Re: Adding Data Transfer Tools to DPV-GDPR

Hi all,

Please find attached content and structure for a Privacy Policy (GDPR Art
13 and 14).
Looking forward to the discussion on Wednesday.

Best regards,
Georg

On Fri, Sep 24, 2021 at 3:37 PM Harshvardhan J. Pandit <me@harshp.com>
wrote:

> Hi Georg, All. Below is how I envision data transfer tool as being
> distinct from legal basis.
>
> Use-case: Controller A is in EU and wants to transfer data to Org B
> outside EU third country without adequacy decision. The legal basis they
> use is based in A46-2b. A wants to use BCR. However it is not yet approved.
>
> Perspective 1: transfer tools are distinct from legal basis. Here, the
> un-approved BCR is an instance of data transfer tool, but is not a
> (valid) legal basis because it is not approved. Once approved, or found
> valid, the BCR becomes be a legal basis as an instance of A46-2b.
>
> Perspective 2: transfer tools are same as legal basis. Here, the
> un-approved BCR is an instance of A46-2b and Data Tranfer Tool. But now
> there is no distinction between whether it should be a legal basis or
> not because it is defined as a legal basis. And because DPV-GDPR doesn't
> distinguish between 'valid' and 'invalid' legal bases, an adopter will
> need additional implementations to make this distinction.
>
> Which is why I went with the argument that Transfer Tools should not be
> defined in the same list as (valid) legal bases, but explicitly
> annotated as being used to justify a particular legal basis. This is
> similar to the argument that consent and contracts are represented as
> separate instances, and linked to a particular legal basis, i.e. A6-1a
> and A6-1b respectively.
>
> Besides this, I'm also unclear on whether BCRs will *only* be limited to
> A46-2b as the legal basis or they may contain more/other; or conversely
> whether use of A46-2b will *always* be a BCR (IMHO yes).
>
> Regards,
> Harsh
>
> On 24/09/2021 07:42, Georg Philip Krog wrote:
> > Hi Harsh,
> >
> > I would like to discuss the notion "Data Transfer Tool" vs "Data
> > Transfer Legal Basis" before adding it to the DPV.
> >
> > I appreciate that you bring up whether or not there is interest and/or
> > value in indicating the relations you mention within DPV-GDPR.
> >
> > Let's write some use cases.
> >
> > Best,
> > Georg
> >
> > On Fri, Sep 24, 2021 at 8:15 AM Harshvardhan J. Pandit <me@harshp.com
> > <mailto:me@harshp.com>> wrote:
> >
> >     Hi. While wrapping up the DPV-GDPR concepts, I realised that we did
> not
> >     consider David's proposal for representing "Data Transfer Tool" in
> the
> >     vocabulary. Outlined here is my proposal on how we can do this. If
> you
> >     agree, I will include it and publish DPV-GDPR v0.3 over the weekend.
> If
> >     not, it goes on the agenda for the next meeting.
> >
> >     DataTransferTool subclass of TechOrg Measure ; and containing the
> >     following subclasses:
> >
> >     - AdHocContractualClauses (subclass of dpv:Contract)
> >     - BindingCorporateRules
> >     - CertificationMechanismsForDataTransfers (subclass of
> >     dpv:Certification)
> >     - CodesOfConductForDataTransfers (subclass of dpv:CodeOfConduct)
> >     - StandardContractualClauses (subclass of dpv:Contract)
> >
> >     I've taken this list from EDPB recommendations on supplementary
> >     measures
> >     & data transfers 01/2020
> >
> https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
> >     <
> https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
> >
> >
> >     If accepted, I propose these be included in a separate section within
> >     DPV-GDPR titled "Data Transfers".
> >
> >     --- Additional Thoughts ---
> >
> >     Tangentially, there is a strict relation between these concepts and
> A46
> >     sub-clauses by design. For example, BCRs can only be used with
> >     dpv-gdpr:A46-2b as the legal basis. Is there interest and/or value in
> >     indicating this relation within DPV-GDPR?
> >
> >     For example, as: BCR dpv:hasLegalBasis dpv-gdpr:A46-2b. This denotes
> an
> >     instance of BCR should be used with A46-2b as the legal basis (and
> does
> >     NOT intend to say that BCRs existence is justified in A46, which is
> >     actually in A47).
> >
> >     In my head, I can envision different ways this can be useful. Such as
> >     ensuring the correct legal bases are used for a processing instance
> >     (via
> >     constraints), or helping suggest the correct legal bases (via
> >     discovering the relation between concepts and legal bases).
> >
> >     Semantically, this can mess things up, because we're attaching a
> >     property to a class instead of an instance here, and we don't specify
> >     strictly how they are to be used - so another option is to have an
> >     additonal property to indicate suitable legal bases or to declare
> >     something like SHACL shapes to specify applicable legal bases.
> >
> >     This shouldn't be done hastily, and we'd need to write
> >     examples/use-cases to make sure this is correct. So we will revisit
> how
> >     to add this at a later time. But meanwhile it'd be good to have
> >     people's
> >     opinions on this and start a conversation.
> >
> >     --- end ---
> >
> >     Regards,
> >     --
> >     ---
> >     Harshvardhan J. Pandit, Ph.D
> >     Research Fellow
> >     ADAPT Centre, Trinity College Dublin
> >     https://harshp.com/ <https://harshp.com/>
> >
> >
> >
> > --
> > Georg Philip Krog
> >
> > signatu <https://signatu.com>
>
> --
> ---
> Harshvardhan J. Pandit, Ph.D
> Research Fellow
> ADAPT Centre, Trinity College Dublin
> https://harshp.com/
>


-- 
Georg Philip Krog

signatu <https://signatu.com>