from a Supervisor Authority. | Contractual clauses with controller, processor or recipient of the personal data in the third country or the international organisation. | Contractual_Clauses | signatu-gdpr: 46-3-a |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards exist. Transfer does require specific authorisation from a Supervisor Authority. | Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights | Administrative_Agreement | signatu-gdpr: 46-3-b |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. | Explicit_Consent | signatu-gdpr: 49-1-a |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject's request. | Contract_Subject | signatu-gdpr: 49-1-b |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject and controller and another natural or legal person. | Contract_Not_Subject | signatu-gdpr: 49-1-c |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary for important reasons of public interest. | Public_Interest | signatu-gdpr: 49-1-d |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary for the establishment, exercise or defence of legal claims. | Legal_Claims | signatu-gdpr: 49-1-e |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the person is physically or legally incapable of giving consent. | Vital_Interests | signatu-gdpr: 49-1-f |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist. | The transfer is made from a register which according to Union or Member State law is intended to provide information to the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. | From_Public_Register | signatu-gdpr: 49-1-g |
> | Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist and no other options apply. | The transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by controller which are not overridden by the interests or rights and freedoms of the data subject, and controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. | Legitimate_Interest | signatu-gdpr: 49-1-second-paragraph |
> | | The transfer is exempt - e.g. a transfer within the same company. | Exempt | |
> | | The legal basis for the transfer is unknown. | Unkown | |
>
> *2. A suggestion to make a dpv that is global/universal*
>
> Currently, the dpv is specific for the EU/GDPR.
>
> A universal dpv should have a structure that allows for meta mapping
> of the same concepts that are named differently in different
> jurisdictions/law regimes.
>
> Kind regards,
> Georg
> --
> Georg Philip Krog
>
> signatu <https://signatu.com>

--
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Thursday, 5 March 2020 19:50:33 UTC