Re: Representation of GDPR rights

Hi Harsh,

Just a comment on your "Summing the above - I think we should at least: a)
provide the concept of rights".

The concept of a legal right is not straight forward.
Please see the paper attached, by Prof. Giovanni Sartor.

Best,
Georg

On Tue, May 26, 2020 at 4:52 PM Harshvardhan J. Pandit <me@harshp.com>
wrote:

> Hello Everyone.
> Beatriz has updated the wiki page with list on GDPR rights (Thanks
> Beatriz) - www.w3.org/community/dpvcg/wiki/Rights
>
> I'm inviting everyone to discuss this, with my views provided through
> the following points:
>
> 1) I think we should have a top-level concept 'Right'
>
> 2) Expand on these within the scope of jurisdiction - similar to
> dpv-gdpr. The ones from GDPR are inherently provisioned within the GDPR
> and therefore need a separate namespace.
>
> 3) What level of details and granularity should be provided?
> - Involved agents and responsbility? e.g. Data Controller is providing
> the right to the subject (cannot assume rights are only for Data
> Subjects as it could be Data Controller has some rights too)
> - Details of involved concepts? e.g. Data Portability involves personal
> data categories and under current interpretation data obtained via
> direct data collection from data subject
>
> 4) How (and if) to associate rights with data processing?
> - Associate it to PersonalDataHandling instance via 'hasRights' property?
> - Getting more detailed goes into specifying policies IMO. e.g. Rights
> only associated with data collection
>
> Summing the above - I think we should at least:
> a) provide the concept of rights
> b) provide list of GDPR rights
> c) associate them with PersonalDataHandling
>
> Regards,
> Harsh
>
> On 30/04/2020 16:41, besteves@delicias.dia.fi.upm.es wrote:
> > Great, didn't know, but if we already have it on the wiki we should
> definitly use it.
> >
> > Thanks, I'll have a look.
> >
> > Best,
> >   Beatriz
> >
> >
> > Harshvardhan J. Pandit – Thu, 30. April 2020 16:36
> >> Hi Beatriz,
> >> IMHO We should have this on the Wiki in its current state given that it
> >> is accessible to everyone and is editable for members.
> >> We already have a Wiki page detailing some existing terms -
> >> www.w3.org/community/dpvcg/wiki/Rights
> >>
> >> If you think there is a lot of (structured) data to record, we can move
> >> over the spreadsheets.
> >>
> >> Best,
> >> Harsh
> >>
> >> On 30/04/2020 16:26, besteves@delicias.dia.fi.upm.es wrote:
> >>> Thank you for your comments!
> >>>
> >>> To start, I'll create a Google Sheets with the rights and we can go
> from
> >> there.
> >>> I'll try to have it for the next call.
> >>> Then latyer we can add it to the wiki once it is more mature.
> >>>
> >>> Thanks,
> >>> Beatriz
> >>>
> >>>
> >>> Info @ OC – Thu, 30. April 2020 15:59
> >>>> Quick Inline Comments ,
> >>>>
> >>>>
> >>>>> On 30 Apr 2020, at 09:52, Harshvardhan J. Pandit <me@harshp.com>
> wrote:
> >>>>>
> >>>>> Rights are definitely of interest and within scope of the work we are
> >>>> looking (IMHO).
> >>>>
> >>>> +1
> >>>>>
> >>>>> On 30/04/2020 13:19, besteves@delicias.dia.fi.upm.es wrote:
> >>>>>> For starters, should we discuss which is the best way to do it?
> >>>>>> Two options could be:
> >>>>>> 1) add a new module (such as the purpose, processing, ... modules)
> to the
> >>>> vocabulary
> >>>>> My intuitive reaction was to have "Rights" as a top-level concept and
> >>>> associated with a Personal Data Handling instance.
> >>>>> However, this would not be the right way to go forward as 'rights'
> are not
> >>>> necessarily associated with personal data handling/processing. For
> example,
> >>>> Right to withdraw consent (GDPR) is associated with legal basis of
> consent.
> >>>>>
> >>>>> So I would propose that as the first exercise we use the Wiki to
> list down
> >>>> the rights and the relevant concepts currently in DPV regarding those
> >> (where
> >>>> possible).
> >>>>> Hopefully after this we would have some indication of where to model
> them
> >> as
> >>>> a concept.
> >>>>
> >>>> +2 - Rights are relative to the legal authority to process and in
> this way
> >> are
> >>>> applied to the context. The operational use of rights, (in my opinion
> is
> >>>> achieved with Notice) Notice requirements are quite clear in the GDPR.
> >>>>
> >>>> For example a data subject has the right to object, a right to
> restrict
> >>>> processing, a right to revoke consent, and right to Notice and privacy
> >>>> information. - these vary according to legal justification, which is
> >> (suppose
> >>>> to be) required to be apart of a Notice .
> >>>>>
> >>>>> Conversely, another interpretation of 'rights' is as a policy - which
> >> means
> >>>> it would go beyond the scope of DPV (currently).
> >>>>> In this case, we should aim to provide the terms required to express
> this
> >>>> policy - which *is* the goal of DPVCG.
> >>>>
> >>>> I would suggest that - it would be first rights - then policy, (in
> terms of
> >>>> order of governance operations.)
> >>>>
> >>>>>
> >>>>>> 2) create a separate vocabulary (such as the one created for the
> legal
> >>>> basis)
> >>>>> Rights are tied to jurisdictional laws/legislations - much in the
> same way
> >>>> as legal basis.
> >>>>> So this makes sense. But instead of a separate vocabulary - we can
> add
> >> them
> >>>> to DPV-GDPR.
> >>>>>
> >>>>> However, do we create a separate module/extension for every
> jurisdiction?
> >>>> (IMO yes)
> >>>>>
> >>>>> P.S. Minutes of meeting for yesterday are at
> >>>> www.w3.org/2020/04/29-dpvcg-minutes.html
> >>>>
> >>>> Thank You !
> >>>>> I had trouble remembering how to use Zakim, RRSAgent.
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> --
> >>>>> ---
> >>>>> Harshvardhan Pandit
> >>>>> PhD Researcher
> >>>>> ADAPT Centre
> >>>>> Trinity College Dublin
> >>>>>
> >>>>>
> >>
> >> --
> >> ---
> >> Harshvardhan Pandit
> >> PhD Researcher
> >> ADAPT Centre
> >> Trinity College Dublin
>
> --
> ---
> Harshvardhan Pandit
> PhD Researcher
> ADAPT Centre
> Trinity College Dublin
>
>

-- 
Georg Philip Krog

signatu <https://signatu.com>