DPV Concepts for T&C, privacy policies, etc.

As we discussed in the last call [1], it would be useful to define T&C, 
Privacy Policy, ROPA, etc. as concepts as they are relevant in the 
real-world use-cases.

 From what I understand, T&C is essentially a form of contract, privacy 
policy is a 'policy document' - which is not legally binding but in 
practice fulfils obligations for information provision (e.g. GDPR Art.13 
and Art.14), and ROPA is a document maintained by organisations for 
meeting legal obligations towards GDPR compliance.

So we have three concepts:
1. ContractAgreement --> Contract --> Terms & Conditions or Terms of 
Service ;; ControllerProcessorContract
2. Policies --> privacy-policy
3. RecordsDocumentation --> ROPA (specific to GDPR, I'll come to this later)

I propose that we have the concepts in DPV for contract, policies, 
records under OrganisationalMeasure. This does not preclude their use as 
legal obligations or artefacts. For example, we talked in the call about 
modelling a concept as LegalObligation, and where any organisational 
measure or activitiy can be defined as an obligation.

For the GDPR-specific concepts, such as ROPA, we extend them in DPV-GDPR 
from the base concepts in DPV. In this case, as a subclass of 

Note that the ControllerProcessorContract is a general concept because 
it is not unique to GDPR, and is widely used in practice. Though I've 
seen this mentioned as "Controller - Processor Agreement' [2], my 
limited legal knowledge says that this is a contract (legally 
enforceable agreement) and in line with GDPR Art.28 regarding Processors 

Please correct me where I'm wrong. Thoughts, opinions, criticisms, 
suggestions welcome.

[1] https://www.w3.org/2021/03/24-dpvcg-minutes.html
[2] https://gdpr-info.eu/art-28-gdpr/ (when writing articles please do 
not use this as a canonical source of GDPR, use the official ELI/Eur-Lex 

Harshvardhan J. Pandit, PhD
ADAPT Research Centre @ Trinity College Dublin

Received on Thursday, 25 March 2021 14:59:34 UTC