GDPR Extension for the Consent Receipt, (note this updates issue #110)
We reviewed some key elements and these have feedback provided in this document attached.
Key is updating from the On-Behalf Field to delegation,
Add sub-processor for delegation by a processor
As ‘a party acting on, or consenting on the behalf of; a PII Principle, controller, processor or regulator. And should be used as such.
Adding fields for specifying who the -on-behalf- party is-
name, address, contact, role and authority
The On Behalf field was first written in as Consent on behalf of the PII Principle, which covered explicit consent by a parent or guardian for children, but how to do this was unclear at the time - so we decided to wait until an explicit example could be made for completing the specification of the on behalf field.
it is currently in the spec as an optional field for acting on behalf of- but, in the spec earlier it refers to - acting on behalf of the data controller as a data representative, with 3 contravening references in the specification that should be fixed.
On-Behalf field in the CR v1.1 shows an example that defines a sub-rpocess and processor – which is already defined as a 3rd party in the spec – which meand this field is redundant in the CRv1.1 – once a sub-processor field is defined.
The aforementioned - consent on behalf of PII Principle
Line 212 - in the spec referring to PII Controller having someone (or a 3rd party org) act on their behalf as a data representative - which arguably could also be required of a Data Processor
Then as a delegated processor -
Line 264 — Use - includes in its description to processing on behalf of a processor on be-half of a
Line 331 - OPTIONAL: A PII Processor acting on behalf of a PII Controller or PII Processor. For example, a third-party analytics service would be a PII Processor on behalf of the PII Controller, or a site operator acting on behalf of the PII Controller.
The way it is currently referred to in Line264 and 331 is no longer correct since the GDPR as what was termed ‘on behalf’ in the UK Privacy Act, (the original reference) now is directly referred to as a Processor. The term processor now encompasses that personal data is being processed on behalf of a controller. should not refer to processing - which, in the CR v1.1 spec is also defined as USE (line 263) and should correctly be termed in the context of delegated role field e.g. to be acting on behalf of
This reviewed definition still leaves outstanding the example that is now defined in the current spec in Line 331 - as outlined by the use case of a ‘third-party analytics service’ which is a different but closely related field issue and reveals the gap in the CR v1.1 specification, where there is a missing term - ’sub-processor’,
PrivacyCDN
commented
5 years ago
GDPR Extension for the Consent Receipt, (note this updates issue #110) We reviewed some key elements and these have feedback provided in this document attached.
Key is updating from the On-Behalf Field to delegation, Add sub-processor for delegation by a processor
As ‘a party acting on, or consenting on the behalf of; a PII Principle, controller, processor or regulator. And should be used as such.
The On Behalf field was first written in as Consent on behalf of the PII Principle, which covered explicit consent by a parent or guardian for children, but how to do this was unclear at the time - so we decided to wait until an explicit example could be made for completing the specification of the on behalf field.
it is currently in the spec as an optional field for acting on behalf of- but, in the spec earlier it refers to - acting on behalf of the data controller as a data representative, with 3 contravening references in the specification that should be fixed.
The way it is currently referred to in Line264 and 331 is no longer correct since the GDPR as what was termed ‘on behalf’ in the UK Privacy Act, (the original reference) now is directly referred to as a Processor. The term processor now encompasses that personal data is being processed on behalf of a controller. should not refer to processing - which, in the CR v1.1 spec is also defined as USE (line 263) and should correctly be termed in the context of delegated role field e.g. to be acting on behalf of
This reviewed definition still leaves outstanding the example that is now defined in the current spec in Line 331 - as outlined by the use case of a ‘third-party analytics service’ which is a different but closely related field issue and reveals the gap in the CR v1.1 specification, where there is a missing term - ’sub-processor’,