Discussion on concepts from the DGA extension

Hi all,

As discussed in the last meeting, I went over a part of the concepts for 
the DGA extension with Georg and we want to raise some discussion 
points.

--------

Entities

--------

1 - With regards to the labelling of the data intermediation service 
providers, which are currently proposed to be labelled as 
DataIntermediationServiceProviderForDataHolder and 
DataIntermediationServiceProviderForDataSubject, we were wondering if 
the correct phrasing is provider for data holder/subject or if we should 
rephrase it to provider on behalf of data holder/subject, similarly to 
GDPR's terminology where a data processor processes personal data on 
behalf of the controller.

2 - Update the data user's definition from "An entity who has access and 
the right to use personal or non-personal data for commercial or 
non-commercial purposes" to "An entity who receives and/or has access to 
personal or non-personal data for commercial or non-commercial purposes"

3 - We are missing a definition for "privacy sector body". In addition, 
we have the "Sector" concept modelled in DPV, but there are no concepts 
for "Public Sector" and "Private Sector". Is this something that needs 
to be modelled within DPV?

4 - The definition of "SME organisation" needs to be improved, which may 
prove difficult as different sources mention a different number of 
employees for it to be classified as an SME. In addition, 
"micro-enterprise" can also be a concept to be considered to be modelled 
as it is mentioned in other acts (DORA,...).

----------

Purposes

----------

1 - @Harsh is there a source for the proposed 
MisusePreventionAndDetection purpose? It would be nice to have an 
example to understand where such a purpose would be properly used.

2 - Regarding the SupportInformedConsentChoices purpose, should we 
model it as a more generic concept to cover choices not just related 
to consent? For instance, changing the definition from "Supporting 
individuals in understanding and making choices with respect to informed 
consent" to "Supporting individuals in understanding and making choices 
with respect to e.g. consent"?

------

TOMs

------

1 - In addition to CommercialConfidentialityAgreement and 
StatisticalConfidentialityAgreement, should we have a 
ConfidentialityAgreement concept that can be reused for other types of 
agreements?

2 - How is the DataTransferNotice different from DPV's PrivacyNotice? 
And do we also need a ThirdCountryDataRequestNotice?

3 - Introducing LegalMeasure implies restructuring the 
dpv:OrganisationalMeasure taxonomy e.g. LegalAgreement should go under 
LegalMeasure?

4 - Change PersonalDataReuseNotice to ConsentReuseNotice as this notice 
is specifically related to consent.

More opinions are welcome on these and on the other terms, preferably 
through the mailing list to have a record or directly in DPVCG's 
meetings.

Best regards,

Beatriz

Received on Tuesday, 18 July 2023 14:17:00 UTC