Re: Representation of GDPR rights

Hello Everyone.
Beatriz has updated the wiki page with a list of GDPR rights (Thanks 
Beatriz) - www.w3.org/community/dpvcg/wiki/Rights

I'm inviting everyone to discuss this, with my views provided through 
the following points:

1) I think we should have a top-level concept 'Right'

2) Expand on these within the scope of jurisdiction - similar to 
dpv-gdpr. The ones from GDPR are inherently provisioned within the GDPR 
and therefore need a separate namespace.

3) What level of details and granularity should be provided?
- Involved agents and responsibility? e.g. Data Controller is providing 
the right to the subject (cannot assume rights are only for Data 
Subjects as it could be Data Controller has some rights too)
- Details of involved concepts? e.g. Data Portability involves personal 
data categories and under current interpretation data obtained via 
direct data collection from data subject

4) How (and if) to associate rights with data processing?
- Associate it to PersonalDataHandling instance via 'hasRights' property?
- Getting more detailed goes into specifying policies IMO. e.g. Rights 
only associated with data collection

Summing the above - I think we should at least:
a) provide the concept of rights
b) provide list of GDPR rights
c) associate them with PersonalDataHandling

Regards,
Harsh

On 30/04/2020 16:41, besteves@delicias.dia.fi.upm.es wrote:
> Great, didn't know, but if we already have it on the wiki we should definitely use it.
> 
> Thanks, I'll have a look.
> 
> Best,
>   Beatriz
> 
> 
> Harshvardhan J. Pandit – Thu, 30. April 2020 16:36
>> Hi Beatriz,
>> IMHO We should have this on the Wiki in its current state given that it
>> is accessible to everyone and is editable for members.
>> We already have a Wiki page detailing some existing terms -
>> www.w3.org/community/dpvcg/wiki/Rights
>>
>> If you think there is a lot of (structured) data to record, we can move
>> over the spreadsheets.
>>
>> Best,
>> Harsh
>>
>> On 30/04/2020 16:26, besteves@delicias.dia.fi.upm.es wrote:
>>> Thank you for your comments!
>>>
>>> To start, I'll create a Google Sheets with the rights and we can go from
>>> there.
>>> I'll try to have it for the next call.
>>> Then later we can add it to the wiki once it is more mature.
>>>
>>> Thanks,
>>> Beatriz
>>>
>>>
>>> Info @ OC – Thu, 30. April 2020 15:59
>>>> Quick Inline Comments ,
>>>>
>>>>
>>>>> On 30 Apr 2020, at 09:52, Harshvardhan J. Pandit <me@harshp.com> wrote:
>>>>>
>>>>> Rights are definitely of interest and within scope of the work we are
>>>>> looking (IMHO).
>>>>
>>>> +1
>>>>>
>>>>> On 30/04/2020 13:19, besteves@delicias.dia.fi.upm.es wrote:
>>>>>> For starters, should we discuss which is the best way to do it?
>>>>>> Two options could be:
>>>>>> 1) add a new module (such as the purpose, processing, ... modules) to the
>>>>>> vocabulary
>>>>> My intuitive reaction was to have "Rights" as a top-level concept and
>>>>> associated with a Personal Data Handling instance.
>>>>> However, this would not be the right way to go forward as 'rights' are not
>>>>> necessarily associated with personal data handling/processing. For example,
>>>>> Right to withdraw consent (GDPR) is associated with legal basis of consent.
>>>>>
>>>>> So I would propose that as the first exercise we use the Wiki to list down
>>>>> the rights and the relevant concepts currently in DPV regarding those (where
>>>>> possible).
>>>>> Hopefully after this we would have some indication of where to model them as
>>>>> a concept.
>>>>
>>>> +2 - Rights are relative to the legal authority to process and in this way are
>>>> applied to the context. The operational use of rights, (in my opinion is
>>>> achieved with Notice) Notice requirements are quite clear in the GDPR.
>>>>
>>>> For example a data subject has the right to object, a right to restrict
>>>> processing, a right to revoke consent, and right to Notice and privacy
>>>> information. - these vary according to legal justification, which is (supposed
>>>> to be) required to be a part of a Notice.
>>>>>
>>>>> Conversely, another interpretation of 'rights' is as a policy - which means
>>>>> it would go beyond the scope of DPV (currently).
>>>>> In this case, we should aim to provide the terms required to express this
>>>>> policy - which *is* the goal of DPVCG.
>>>>
>>>> I would suggest that - it would be first rights - then policy, (in terms of
>>>> order of governance operations.)
>>>>
>>>>>
>>>>>> 2) create a separate vocabulary (such as the one created for the legal
>>>>>> basis)
>>>>> Rights are tied to jurisdictional laws/legislations - much in the same way
>>>>> as legal basis.
>>>>> So this makes sense. But instead of a separate vocabulary - we can add them
>>>>> to DPV-GDPR.
>>>>>
>>>>> However, do we create a separate module/extension for every jurisdiction?
>>>>> (IMO yes)
>>>>>
>>>>> P.S. Minutes of meeting for yesterday are at
>>>>> www.w3.org/2020/04/29-dpvcg-minutes.html
>>>>
>>>> Thank You !
>>>>> I had trouble remembering how to use Zakim, RRSAgent.
>>>>>
>>>>> Regards,
>>>>>
>>>>> -- 
>>>>> ---
>>>>> Harshvardhan Pandit
>>>>> PhD Researcher
>>>>> ADAPT Centre
>>>>> Trinity College Dublin
>>>>>
>>>>>
>>
>> -- 
>> ---
>> Harshvardhan Pandit
>> PhD Researcher
>> ADAPT Centre
>> Trinity College Dublin

-- 
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin

Received on Tuesday, 26 May 2020 14:52:15 UTC