
DPV Concepts for T&C, privacy policies, etc.

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Thu, 25 Mar 2021 14:56:18 +0000
To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Message-ID: <7ac76c83-5550-6d4e-b781-4804018617a0@harshp.com>
Hello,
As we discussed in the last call [1], it would be useful to define T&C, 
Privacy Policy, ROPA, etc. as concepts as they are relevant in the 
real-world use-cases.

From what I understand, T&C is essentially a form of contract, privacy 
policy is a 'policy document' - which is not legally binding but in 
practice fulfils obligations for information provision (e.g. GDPR Art.13 
and Art.14), and ROPA is a document maintained by organisations for 
meeting legal obligations towards GDPR compliance.

So we have three concepts:
1. ContractAgreement --> Contract --> Terms & Conditions or Terms of 
Service ;; ControllerProcessorContract
2. Policies --> privacy-policy
3. RecordsDocumentation --> ROPA (specific to GDPR, I'll come to this later)

I propose that we have the concepts in DPV for contract, policies, 
records under OrganisationalMeasure. This does not preclude their use as 
legal obligations or artefacts. For example, we talked in the call about 
modelling a concept as LegalObligation, and where any organisational 
measure or activity can be defined as an obligation.

For the GDPR-specific concepts, such as ROPA, we extend them in DPV-GDPR 
from the base concepts in DPV. In this case, as a subclass of 
RecordsDocumentation.

Note that the ControllerProcessorContract is a general concept because 
it is not unique to GDPR, and is widely used in practice. Though I've 
seen this mentioned as "Controller - Processor Agreement" [2], my 
limited legal knowledge says that this is a contract (legally 
enforceable agreement) and in line with GDPR Art.28 regarding Processors 
[2].

Please correct me where I'm wrong. Thoughts, opinions, criticisms, 
suggestions welcome.

[1] https://www.w3.org/2021/03/24-dpvcg-minutes.html
[2] https://gdpr-info.eu/art-28-gdpr/ (when writing articles please do 
not use this as a canonical source of GDPR, use the official ELI/Eur-Lex 
citation)

Regards,
Harsh
-- 
Harshvardhan J. Pandit, PhD
ADAPT Research Centre @ Trinity College Dublin
https://harshp.com/research/
Received on Thursday, 25 March 2021 14:59:34 UTC
