- From: Mark Lizar <mark@openconsent.com>
- Date: Sun, 10 Oct 2021 17:12:47 +0000
- To: "Harshvardhan J. Pandit" <me@harshp.com>
- CC: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>, David Hickey <david.hickey26@mail.dcu.ie>, Georg Philip Krog <georg@signatu.com>, Paul Ryan <paul.ryan76@mail.dcu.ie>
This looks good, In terms of Code of Conduct, could we also have a Code of Practice? Proposing that a Code of Conduct is approved/reviewed by Regulators, while Code of practice can a part of a certification mechanism, In this regard we are working on a consent code of practice for data transfer as a data transfer tool. - Best, Mark > On Sep 24, 2021, at 2:15 AM, Harshvardhan J. Pandit <me@harshp.com> wrote: > > Hi. While wrapping up the DPV-GDPR concepts, I realised that we did not consider David's proposal for representing "Data Transfer Tool" in the vocabulary. Outlined here is my proposal on how we can do this. If you agree, I will include it and publish DPV-GDPR v0.3 over the weekend. If not, it goes on the agenda for the next meeting. > > DataTransferTool subclass of TechOrg Measure ; and containing the following subclasses: > > - AdHocContractualClauses (subclass of dpv:Contract) > - BindingCorporateRules > - CertificationMechanismsForDataTransfers (subclass of dpv:Certification) > - CodesOfConductForDataTransfers (subclass of dpv:CodeOfConduct) > - StandardContractualClauses (subclass of dpv:Contract) > > I've taken this list from EDPB recommendations on supplementary measures & data transfers 01/2020 https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf > > If accepted, I propose these be included in a separate section within DPV-GDPR titled "Data Transfers". > > --- Additional Thoughts --- > > Tangentially, there is a strict relation between these concepts and A46 sub-clauses by design. For example, BCRs can only be used with dpv-gdpr:A46-2b as the legal basis. Is there interest and/or value in indicating this relation within DPV-GDPR? > > For example, as: BCR dpv:hasLegalBasis dpv-gdpr:A46-2b. This denotes an instance of BCR should be used with A46-2b as the legal basis (and does NOT intend to say that BCRs existence is justified in A46, which is actually in A47). > > In my head, I can envision different ways this can be useful. Such as ensuring the correct legal bases are used for a processing instance (via constraints), or helping suggest the correct legal bases (via discovering the relation between concepts and legal bases). > > Semantically, this can mess things up, because we're attaching a property to a class instead of an instance here, and we don't specify strictly how they are to be used - so another option is to have an additonal property to indicate suitable legal bases or to declare something like SHACL shapes to specify applicable legal bases. > > This shouldn't be done hastily, and we'd need to write examples/use-cases to make sure this is correct. So we will revisit how to add this at a later time. But meanwhile it'd be good to have people's opinions on this and start a conversation. > > --- end --- > > Regards, > -- > --- > Harshvardhan J. Pandit, Ph.D > Research Fellow > ADAPT Centre, Trinity College Dublin > https://harshp.com/ >
Received on Sunday, 10 October 2021 17:13:03 UTC