The underlying issue here is whether this field is mandatory or optional - because administrative information is probably in the published privacy policy
Should the receipt be usable 'offline'? If yes, then there should be an email and phone number contact
In most jurisdictions the Notice requirements will require a statement of the name and address of the data controller
Proposed: make reference to jurisdiction regulations for mandatory; since there is no field validation, it could be null
Proposed: make conditions based on degree of functionality of the receipt e.g. 'must include URI in order to be machine processable'
These fields are the place where the information required in the Privacy Notice goes
David: these fields should be 'SHOULD' - and the guidance should describe how these fields relate to the requirements of the Privacy notice in the Jurisdiction. Note that the Specification describes WHAT is required, not HOW to implement it.
Issue #65: "Support for multiple data controllers"
There is no higher level structure around 'data controller' fields (there is a data structure for "Purposes")
Should there be a single contact point and refer to a separate list of controllers?
This is related to the Notice requirements
GDPR: "Name and contact details of the Controller, and where applicable, the Joint Controller, Controller's representative and DPO"
Q: Is there ever a situation where a Privacy Notice contains contact information for more than one Data Controller?
David to create a new structure ("PII Controllers") to hold one or more Controllers (including the existing fields)
10 min
Draft of publication synopsis for new WG
Not discussed
The purpose of the Consent Management Solutions – Best Current Practices publication is to establish an open standard of good practice for the management of an individual’s consent to process their personal data in electronic systems.
The publication describes the practices used by leading organizations to manage the full lifecycle of an individual’s consent to process their personal data. The lifecycle stages include privacy notice, prompt for acceptance of terms, collection of consent, production and storage of consent receipt, and management of the record of consent.
The practices described in the publication, and the requirements derived from them, can be used as the basis for a conformity assessment scheme, which may include product and services certification.
Proposed Table of Contents
Introduction
Scope
Notations and Abbreviations
Terms and Definitions
Best Current Practices – Consent management solutions
General
Regulations
Privacy Notice
Collection of consent
Management of consent records (creation, updates, expiry, change of scope)