Re: DPV Concepts for T&C, privacy policies, etc.

Hi Harsh, everyone,

I agree with your proposition so far and I would like to add a few more
points to the discussion:

1) We discussed in the last call that the terms of the agreement between
joint controllers are not an obligation in itself, however, according to
GDPR Art.26, the terms of the agreement should be made available to the
data subject. Would it be right if we modeled it as a
JointControllerAgreement (for instance under the ContractAgreement term
proposed by Harsh)?


2) We should add DataBreach as a subclass of Risk. With this, if we also
add LegalObligation to the base vocabulary, we have the necessary terms to
represent the obligations related to the notification of the data breach to
the supervisory authority and to the data subject.

Regards,

Beatriz


"Harshvardhan J. Pandit" me@harshp.com – March 25, 2021 4:00 PM
 

> Hello,
> As we discussed in the last call [1], it would be useful to define T&C, 
> Privacy Policy, ROPA, etc. as concepts as they are relevant in the 
> real-world use-cases.
>
> From what I understand, T&C is essentially a form of contract, privacy
> policy is a 'policy document' - which is not legally binding but in
> practice fulfils obligations for information provision (e.g. GDPR Art.13
> and Art.14), and ROPA is a document maintained by organisations for
> meeting legal obligations towards GDPR compliance.
>
> So we have three concepts:
> 1. ContractAgreement --> Contract --> Terms & Conditions or Terms of 
> Service ;; ControllerProcessorContract
> 2. Policies --> privacy-policy
> 3. RecordsDocumentation --> ROPA (specific to GDPR, I'll come to this
> later)
>
> I propose that we have the concepts in DPV for contract, policies,
> records under OrganisationalMeasure. This does not preclude their use as
> legal obligations or artefacts. For example, we talked in the call about
> modelling a concept as LegalObligation, and where any organisational
> measure or activity can be defined as an obligation.
>
> For the GDPR-specific concepts, such as ROPA, we extend them in DPV-GDPR
> from the base concepts in DPV. In this case, as a subclass of
> RecordsDocumentation.
>
> Note that the ControllerProcessorContract is a general concept because
> it is not unique to GDPR, and is widely used in practice. Though I've
> seen this mentioned as "Controller - Processor Agreement" [2], my
> limited legal knowledge says that this is a contract (legally
> enforceable agreement) and in line with GDPR Art.28 regarding Processors
> [2].
>
> Please correct me where I'm wrong. Thoughts, opinions, criticisms, 
> suggestions welcome.
>
> [1] https://www.w3.org/2021/03/24-dpvcg-minutes.html
> [2] https://gdpr-info.eu/art-28-gdpr/ (when writing articles please do
> not use this as a canonical source of GDPR, use the official ELI/Eur-Lex
> citation)
>
> Regards,
> Harsh
Links:
------
[1] https://www.w3.org/2021/03/24-dpvcg-minutes.html
[2] https://gdpr-info.eu/art-28-gdpr/
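As an added illustration, not code from this thread or from the DPV project, the block below encodes the hierarchy Harsh proposes (contracts, policies and records under OrganisationalMeasure, with ROPA extended in DPV-GDPR) together with Beatriz's two additions (JointControllerAgreement under ContractAgreement, DataBreach under Risk) as rdfs:subClassOf edges in plain Python. The prefixes, the placeholder namespace IRIs and the local names such as TermsAndConditions, PrivacyPolicy and ROPA are assumptions. It computes the transitive superclass chain for any concept, checks that the extension concept is anchored in a base DPV concept, flags undeclared parents or cycles, and serialises the sketch as Turtle.

```python
"""Sketch of the DPV class hierarchy proposed in this thread as a small
rdfs:subClassOf model, checked with plain Python (no RDF library needed).

Everything here follows the thread's proposals only; the prefixes, namespace
IRIs and local names are assumptions, not the published DPV terms.
"""

# Assumed prefixes; the IRIs are placeholders, not the real DPV namespaces.
PREFIXES = {
    "dpv": "https://example.org/dpv#",
    "dpv-gdpr": "https://example.org/dpv-gdpr#",
    "rdfs": "http://www.w3.org/2000/01/rdf-schema#",
}

# Base concepts the thread treats as already present (or to be added, e.g.
# LegalObligation). They are roots: nothing below declares a parent for them.
ROOT_CLASSES = {"dpv:OrganisationalMeasure", "dpv:Risk", "dpv:LegalObligation"}

# rdfs:subClassOf edges as child -> parent, following the two messages.
SUBCLASS_OF = {
    # Harsh: contract, policies and records sit under OrganisationalMeasure
    "dpv:ContractAgreement": "dpv:OrganisationalMeasure",
    "dpv:Contract": "dpv:ContractAgreement",
    "dpv:TermsAndConditions": "dpv:Contract",
    "dpv:ControllerProcessorContract": "dpv:ContractAgreement",
    "dpv:Policies": "dpv:OrganisationalMeasure",
    "dpv:PrivacyPolicy": "dpv:Policies",
    "dpv:RecordsDocumentation": "dpv:OrganisationalMeasure",
    # Harsh: the GDPR-specific ROPA lives in the DPV-GDPR extension
    "dpv-gdpr:ROPA": "dpv:RecordsDocumentation",
    # Beatriz: joint-controller agreement, and data breach as a risk
    "dpv:JointControllerAgreement": "dpv:ContractAgreement",
    "dpv:DataBreach": "dpv:Risk",
}


def superclasses(cls):
    """Transitive closure of rdfs:subClassOf for cls, nearest ancestor first."""
    chain, seen = [], {cls}
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        if cls in seen:  # a cycle would otherwise loop forever
            raise ValueError(f"subClassOf cycle through {cls}")
        seen.add(cls)
        chain.append(cls)
    return chain


def is_subclass_of(cls, ancestor):
    return ancestor in superclasses(cls)


def base_anchor(ext_cls, base_prefix="dpv:"):
    """Nearest base-vocabulary ancestor of an extension class, or None."""
    for parent in superclasses(ext_cls):
        if parent.startswith(base_prefix):
            return parent
    return None


def validate():
    """Return modelling problems found in the sketch; [] means consistent."""
    problems = []
    declared = ROOT_CLASSES | set(SUBCLASS_OF)
    for child, parent in SUBCLASS_OF.items():
        if parent not in declared:  # catches a mistyped or undeclared parent
            problems.append(f"{child}: parent {parent} is not declared")
        try:
            superclasses(child)
        except ValueError as exc:
            problems.append(str(exc))
        # Every extension concept must be rooted in the base vocabulary
        if child.startswith("dpv-gdpr:") and base_anchor(child) is None:
            problems.append(f"{child}: no dpv: ancestor")
    return problems


def to_turtle():
    """Serialise the sketch as Turtle, one subClassOf statement per line."""
    lines = [f"@prefix {p}: <{iri}> ." for p, iri in PREFIXES.items()] + [""]
    lines += [f"{c} rdfs:subClassOf {p} ." for c, p in sorted(SUBCLASS_OF.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    assert validate() == [], validate()
    print(to_turtle())
    print("ROPA is anchored in the base vocabulary at:", base_anchor("dpv-gdpr:ROPA"))
```

The `validate()` check is the part worth keeping when the real vocabulary grows: it is the cheapest way to notice that an extension term (here ROPA) has been declared without a path back to a base concept, or that a parent name was mistyped, before the Turtle is published.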

Received on Tuesday, 6 April 2021 19:18:11 UTC