- From: Bud Bruegger <uld613@datenschutzzentrum.de>
- Date: Tue, 26 Feb 2019 14:37:28 +0100
- To: public-dpvcg@w3.org
Hi Harsh, apologies for the delayed reply. Disclaimer: I am not a lawyer but have worked with lawyers for some time now. Also, Eva is on sick leave and so I can't talk with her about it. Art 4(2) GDPR, in my understanding, just tries to give the widest possible definition for "processing" without concerns of orthogonality, completeness, or suitedness to indicate certain cases that need to be treated specifically. Also, the GDPR always speaks of data--while modern processing is goes way beyond the ancent data in, data out paradigm. In particular, what is excluded is (i) the "production" of "physical products" (e.g., a passport or a dental pretesis--both based on personal data but much more than the data) and (ii) effects acting on the physical world (for example, the control of a personal medical device that for examle controls the dispension of medication based on various sensors). The GDPR uses the term "nature of processing" without giving a definition. So I propose that nature of processing could be: [output of data/information product, production of a physical artefact, control of the physical environment/cyber-physical system] It seems that so far, the GDPR and consequently we have focuses on the first of the three. [NB, the GDPR uses other interesting ajectives of processing beyond "nature": scope, context. And the Art29WP speaks of "scale" and " > The specific structuring is problematic because the GDPR definition > contains a lot of words which are difficult to understand e.g. > alteration and transfer. Sometimes it is not clear whether to use the > legal meaning of the term or one more closely aligned to technologies. > Can the legal experts assist with this? As said above, I am not a legal expert. BUT, I don't think that 4(2) is a good basis for the vocabulary. When I think of the GDPR and what kinds of processing triggers certain things, what comes in mind without systematic digging, is "Automated individual decision-making, including profiling" (Art 22) and "produces legal effects concerning him or her or similarly significantly affects him or her" (also Art 22). The Art 29. Working Party (now European Data Protection Board) also has issued an opinion [1] that uses other terms that characterize processing including: * Evaluation or scoring * Automated-decision making with legal or similar significant effect [Bud: financial effects??] * Systematic monitoring * Matching or combining datasets * processing that involves new technological or organisational solutions * processing that “prevents data subjects from exercising a right or using a service or a contract” (Article 22 and recital 91) These more or less seem to fit in the same dimension, although I don't believe they are necessarily mutually exclusive.. What isn't explicitly mentioned by the Art29WP is processing based on machine learning or similar forms of AI. > I've also added profiling and cross-border processing as types from > their definitions in Article-4. Profiling is also mentioned by Art29WP and included above. "Cross-border" in my conceptionalization fits in a different dimension, maybe the same that "scale of processing" fits in (The Art29WP gives a definition of scale, one aspect being geographic extent). BTW, the bullet list above is a subset of things the Art29WP lists as indicators of possible high risk--namely those that in my head fit under "type of processing". Others such as "scale", type of data (sensitive, data of a highly personal nature--eg. location), type of affected data subjects (children, vulnerable data subjects) I left out... Do you all think that we could start with the above sub-list from Art29WP and discuss how to make it orthogonal and complete? best cheers -b [1] https://ec.europa.eu/newsroom/document.cfm?doc_id=47711 see pages 9 and 10 Am 22.02.2019 um 16:11 schrieb Harshvardhan J. Pandit: > Hello. > Here is a rudimentary categorisation of processing types, taken from the > definition of processing in GDPR (A4-2) > https://github.com/dpvcg/processing > > At the broadest level, processing is categorised as obtaining data, > using data, storing data, disclosing data, transfering data, > transforming data, organising data, removing data, and automation (i.e. > automated processing) > > The specific structuring is problematic because the GDPR definition > contains a lot of words which are difficult to understand e.g. > alteration and transfer. Sometimes it is not clear whether to use the > legal meaning of the term or one more closely aligned to technologies. > Can the legal experts assist with this? > > I've also added profiling and cross-border processing as types from > their definitions in Article-4. > > For processing (URI DataProcessing), I've added links to the definition > of processing in Eurovoc. Eurovoc contains definitions for terms such as > data collection and processing as well as links to other vocabularies > such as UN and UNESCO. We should define links to such vocabularies once > we have finalised the terms. > > Best, > Harsh > > On 12/02/19 7:21 PM, Data Privacy Vocabularies and Controls Community > Group Issue Tracker wrote: >> dpvcg-ACTION-66: Look into structuring processing categories, ramisa, >> bud, eva to help/review. >> >> https://www.w3.org/community/dpvcg/track/actions/66 >> >> Assigned to: Harshvardhan Pandit >> >> >> >> >> >> >> >> > -- Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine) ULD613@datenschutzzentrum.de Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223 mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/ Informationen über die Verarbeitung der personenbezogenen Daten durch die Landesbeauftragte für Datenschutz und zur verschlüsselten E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Tuesday, 26 February 2019 13:43:16 UTC