Open smartopian opened 7 years ago
I'm of a mind to let simple prevail. If a person has a question or concern about a CR they should have a single point of contact. GDPR implementations would probably put in the DPO contact info, but some organizations could choose a customer contact and depend on their internal routing to get it to the right office.
Thanks, John 4giv spellin errurz from mobile devize
From: Mark Lizar notifications@github.com
Sent: Wednesday, August 9, 2017 2:44:01 PM
To: KantaraInitiative/CISWG
Cc: Subscribed
Subject: [KantaraInitiative/CISWG] Add DPO Contact Field (#101)
In the GDPR there is a point for a DPO contact field, which, different from the on-behalf contact, could be a field for a privacy officer, or point of contact/end point for privacy and consent related requests.
This issue was actually something we accounted for prior to the GDPR in the MVCR v.0.9 where we did have a privacy contact field. But this was confused with the Data Controller Contact info and dropped.
Technically, this field would have been usable for this GDPR Article Clause, 13-1(b), with the guidance that this is a designated privacy contact.
With a string format for contact information.
In terms of implementations, I know that the on-behalf field and the privacy contact field have been used together to designate a trusted 3rd party as proxy.
As a result, I recommend bringing back the privacy point of contact field, with a GDPR-friendly reference that this field can be used for DPO where applicable in the GDPR, where I believe law requires a DPO to be listed for a company of a certain size.
Here is the GDPR Reference - Article 13 - 1 (b) -
Article 13 Information to be provided where personal data are collected from the data subject
I agree with you John. Instead of making this specifically a DPO field or even a Privacy field, having a direct contact, or first contact field for all privacy complaints, which can be defined by the data controller, I think is itself simple and easy. Guidance: We can add this as a May field and not required because a) the data controller is the direct contact, then it's not used. If it's required for compliance or there is an alternative contact (aka agent, service provider, whatever) this can then be listed here. (IMO) this field is needed to be added back in, but the lesson learned is, it doesn't need to be optimised.