- From: Harald Zwingelberg <uld6@datenschutzzentrum.de>
- Date: Wed, 17 Oct 2018 22:25:48 +0200
- To: public-dpvcg@w3.org
- Cc: uld6@datenschutzzentrum.de
Dear all, thanks to all participants that started the discussion. I am on family vacation and Eva had been in the Tuesday telco on behalf of ULD. I made some first considerations already and like to share them as a contribution to the conversation. We considered definitions for consent, controller and processor. Potential aspects to bear in mind: Potential issues when used beyond EU-understanding of the law. E.g. consent may have different meaning and requirements in other jurisdictions, even when the terminology is very similarly used such as “notice and choice” or “notice and consent” for U.S. federal and state jurisdictions. This concern is valid likewise for all definitions taken directly from legal texts. Further: Some meanings of the definitions may be the result of a legal interpretation of the law. Example: Controller is the main establishment of an entity in the EU. The definition of main establishment, however, is normally the place of the central administration unless the decisions on purposes and means of the processing are met in another establishment (see Art. 4 para 16 GDPR). What this will be in a specific case is an interpretation of the law and may be open to further inspection by DPAs or courts. So any information put into such a field is only the first interpretation done by the data controller him-/her-/itself and not finally binding. Options we may want to consider: - We go directly for GDPR-definitions ensuring that the understanding is equal and the specification developed in DPVCG works for processing in the EU / EEA contexts. (Personally I support this.) - We allow in the definition for different understandings of the same terminology and we include a pointer to the respecive jurisdiction (gdpr, us-federal, us-california,...) - We have own DPVCG-definitions of the terminology and will not stick to GDPR-terminology (but as far as I remember GDPR-compatibility was said to be a requirement for several participants at the kick-off-meeting in Vienna). As for the definitions below: I hope this is correct media-wiki-syntax to allow re-use in our wiki e.g. on this page: https://www.w3.org/community/dpvcg/wiki/index.php?title=Taxonomy&action=edit Best regards Harald == Definitions of Terms and Concepts == GDPR-terminology cited from [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679 EUR-Lex] * [[Consent]] <blockquote> As defined in Art. 4 para. 1 GDPR: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. </blockquote> Potential issues when used beyond EU: consent may have different meaning and requirements in other jurisdictions, even when the terminology is very similarly used such as “notice and choice” or “notice and consent” for U.S. federal and state jurisdictions. Idea to solve this: We will have some space where the text presented to the data subject or a link thereto is stored within the policy. This may be included here as a reference and then a second variable indicating some status of the consent including information as to whether it was an opt-in or opt-out or tacit acceptance (potential values: actively accepted, tacitly accepted, pending, withdrawn, identity-check pending. <nowiki> [ ... ] </nowiki> an identified or identifiable natural person (‘data subject’) <nowiki> [ ... ] </nowiki>). The consent-status has been suggested by someone in Vienna - just don’t want to claim this as my own idea. * [[Data Controller]] <blockquote>As defined in Art, 4 para. 7 GDPR: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. </blockquote> The GDPR foresees some minimum-information for transparency in Art 12 et seq. Maybe a data-set describing an entity could have these contents? * [Entity] ** Name (Name of the entity as a natural person or legal entity) ** contact details *** address *** e-mail *** optional: indication of jurisdiction * [controller] ** => entity(controller) ** => entity(main establishment for processing in country X) ** => entity(data protection official) * [[Data Processor]] <blockquote> As defined in Art. 4 para. 8 GDPR: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.</blockquote> * [[Data Recipient]] <blockquote> As defined in Art. 4 para. 9 GDPR: ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;</blockquote> * [[Data Subject]] <blockquote> As defined in Art. 4 para. 1 GDPR: <nowiki> [ ... ] </nowiki> an identified or identifiable natural person (‘data subject’) <nowiki> [ ... ] </nowiki> Where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</blockquote> Am 16.10.2018 um 17:23 schrieb Harshvardhan J. Pandit: > Dear All, > This is in response to ISSUE-4 and ACTION-28 about describing consent > following today's meeting call. > > Taking the text by Axel as is (from definition of GDPR), consent here is > comprised of > 1. the entity it was given to - data controller > 2. the purposes/actions it was given for - purpose > 3. the entities it governs - personal data (categories) > 4. the duration of its applicability - duration > The other properties are not part of the consent itself, but rather > describe it provenance. These are- > 5. how it was obtained - affirmative action > 6. when it was obtained - timestamp > I feel that #6 is a property of #5 rather than of the consent itself. > That is, the action has a timestamp, a medium (online form, for > example), and therefore the time associated with the consent is actually > the time it was collected/obtained at. > > I am working on a consent ontology to represent these same instances > (that are described above). There are some questions that are already > part of this work, which I will share soon. The ontology itself is a > work-in-progress, and therefore not stable to be added to the working > group list of vocabularies. I'm happy to share it if anyone is > interested in looking at it. > > I will try to formalise these into questions/points as suggested by Rigo > based on experiences with modeling provenance of consent. > > There are a few other things to consider, such as what is the consent > was collected via automated mechanisms or a natural person; or whether > it was given by someone in lieu of the person - i.e. a delegate. > > From Eva's point regarding the status of consent, I agree and propose > the following: > Unknown, Not Given, Implicitly Given, Explicitly Given, Withdrawn, > Expired, Invalidated > > On 16/10/18 7:38 AM, Data Privacy Vocabularies and Controls Community > Group Issue Tracker wrote: >> ISSUE-4: What are the elements of consent? starting from "consent = >> agreement through an [affirmative action] at a specific [time] with a >> [data controller] to specific [processing] and [storage] of specific >> [data categories] for specific [purpose] and [duration]" >> >> https://www.w3.org/community/dpvcg/track/issues/4 > > Best, -- Landesbeauftragte für Datenschutz Schleswig-Holstein Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1222, Fax -1223 mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/ Harald Zwingelberg, uld6@datenschutzzentrum.de Informationen über die Verarbeitung der personenbezogenen Daten durch die Landesbeauftragte für Datenschutz und zur verschlüsselten E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Wednesday, 17 October 2018 21:45:14 UTC