Data Privacy Vocabulary (DPV)

DPV's terms are defined using abstract semantic notions Concept and Relation derived from SKOS concepts and semantic relations respectively. The use of relations is bounded using hasDomain and hasRange. These enable representing DPV's concepts as a thesauri, i.e. a list of concepts using SKOS, and to serialise them for different semantic models. For a summary of how these are mapped to [RDFS] & [SKOS] in [DPV-SKOS], and [OWL] in [DPV-OWL] - see Appendix.

The interpretation of DPV's concept can be done through serialisation. DPV provides two such serialisations: [DPV-OWL] that uses OWL2 and [DPV-SKOS] that uses RDFS+SKOS. The DPV Family of Documents provides an overview of all serialisations related to the DPV.

DPV consists of certain 'core concept' that are intended to be independent representations of specific information, and are distinct from other core concepts. For example, the Purpose (e.g. Optimisation) refers only to the purpose of why personal data is processed and is independent as a concept from the PersonalData (e.g. Location) or the Processing activities (e.g. collect, store) involved to carry out that purpose.

The structuring of DPV is based on providing rich and comprehensive taxonomies that group concepts together based on each core concept, e.g. taxonomy of purposes, which is reflected in the serialisation and documentation (e.g. this document). Other extentions provide additional concepts that expand DPV's concept or complement them with separation and optionality through namespaces. For a list of all DPV related documents, see document family section.

DPV can be viewed as a hierarchical taxonomy of concepts where each core concept represents the top-most abstract concept in a tree and each of its children provide a lesser abstract or more concrete concept. For example, consider the concept of PersonalData which is the abstract representation of personal data. It can be further refined or extended as SensitivePersonalData, and further as SpecialCategoryPersonalData and then as GeneticData and so on.

From this perspective, the top-most abstract concepts are collectively referred to as the core vocabulary within DPV. The goal of the DPV is to provide a rich collection of concepts for each of top concepts so as to enable their application within real-world use-cases. The identification of what constitutes a core concept is based on the need to represent information about it in a modular and independent form, such as that required for legal compliance.

The 'Base' or 'Core' concepts in DPV represent the most relevant concepts for representing information regarding the what, how, where, who, why of personal data and its processing. Each of these concepts is further elaborated as a taxonomy of concepts in a hierarchical fashion. The DPV provides the following as 'top-level' concepts and relations to associate them with other concepts:

DPV provides taxonomies for all core concepts except for PersonalDataHandling which represents an abstract concept to aid in 'grouping' the concepts with one another. The relation hasPersonalDataHandling associates a PersonalDataHandling with other concepts including itself.

The rest of the document expands on the core concepts through the following taxonomies.

• Entities - different kinds of entities, the specific Legal Roles they can take, and categories of Organisations, Authorities, and Data Subjects.
• Purposes that justify the need or goal for which personal data is processd.
• Processing operations over personal data.
• Personal Data that is relevant for processing.
• Technical & Organisational Measures with dedicated sections for technical and organisational measures.
• Legal Bases that justify the processing, with a dedicated section for Consent.
• Contextual information about Processing such as storage conditions and automation, as well as Scale of Processing.
• Contextual information in general such as frequency and duration, and Statuses associated with activities.
• Locations & Jurisdictions providing relevance to laws, authorities, and location contexts.
• Risk & Impacts for risk assessment, management, and expression of consequences and impacts associated with processing.
• Rights and Rights Exercise for specifying what rights are applicable, how they can be exercised, and how to provide information associated with rights.
• Rules for expressing constraints, requirements, and other forms of rules that can specify or assist in interpreting what is permitted, prohibited, mandatory, etc.

Further to these, there are separate extensions that provide additional concepts. These are:

• DPV-PD: Extension providing Personal Data Categories
• DPV-GDPR: Extension providing GDPR concepts
• DPV-TECH: Extension providing Technology-relevant concepts
• DPV-LEGAL: Extension providing Jurisdiction-relevant concepts
• Risk Extension for DPV
• Rights Extension for Data Privacy Vocabulary

Entity | Legal Entity | Natural Person | Representative |

has address | has contact | has entity | has name | has representative | has responsible entity | is representative for |

Legal Role is the role taken on by a legal entity based on definitions or criterias from laws, regulations, or other such normative sources. Legal roles assist in representing the role and responsibility of an entity within the context of processing, and from this to determine the requirements and obligations that should apply, and their compliance or conformance.

The concept Authority is a specific Governmental Organisation authorised to enforce a law or regulation. Authorities can be associated with a specific domain, topic, or jurisdiction. DPV currently defines regional authorities for NationalAuthority, RegionalAuthority, and SupraNationalAuthority, and DataProtectionAuthority represents authorities associated with data protection and privacy. To associate authorities with concepts, the relations hasAuthority and isAuthorityFor are provided.

DPV provides a taxonomy of data subject types to assist with describing what kind of individuals or groups are associated with an use-case. Some examples of such types are agency-based roles: Adult and Child, ParentOfDataSubject, GuardianOfDataSubject; those associated with vulnerability: VulnerableDataSubject, ElderlyDataSubject, AsylumSeeker; domain-specific roles such as Patient, Employee, Student, jurisdictional roles such as Citizen, NonCitizen, Immigrant; and general roles such as User, Member, Participant, and Client.

Academic Research | Account Management | Advertising | Anti-Terrorism Operations | Commercial Research | Communication for Customer Care | Communication Management | Counter Money Laundering | Credit Checking | Customer Care | Customer Claims Management | Customer Management | Customer Order Management | Customer Relationship Management | Customer Solvency Monitoring | Delivery of Goods | Direct Marketing | Dispute Management | Enforce Access Control | Enforce Security | Establish Contractual Agreement | Fraud Prevention and Detection | Fulfilment of Contractual Obligation | Fulfilment of Obligation | Human Resource Management | Identity Verification | Improve Existing Products and Services | Improve Internal CRM Processes | Increase Service Robustness | Internal Resource Optimisation | Legal Compliance | Maintain Credit Checking Database | Maintain Credit Rating Database | MaintainFraudDatabase | Marketing | Members and Partners Management | Non-Commercial Research | Optimisation for Consumer | Optimisation for Controller | Optimise User Interface | Organisation Compliance Management | Organisation Governance | Organisation Risk Management | Payment Management | Personalisation | Personalised Advertising | Personalised Benefits | Personnel Hiring | Personnel Management | Personnel Payment | Provide Event Recommendations | Provide Personalised Recommendations | Provide Product Recommendations | Public Relations | Purpose | Record Management | Repair Impairments | Requested Service Provision | Research and Development | Search Functionalities | Sector | Sell Data to Third Parties | Sell Insights from Data | Sell Products | Sell Products to Data Subject | Service Optimisation | Service Personalisation | Service Provision | Service Registration | Service Usage Analytics | Social Media Marketing | Targeted Advertising | Technical Service Provision | User Interface Personalisation | Vendor Management | Vendor Payment | Vendor Records Management | Vendor Selection Assessment |

has purpose | has sector |

Access | Acquire | Adapt | Align | Alter | Analyse | Anonymise | Assess | Collect | Combine | Consult | Copy | Derive | Destruct | Disclose | Disclose by Transmission | Disseminate | Erase | Filter | Generate | Infer | Make Available | Match | Modify | Monitor | Move | Observe | Obtain | Organise | Processing | Profiling | Pseudonymise | Query | Record | Remove | Restrict | Retrieve | Screen | Share | Store | Structure | Transfer | Transform | Transmit | Use |

has processing |