- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Fri, 24 Sep 2021 14:37:14 +0100
- To: Georg Philip Krog <georg@signatu.com>
- Cc: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>, David Hickey <david.hickey26@mail.dcu.ie>, Paul Ryan <paul.ryan76@mail.dcu.ie>
Hi Georg, All. Below is how I envision data transfer tool as being distinct from legal basis. Use-case: Controller A is in EU and wants to transfer data to Org B outside EU third country without adequacy decision. The legal basis they use is based in A46-2b. A wants to use BCR. However it is not yet approved. Perspective 1: transfer tools are distinct from legal basis. Here, the un-approved BCR is an instance of data transfer tool, but is not a (valid) legal basis because it is not approved. Once approved, or found valid, the BCR becomes be a legal basis as an instance of A46-2b. Perspective 2: transfer tools are same as legal basis. Here, the un-approved BCR is an instance of A46-2b and Data Tranfer Tool. But now there is no distinction between whether it should be a legal basis or not because it is defined as a legal basis. And because DPV-GDPR doesn't distinguish between 'valid' and 'invalid' legal bases, an adopter will need additional implementations to make this distinction. Which is why I went with the argument that Transfer Tools should not be defined in the same list as (valid) legal bases, but explicitly annotated as being used to justify a particular legal basis. This is similar to the argument that consent and contracts are represented as separate instances, and linked to a particular legal basis, i.e. A6-1a and A6-1b respectively. Besides this, I'm also unclear on whether BCRs will *only* be limited to A46-2b as the legal basis or they may contain more/other; or conversely whether use of A46-2b will *always* be a BCR (IMHO yes). Regards, Harsh On 24/09/2021 07:42, Georg Philip Krog wrote: > Hi Harsh, > > I would like to discuss the notion "Data Transfer Tool" vs "Data > Transfer Legal Basis" before adding it to the DPV. > > I appreciate that you bring up whether or not there is interest and/or > value in indicating the relations you mention within DPV-GDPR. > > Let's write some use cases. > > Best, > Georg > > On Fri, Sep 24, 2021 at 8:15 AM Harshvardhan J. Pandit <me@harshp.com > <mailto:me@harshp.com>> wrote: > > Hi. While wrapping up the DPV-GDPR concepts, I realised that we did not > consider David's proposal for representing "Data Transfer Tool" in the > vocabulary. Outlined here is my proposal on how we can do this. If you > agree, I will include it and publish DPV-GDPR v0.3 over the weekend. If > not, it goes on the agenda for the next meeting. > > DataTransferTool subclass of TechOrg Measure ; and containing the > following subclasses: > > - AdHocContractualClauses (subclass of dpv:Contract) > - BindingCorporateRules > - CertificationMechanismsForDataTransfers (subclass of > dpv:Certification) > - CodesOfConductForDataTransfers (subclass of dpv:CodeOfConduct) > - StandardContractualClauses (subclass of dpv:Contract) > > I've taken this list from EDPB recommendations on supplementary > measures > & data transfers 01/2020 > https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf > <https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf> > > If accepted, I propose these be included in a separate section within > DPV-GDPR titled "Data Transfers". > > --- Additional Thoughts --- > > Tangentially, there is a strict relation between these concepts and A46 > sub-clauses by design. For example, BCRs can only be used with > dpv-gdpr:A46-2b as the legal basis. Is there interest and/or value in > indicating this relation within DPV-GDPR? > > For example, as: BCR dpv:hasLegalBasis dpv-gdpr:A46-2b. This denotes an > instance of BCR should be used with A46-2b as the legal basis (and does > NOT intend to say that BCRs existence is justified in A46, which is > actually in A47). > > In my head, I can envision different ways this can be useful. Such as > ensuring the correct legal bases are used for a processing instance > (via > constraints), or helping suggest the correct legal bases (via > discovering the relation between concepts and legal bases). > > Semantically, this can mess things up, because we're attaching a > property to a class instead of an instance here, and we don't specify > strictly how they are to be used - so another option is to have an > additonal property to indicate suitable legal bases or to declare > something like SHACL shapes to specify applicable legal bases. > > This shouldn't be done hastily, and we'd need to write > examples/use-cases to make sure this is correct. So we will revisit how > to add this at a later time. But meanwhile it'd be good to have > people's > opinions on this and start a conversation. > > --- end --- > > Regards, > -- > --- > Harshvardhan J. Pandit, Ph.D > Research Fellow > ADAPT Centre, Trinity College Dublin > https://harshp.com/ <https://harshp.com/> > > > > -- > Georg Philip Krog > > signatu <https://signatu.com> -- --- Harshvardhan J. Pandit, Ph.D Research Fellow ADAPT Centre, Trinity College Dublin https://harshp.com/
Received on Friday, 24 September 2021 13:37:30 UTC