DPV-GDPR: GDPR Extension for DPV

version 1

Final Community Group Report

This version:
https://www.w3.org/community/reports/dpvcg/CG-FINAL-dpv-gdpr-20221205/
Latest published version:
https://w3id.org/dpv/dpv-gdpr
Latest editor's draft:
https://w3id.org/dpv/ed/dpv-gdpr
Editor:
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University)
Former editor:
Axel Polleres (Vienna University of Economics and Business) - Until
Authors:
Axel Polleres (Vienna University of Economics and Business)
Beatriz Esteves (Universidad Politécnica de Madrid)
Bert Bos (W3C/ERCIM)
Bud Bruegger (Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein)
Elmar Kiesling (Vienna University of Technology)
Eva Schlehahn (Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein)
David Hickey (Dublin City University)
Fajar J. Ekaputra (Vienna University of Technology)
Georg P. Krog (Signatu AS)
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University)
Javier D. Fernández (Vienna University of Economics and Business)
Julian Flake (University of Koblenz-Landau)
Mark Lizar (OpenConsent/Kantara Initiative)
Paul Ryan (Uniphar PLC)
Piero Bonatti (Università di Napoli Federico II)
Ramisa Gachpaz Hamed (Trinity College Dublin)
Rigo Wenning (W3C/ERCIM)
Rob Brennan (University College Dublin)
Simon Steyskal (Siemens)
Feedback:
GitHub w3c/dpv (pull requests, new issue, open issues)

DPV-GDPR extends the Data Privacy Vocabulary (DPV) Specification to provide taxonomies of concepts such as legal bases, rights, and data transfer tools as defined within the General Data Protection Regulation (GDPR).

The canonical URL for DPV-GDPR is https://w3id.org/dpv/dpv-gdpr which contains (this) specification. The namespace for DPV terms is https://w3id.org/dpv/dpv-gdpr#, the suggested prefix is dpv-gdpr, and this document along with source and releases are available at https://github.com/w3c/dpv.

Status of This Document

This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Final Specification Agreement (FSA) other conditions apply. Learn more about W3C Community and Business Groups.

This document is published by the Data Privacy Vocabularies and Controls Community Group (DPVCG) as a deliverable and report of its work in creating and maintaining the Data Privacy Vocabulary (DPV).

Note: Contributing to the DPV and its extensions

The DPVCG welcomes participation regarding the DPV, including expansion or refinement of its terms, addressing open issues, and welcomes suggestions on their resolution or mitigation. For further information, please see the contribution section.

GitHub Issues are preferred for discussion of this specification.

1. Introduction

The Data Privacy Vocabulary (DPV) provides terms to annotate and categorise instances of legally compliant personal data handling. In particular, the vocabulary provides LegalBasis and DataSubjectRight as top-level concepts representing the various legal bases for justifying processing of personal data and rights provided to the data subject respectively. Since these concepts are specifically defined within the scope of jurisdictional laws, their implementation is provided as a separate vocabulary that extends the DPV, thereby permitting continued usage of DPV as a jurisdiction-agnostic and generic vocabulary.

The DPV-GDPR vocabulary extends the concepts within DPV regarding legal bases, data subject rights, data transfer tools, data protection impact assessment (DPIA), and compliance, and provides a compatible extension to be used in combination with the DPV to represent GDPR-specific information.

3. Rights under GDPR

GDPR provides several rights to the data subject, whose applicability depends on the context and nature of processing taking place. DPV lists these rights at an abstract level as concepts along with their origin in specific clauses of the GDPR.

In addition to DPV's concepts regarding exercise of rights, DPV-GDPR provides additional concepts specific to the implementation of its rights. For example, SARNotice refers to the information provided in fulfilment of A15 Right of Access, or using dcat:Resource to represent the dataset provided in fulfilment of A20 Right to Data Portability.

3.1 Classes

dcat:Resource | A13 Right to be Informed | A14 Right to be Informed | A15 Right of Access | A16 Right to Rectification | A17 Right to Erasure | A18 Right to Restrict Processing | A19 Right to Rectification | A20 Right to Data Portability | A21 Right to object | A22 Right to object to automated decision making | A7-3 Right to Withdraw Consent | A77 Right to Complaint | Direct Data Collection Notice | Indirect Data Collection Notice | Rights Recipients Notice | SAR Notice |

3.1.1 dcat:Resource

IRI http://www.w3.org/ns/dcat#Resource
Term: dcat:Resource
Vocabulary: Data Catalog Vocabulary (DCAT) - Version 2
Usage Note: A dataset or catalogue or any other resource provided in fulfilment of a Right Exercise, such as for GDPR's Art.15 regarding Right of Access or Art.20 regarding Right to Data Portability. The associated properties from DCAT and DCMI DCT vocabularies provide convenient means to express metadata such as URL for accessing the data, its temporal validity and access restrictions, and specific datasets present along with their schemas.

3.1.2 A13 Right to be Informed

IRI https://w3id.org/dpv/dpv-gdpr#A13
Term: A13
Label: A13 Right to be Informed
Description: information to be provided where personal data is directly collected from data subject
SubType of: dpv:DataSubjectRight
Source: GDPR Art.13
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.3 A14 Right to be Informed

IRI https://w3id.org/dpv/dpv-gdpr#A14
Term: A14
Label: A14 Right to be Informed
Description: information to be provided where personal data is collected from other sources
SubType of: dpv:DataSubjectRight
Source: GDPR Art.14
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.4 A15 Right of Access

IRI https://w3id.org/dpv/dpv-gdpr#A15
Term: A15
Label: A15 Right of Access
Description: Right of access
SubType of: dpv:DataSubjectRight
Source: GDPR Art.15
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.5 A16 Right to Rectification

IRI https://w3id.org/dpv/dpv-gdpr#A16
Term: A16
Label: A16 Right to Rectification
Description: Right to rectification
SubType of: dpv:DataSubjectRight
Source: GDPR Art.16
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.6 A17 Right to Erasure

IRI https://w3id.org/dpv/dpv-gdpr#A17
Term: A17
Label: A17 Right to Erasure
Description: Right to erasure ('Right to be forgotten')
SubType of: dpv:DataSubjectRight
Source: GDPR Art.17
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.7 A18 Right to Restrict Processing

IRI https://w3id.org/dpv/dpv-gdpr#A18
Term: A18
Label: A18 Right to Restrict Processing
Description: Right to restriction of processing
SubType of: dpv:DataSubjectRight
Source: GDPR Art.18
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.8 A19 Right to Rectification

IRI https://w3id.org/dpv/dpv-gdpr#A19
Term: A19
Label: A19 Right to Rectification
Description: Right to be notified in case of rectification or erasure of personal data or restriction of processing
SubType of: dpv:DataSubjectRight
Source: GDPR Art.19
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.9 A20 Right to Data Portability

IRI https://w3id.org/dpv/dpv-gdpr#A20
Term: A20
Label: A20 Right to Data Portability
Description: Right to data portability
SubType of: dpv:DataSubjectRight
Source: GDPR Art.20
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.10 A21 Right to object

IRI https://w3id.org/dpv/dpv-gdpr#A21
Term: A21
Label: A21 Right to object
Description: Right to object to processing of personal data
SubType of: dpv:DataSubjectRight
Source: GDPR Art.21
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.11 A22 Right to object to automated decision making

IRI https://w3id.org/dpv/dpv-gdpr#A22
Term: A22
Label: A22 Right to object to automated decision making
Description: Right not to be subject to a decision based solely on automated processing including profiling
SubType of: dpv:DataSubjectRight
Source: GDPR Art.22
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.13 A77 Right to Complaint

IRI https://w3id.org/dpv/dpv-gdpr#A77
Term: A77
Label: A77 Right to Complaint
Description: Right to lodge a complaint with a supervisory authority
SubType of: dpv:DataSubjectRight
Source: GDPR Art.77
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.14 Direct Data Collection Notice

IRI https://w3id.org/dpv/dpv-gdpr#DirectDataCollectionNotice
Term: DirectDataCollectionNotice
Label: Direct Data Collection Notice
Description: A Notice provided in fulfilment of GDPR's Art.13 regarding information to be provided where personal data are collected from the data subject
SubType of: dpv:RightFulfilmentNotice
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.15 Indirect Data Collection Notice

IRI https://w3id.org/dpv/dpv-gdpr#IndirectDataCollectionNotice
Term: IndirectDataCollectionNotice
Label: Indirect Data Collection Notice
Description: A Notice provided in fulfilment of GDPR's Art.14 regarding information to be provided where personal data are not collected from the data subject
SubType of: dpv:RightFulfilmentNotice
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.16 Rights Recipients Notice

IRI https://w3id.org/dpv/dpv-gdpr#RightsRecipientsNotice
Term: RightsRecipientsNotice
Label: Rights Recipients Notice
Description: A Notice provided in fulfilment of GDPR's Art.19 regarding Recipients to whom a rights exercise has been communicated, such as regarding rectification (A.16) or erasure of personal data (A.17) or restriction of processing (A.18)
SubType of: dpv:RightFulfilmentNotice
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

3.1.17 SAR Notice

IRI https://w3id.org/dpv/dpv-gdpr#SARNotice
Term: SARNotice
Label: SAR Notice
Description: A Notice provided in fulfilment of GDPR's Art.15 regarding information to be provided for Right of Access or Subject Access Request (SAR)
SubType of: dpv:RightFulfilmentNotice
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

4. Data Transfer Tools

GDPR regulates data transfers outside the EU/EEA based on jurisdictions the transfer is occurring within and the guarantees available regarding the protection of personal data and fundamental rights. To indicate the sufficiency of a data transfer being compatible and adherent to these requirements, the European Commission provides various 'data transfer tools' based on the legal bases provided within the GDPR. DPV-GDPR models these as follows.

Note: Providing implementations of Data Transfer Tools

The DPV-GDPR's concepts for transfer tools are currently symbolic, and do not provide a way to actually implement those tools. For example, to represent the information contained within a SCC or BCR. The DPVCG is interested in providing such implementations, and welcomes discussions and contributions for the same.

4.1 Classes

AdHoc Contractual Clauses | Binding Corporate Rules (BCR) | Certification Mechanisms for Data Transfers | Codes of Conduct for Data Transfers | Data Transfer Tool | SCCs adopted by Commission | SCCs adopted by Supervisory Authority | Standard Contractual Clauses (SCC) | Supplementary Measure |

4.1.1 AdHoc Contractual Clauses

IRI https://w3id.org/dpv/dpv-gdpr#AdHocContractualClauses
Term: AdHocContractualClauses
Label: AdHoc Contractual Clauses
Description: Contractual Clauses not drafted by the EU Commission, e.g. by the Controller
SubType of: dpv:Contract, dpv-gdpr:DataTransferTool
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
Created:
Contributor(s): Harshvardhan J. Pandit

4.1.2 Binding Corporate Rules (BCR)

IRI https://w3id.org/dpv/dpv-gdpr#BindingCorporateRules
Term: BindingCorporateRules
Label: Binding Corporate Rules (BCR)
Description: Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises.
SubType of: dpv-gdpr:DataTransferTool
Source: GDPR Art.4-20
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit, Paul Ryan

4.1.3 Certification Mechanisms for Data Transfers

IRI https://w3id.org/dpv/dpv-gdpr#CertificationMechanismsForDataTransfers
Term: CertificationMechanismsForDataTransfers
Label: Certification Mechanisms for Data Transfers
Description: Certification and its binding or specified mechanisms intended to provide sufficient safeguards for data transfers
SubType of: dpv-gdpr:DataTransferTool
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
Created:
Contributor(s): Harshvardhan J. Pandit

4.1.4 Codes of Conduct for Data Transfers

IRI https://w3id.org/dpv/dpv-gdpr#CodesOfConductForDataTransfers
Term: CodesOfConductForDataTransfers
Label: Codes of Conduct for Data Transfers
Description: Codes of Conduct that outline sufficient safeguards for carrying out data transfers
SubType of: dpv-gdpr:DataTransferTool
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
Created:
Contributor(s): Harshvardhan J. Pandit

4.1.5 Data Transfer Tool

IRI https://w3id.org/dpv/dpv-gdpr#DataTransferTool
Term: DataTransferTool
Label: Data Transfer Tool
Description: A legal instrument or tool intended to assist or justify data transfers
SubType of: dpv:TechnicalOrganisationalMeasure
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools, GDPR Art.46
Created:
Contributor(s): David Hickey, Harshvardhan J. Pandit

4.1.6 SCCs adopted by Commission

IRI https://w3id.org/dpv/dpv-gdpr#SCCByCommission
Term: SCCByCommission
Label: SCCs adopted by Commission
Description: Standard contractual clauses adopted by the Commission in accordance with the examination procedure referred to in GDPR Article 93(2)
SubType of: dpv-gdpr:DataTransferTool, dpv-gdpr:StandardContractualClauses
Source: GDPR Art.46-2c
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit, Paul Ryan

4.1.7 SCCs adopted by Supervisory Authority

IRI https://w3id.org/dpv/dpv-gdpr#SCCBySupervisoryAuthority
Term: SCCBySupervisoryAuthority
Label: SCCs adopted by Supervisory Authority
Description: Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in GDPR Article 93(2)
SubType of: dpv-gdpr:DataTransferTool, dpv-gdpr:StandardContractualClauses
Source: GDPR Art.46-2d
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit, Paul Ryan

4.1.8 Standard Contractual Clauses (SCC)

IRI https://w3id.org/dpv/dpv-gdpr#StandardContractualClauses
Term: StandardContractualClauses
Label: Standard Contractual Clauses (SCC)
Description: Standard Contractual Clauses (SCCs) are pre-approved clauses by the EU for ensuring appropriate data protection safeguards intended for data transfers from the EU to third countries
SubType of: dpv:Contract, dpv-gdpr:DataTransferTool
Source: Implementing Decision on SCC for Data Transfers
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit, Paul Ryan

4.1.9 Supplementary Measure

IRI https://w3id.org/dpv/dpv-gdpr#SupplementaryMeasure
Term: SupplementaryMeasure
Label: Supplementary Measure
Description: Supplementary measures are intended to additionally provide safeguards or guarantees to bring the resulting protection in line with EU requirements
SubType of: dpv:TechnicalOrganisationalMeasure, dpv-gdpr:DataTransferTool
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit

5. DPIA

[GDPR] Article 35 specifies the conditions and requirements associated with Data Protection Impact Assessments. DPV-GDPR expands on the DPIA concept defined as an Organisational Measure within DPV by considering a DPIA as consisting of the following iterative process, and providing statuses for documenting their progression and outputs:

  1. Identifying activities for which a DPIA is to be undertaken (represented using DPV and DPV-GDPR)
  2. Checking whether a DPIA is needed as per GDPR Art.35 and other jurisdictional requirements: the activity is DPIANecessityAssessment and its output is denoted using DPIANecessityStatus
  3. Conducting the DPIA to identify risks and impacts: the activity is DPIAProcedure and its output is denoted using DPIARiskStatus
  4. Determining the outcome based on risk mitigation: the activity is DPIAOutcome and its output is denoted using DPIAOutcomeStatus
  5. Determining whether processing should be permitted to continue or be carried out, with the outcome being denoted using DPIAProcessingRecommendation
  6. Assessing whether processing is carried out in conformance with the DPIA, with the outcome being denoted using DPIAConformity

In addition to DPV's concepts for representing information about processing of personal data, DPV-GDPR also recommends using DCMI Metadata Terms (DCT) concepts to represent relevant metadata, such as dates, identifiers, validity, etc.
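The six steps above, written out as a record and checked, as an added example (not part of the specification or the DPVCG's own code). It assumes a record held as (subject, predicate, object) tuples with prefixed names, hypothetical `ex:` identifiers, `dct:valid` given as a single ISO end date, and the processing recommendation attached to the DPIAOutcome node; the consistency rules are read off the term descriptions in section 5.1 and the `dct:valid` usage note.

```python
from datetime import date

G = "dpv-gdpr:"  # prefix for https://w3id.org/dpv/dpv-gdpr#

# DPIA step class -> status class its dpv:hasStatus value must belong to (steps 2-4).
STEP_STATUS = {
    G + "DPIANecessityAssessment": G + "DPIANecessityStatus",
    G + "DPIAProcedure": G + "DPIARiskStatus",
    G + "DPIAOutcome": G + "DPIAOutcomeStatus",
}
# Instances of each status class, as listed in section 5.1.
INSTANCES = {
    G + "DPIANecessityStatus": {G + "DPIARequired", G + "DPIANotRequired"},
    G + "DPIARiskStatus": {G + "DPIAIndicatesHighRisk", G + "DPIAIndicatesLowRisk",
                           G + "DPIAIndicatesNoRisk"},
    G + "DPIAOutcomeStatus": {G + "DPIAOutcomeDPAConsultation",
                              G + "DPIAOutcomeHighResidualRisk",
                              G + "DPIAOutcomeRisksMitigated"},
}


def objects(triples, subject, predicate):
    """All objects of (subject, predicate, ?) in the record."""
    return [o for (s, p, o) in triples if s == subject and p == predicate]


def check_dpia(triples, dpia, today):
    """Return a list of findings for one dpv:DPIA node; empty means consistent."""
    findings, steps_seen, statuses = [], set(), set()
    parts = [s for (s, p, o) in triples if p == "dct:isPartOf" and o == dpia]
    for part in parts:
        found = set(objects(triples, part, "dpv:hasStatus"))
        statuses |= found
        for cls in objects(triples, part, "rdf:type"):
            if cls not in STEP_STATUS:
                continue
            steps_seen.add(cls)
            # Each step must carry a status drawn from its own status class.
            if not found & INSTANCES[STEP_STATUS[cls]]:
                findings.append(f"{part}: no {STEP_STATUS[cls]} value")
    # Step 2 said a DPIA is required, so step 3 should be on record.
    if G + "DPIARequired" in statuses and G + "DPIAProcedure" not in steps_seen:
        findings.append(f"{dpia}: DPIARequired but no DPIAProcedure recorded")
    # High residual risk is described as "not acceptable for continuation".
    if (G + "DPIAOutcomeHighResidualRisk" in statuses
            and G + "DPIARecommendsProcessingContinue" in statuses):
        findings.append(f"{dpia}: high residual risk, yet processing recommended to continue")
    # dct:valid: after this period the DPIA should be re-evaluated.
    for end in objects(triples, dpia, "dct:valid"):
        if date.fromisoformat(end) < today:
            findings.append(f"{dpia}: validity ended {end}, re-evaluation due")
    return findings


# Constructed sample records (hypothetical ex: identifiers and dates).
GOOD = [
    ("ex:dpia2", "rdf:type", "dpv:DPIA"),
    ("ex:dpia2", "dct:valid", "2023-12-31"),
    ("ex:need2", "rdf:type", G + "DPIANecessityAssessment"),
    ("ex:need2", "dct:isPartOf", "ex:dpia2"),
    ("ex:need2", "dpv:hasStatus", G + "DPIARequired"),
    ("ex:proc2", "rdf:type", G + "DPIAProcedure"),
    ("ex:proc2", "dct:isPartOf", "ex:dpia2"),
    ("ex:proc2", "dpv:hasStatus", G + "DPIAIndicatesHighRisk"),
    ("ex:out2", "rdf:type", G + "DPIAOutcome"),
    ("ex:out2", "dct:isPartOf", "ex:dpia2"),
    ("ex:out2", "dpv:hasStatus", G + "DPIAOutcomeRisksMitigated"),
    ("ex:out2", "dpv:hasStatus", G + "DPIARecommendsProcessingContinue"),
]
BAD = [
    ("ex:dpia1", "rdf:type", "dpv:DPIA"),
    ("ex:dpia1", "dct:valid", "2022-06-30"),
    ("ex:need1", "rdf:type", G + "DPIANecessityAssessment"),
    ("ex:need1", "dct:isPartOf", "ex:dpia1"),
    ("ex:need1", "dpv:hasStatus", G + "DPIARequired"),
    ("ex:out1", "rdf:type", G + "DPIAOutcome"),
    ("ex:out1", "dct:isPartOf", "ex:dpia1"),
    ("ex:out1", "dpv:hasStatus", G + "DPIAOutcomeHighResidualRisk"),
    ("ex:out1", "dpv:hasStatus", G + "DPIARecommendsProcessingContinue"),
]

if __name__ == "__main__":
    for name, record, node in (("GOOD", GOOD, "ex:dpia2"), ("BAD", BAD, "ex:dpia1")):
        print(name, check_dpia(record, node, date(2022, 12, 5)))
```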

Note: Guidance on documenting DPIAs using DPV and DPV-GDPR

The DPVCG is working on updating the Guide for GDPR DPIA's using DPV based on recent updates in DPV and DPV-GDPR. In addition to these, we are also working on providing concepts for expressing impacts and risk management within Risk Extension for DPV.

5.1 Classes

DPIA Conformant | DPIA Conformity | DPIA Indicates High Risk | DPIA Indicates Low Risk | DPIA Indicates No Risk | DPIA Necessity Assessment | DPIA Necessity Status | DPIA Non-Conformant | DPIA Not Required | DPIA Outcome | DPIA Outcome DPA Consultation | DPIA Outcome High Residual Risk | DPIA Outcome Risks Mitigated | DPIA Outcome Status | DPIA Procedure | DPIA Processing Recommendation | DPIA Recommends Processing Continue | DPIA Recommends Processing Not Continue | DPIA Required | DPIA Risk Status |

5.1.1 DPIA Conformant

IRI https://w3id.org/dpv/dpv-gdpr#DPIAConformant
Term: DPIAConformant
Label: DPIA Conformant
Description: Expressing the specified process is conformant with a DPIA
Instance of: dpv-gdpr:DPIAConformity
Created:
Contributor(s): Georg P Krog, Harshvardhan J. Pandit

5.1.2 DPIA Conformity

IRI https://w3id.org/dpv/dpv-gdpr#DPIAConformity
Term: DPIAConformity
Label: DPIA Conformity
Description: Conformity of a process with a DPIA
SubType of: dpv:ConformanceStatus
Created:
Contributor(s): Georg P Krog, Harshvardhan J. Pandit

5.1.3 DPIA Indicates High Risk

IRI https://w3id.org/dpv/dpv-gdpr#DPIAIndicatesHighRisk
Term: DPIAIndicatesHighRisk
Label: DPIA Indicates High Risk
Description: DPIA identifying high risk levels
Instance of: dpv-gdpr:DPIARiskStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.4 DPIA Indicates Low Risk

IRI https://w3id.org/dpv/dpv-gdpr#DPIAIndicatesLowRisk
Term: DPIAIndicatesLowRisk
Label: DPIA Indicates Low Risk
Description: DPIA identifying low risk levels
Instance of: dpv-gdpr:DPIARiskStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.5 DPIA Indicates No Risk

IRI https://w3id.org/dpv/dpv-gdpr#DPIAIndicatesNoRisk
Term: DPIAIndicatesNoRisk
Label: DPIA Indicates No Risk
Description: DPIA identifying no risk is present
Instance of: dpv-gdpr:DPIARiskStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.6 DPIA Necessity Assessment

IRI https://w3id.org/dpv/dpv-gdpr#DPIANecessityAssessment
Term: DPIANecessityAssessment
Label: DPIA Necessity Assessment
Description: Process that determines whether a DPIA is necessary
SubType of: dpv:DPIA
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.7 DPIA Necessity Status

IRI https://w3id.org/dpv/dpv-gdpr#DPIANecessityStatus
Term: DPIANecessityStatus
Label: DPIA Necessity Status
Description: Status reflecting whether a DPIA is necessary
SubType of: dpv:AuditStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.8 DPIA Non-Conformant

IRI https://w3id.org/dpv/dpv-gdpr#DPIANonConformant
Term: DPIANonConformant
Label: DPIA Non-Conformant
Description: Expressing the specified process is not conformant with a DPIA
Instance of: dpv-gdpr:DPIAConformity
Created:
Contributor(s): Georg P Krog, Harshvardhan J. Pandit

5.1.9 DPIA Not Required

IRI https://w3id.org/dpv/dpv-gdpr#DPIANotRequired
Term: DPIANotRequired
Label: DPIA Not Required
Description: Condition where a DPIA is not required
Instance of: dpv-gdpr:DPIANecessityStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.10 DPIA Outcome

IRI https://w3id.org/dpv/dpv-gdpr#DPIAOutcome
Term: DPIAOutcome
Label: DPIA Outcome
Description: Process representing determining outcome of a DPIA
SubType of: dpv:DPIA
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.11 DPIA Outcome DPA Consultation

IRI https://w3id.org/dpv/dpv-gdpr#DPIAOutcomeDPAConsultation
Term: DPIAOutcomeDPAConsultation
Label: DPIA Outcome DPA Consultation
Description: DPIA outcome status indicating a DPA consultation is required
Instance of: dpv-gdpr:DPIAOutcomeStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.12 DPIA Outcome High Residual Risk

IRI https://w3id.org/dpv/dpv-gdpr#DPIAOutcomeHighResidualRisk
Term: DPIAOutcomeHighResidualRisk
Label: DPIA Outcome High Residual Risk
Description: DPIA outcome status indicating high residual risk which are not acceptable for continuation
Instance of: dpv-gdpr:DPIAOutcomeStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.13 DPIA Outcome Risks Mitigated

IRI https://w3id.org/dpv/dpv-gdpr#DPIAOutcomeRisksMitigated
Term: DPIAOutcomeRisksMitigated
Label: DPIA Outcome Risks Mitigated
Description: DPIA outcome status indicating (all) risks have been mitigated
Instance of: dpv-gdpr:DPIAOutcomeStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.14 DPIA Outcome Status

IRI https://w3id.org/dpv/dpv-gdpr#DPIAOutcomeStatus
Term: DPIAOutcomeStatus
Label: DPIA Outcome Status
Description: Status reflecting the outcomes of a DPIA
SubType of: dpv:AuditStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.15 DPIA Procedure

IRI https://w3id.org/dpv/dpv-gdpr#DPIAProcedure
Term: DPIAProcedure
Label: DPIA Procedure
Description: Process representing carrying out a DPIA
SubType of: dpv:DPIA
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.16 DPIA Processing Recommendation

IRI https://w3id.org/dpv/dpv-gdpr#DPIAProcessingRecommendation
Term: DPIAProcessingRecommendation
Label: DPIA Processing Recommendation
Description: Recommendation from the DPIA regarding processing
SubType of: dpv:AuditStatus
Created:
Contributor(s): Georg P Krog, Harshvardhan J. Pandit

5.1.17 DPIA Recommends Processing Continue

IRI https://w3id.org/dpv/dpv-gdpr#DPIARecommendsProcessingContinue
Term: DPIARecommendsProcessingContinue
Label: DPIA Recommends Processing Continue
Description: Recommendation from a DPIA that the processing may continue
Instance of: dpv-gdpr:DPIAProcessingRecommendation
Created:
Contributor(s): Georg P Krog, Harshvardhan J. Pandit

5.1.18 DPIA Recommends Processing Not Continue

IRI https://w3id.org/dpv/dpv-gdpr#DPIARecommendsProcessingNotContinue
Term: DPIARecommendsProcessingNotContinue
Label: DPIA Recommends Processing Not Continue
Description: Recommendation from a DPIA that the processing should not continue
Instance of: dpv-gdpr:DPIAProcessingRecommendation
Created:
Contributor(s): Georg P Krog, Harshvardhan J. Pandit

5.1.19 DPIA Required

IRI https://w3id.org/dpv/dpv-gdpr#DPIARequired
Term: DPIARequired
Label: DPIA Required
Description: Condition where a DPIA is required
Instance of: dpv-gdpr:DPIANecessityStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.1.20 DPIA Risk Status

IRI https://w3id.org/dpv/dpv-gdpr#DPIARiskStatus
Term: DPIARiskStatus
Label: DPIA Risk Status
Description: Status reflecting the status of risk associated with a DPIA
SubType of: dpv:AuditStatus
Created:
Contributor(s): Harshvardhan J. Pandit

5.2 Properties

dct:conformsTo | dct:coverage | dct:created | dct:dateAccepted | dct:dateSubmitted | dct:description | dct:hasPart | dct:identifier | dct:isPartOf | dct:isVersionOf | dct:modified | dct:subject | dct:temporal | dct:title | dct:valid | dpv:hasStatus |

5.2.1 dct:conformsTo

IRI http://purl.org/dc/terms/conformsTo
Term: dct:conformsTo
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing an existing standard, guideline, or requirements to which the DPIA document or process will be conforming to. This could be external guidelines published by an Authority, or internal guidelines established by the organisation
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.2 dct:coverage

IRI http://purl.org/dc/terms/coverage
Term: dct:coverage
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing coverage (e.g. jurisdictions, products, services) of the DPIA document or process. For temporal coverage, please see dct:temporal. The coverage can be expressed using dpv:PersonalDataHandling, or using another concept, or even be a link or reference to a document, or a textual description
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.3 dct:created

IRI http://purl.org/dc/terms/created
Term: dct:created
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing when the documentation (e.g. DPIA Necessity Assessment, or DPIA Procedure, or DPIA outcome) was created
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.4 dct:dateAccepted

IRI http://purl.org/dc/terms/dateAccepted
Term: dct:dateAccepted
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing when the documentation (e.g. DPIA Necessity Assessment, or DPIA Procedure, or DPIA outcome) was accepted through audit or approval
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.5 dct:dateSubmitted

IRI http://purl.org/dc/terms/dateSubmitted
Term: dct:dateSubmitted
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing when the documentation (e.g. DPIA Necessity Assessment, or DPIA Procedure, or DPIA outcome) was submitted for audit or approval
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.6 dct:description

IRI http://purl.org/dc/terms/description
Term: dct:description
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: Indicates a description of the DPIA for human comprehension
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.7 dct:hasPart

IRI http://purl.org/dc/terms/hasPart
Term: dct:hasPart
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing that a DPIA document or process contains something as a part. For example, as some dpv:DPIA dct:hasPart DPIANecessityAssessment
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.8 dct:identifier

IRI http://purl.org/dc/terms/identifier
Term: dct:identifier
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: Indicates an identifier associated with the DPIA documentation or process. Identifiers may be reused from existing systems, or created for the purposes of record management
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.9 dct:isPartOf

IRI http://purl.org/dc/terms/isPartOf
Term: dct:isPartOf
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing a DPIA document or process is part of another. For example, as some DPIANecessityAssessment dct:isPartOf some dpv:DPIA
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.10 dct:isVersionOf

IRI http://purl.org/dc/terms/isVersionOf
Term: dct:isVersionOf
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing prior versions or iterations of the DPIA document or process
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.11 dct:modified

IRI http://purl.org/dc/terms/modified
Term: dct:modified
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing when the documentation (e.g. DPIA Necessity Assessment, or DPIA Procedure, or DPIA outcome) was last modified
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.12 dct:subject

IRI http://purl.org/dc/terms/subject
Term: dct:subject
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing the subject of the DPIA document or process, where subject refers to the point of focus. For expressing what is affected or included within the DPIA, please see dct:coverage
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.13 dct:temporal

IRI http://purl.org/dc/terms/temporal
Term: dct:temporal
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing the temporal coverage of the DPIA document or process
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.14 dct:title

IRI http://purl.org/dc/terms/title
Term: dct:title
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: Indicates a title of the DPIA for human comprehension
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.15 dct:valid

IRI http://purl.org/dc/terms/valid
Term: dct:valid
Vocabulary: DCMI Metadata Terms (DCT)
Usage Note: For expressing the temporal date or range of validity of the DPIA document or process. This refers to the time period for which the DPIA is considered valid, and does not refer to the temporal period associated with processing (see dct:temporal instead). The assumption is that after this period, the DPIA should be re-evaluated or some process should be triggered
Domain: left blank / unspecified
Range: left blank / unspecified

5.2.16 dpv:hasStatus

IRI https://w3id.org/dpv#hasStatus
Term: dpv:hasStatus
Vocabulary: Data Privacy Vocabulary (DPV) Specification
Usage Note: For expressing the status of the DPIA document or process. Here different statuses are used to convey different contextual meanings. For example, dpv:ActivityStatus expresses the state of the activity in terms of whether it is ongoing or completed, and dpv:AuditStatus expresses the state of the audit process in terms of being required, approved, or rejected. These are applied over each step of the DPIA i.e. DPIANecessityAssessment, DPIAProcedure, and DPIAOutcome. Similarly, a process also uses hasStatus with DPIAConformity to indicate adherence to the results of the DPIA process.
Domain: left blank / unspecified
Range: left blank / unspecified

6. Compliance

The concepts in this section reflect the status of processing operations being in compliance with GDPR, by extending the ComplianceStatus from DPV for GDPR. It does not define the requirements for compliance itself.

6.1 Classes

GDPR Compliance Unknown | GDPR Compliant | GDPR Lawfulness | GDPR Non-compliant |

6.1.1 GDPR Compliance Unknown

IRI https://w3id.org/dpv/dpv-gdpr#GDPRComplianceUnknown
Term: GDPRComplianceUnknown
Label: GDPR Compliance Unknown
Description: State where lawfulness or compliance with GDPR is unknown
Instance of: dpv-gdpr:GDPRLawfulness
Created:
Contributor(s): Harshvardhan J. Pandit

6.1.2 GDPR Compliant

IRI https://w3id.org/dpv/dpv-gdpr#GDPRCompliant
Term: GDPRCompliant
Label: GDPR Compliant
Description: State of being lawful or legally compliant for GDPR
Instance of: dpv-gdpr:GDPRLawfulness
Created:
Contributor(s): Harshvardhan J. Pandit

6.1.3 GDPR Lawfulness

IRI https://w3id.org/dpv/dpv-gdpr#GDPRLawfulness
Term: GDPRLawfulness
Label: GDPR Lawfulness
Description: Status or state associated with being lawful or legally compliant regarding GDPR
SubType of: dpv:Lawfulness
Created:
Contributor(s): Harshvardhan J. Pandit

6.1.4 GDPR Non-compliant

IRI https://w3id.org/dpv/dpv-gdpr#GDPRNonCompliant
Term: GDPRNonCompliant
Label: GDPR Non-compliant
Description: State of being unlawful or legally non-compliant for GDPR
Instance of: dpv-gdpr:GDPRLawfulness
Created:
Contributor(s): Harshvardhan J. Pandit

Funding Acknowledgements

Funding Sponsors

The DPVCG and DPV were initiated as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601. The SPECIAL project ran over a 3-year period from 2017 to 2019.

Harshvardhan J. Pandit was funded by the Irish Research Council Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790 for working within the DPVCG and contributing to the DPV. The fellowship lasted from 2020 to 2022.

Funding Acknowledgements for Contributors

The contributions of Piero Bonatti and Luigi Sauro to the DPVCG have been funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement N. 731601 (project SPECIAL) until 2019, and under grant agreement N. 883464 (project TRAPEZE) from 2020 until 2023.

The contributions of Beatriz Esteves have received funding through the PROTECT ITN Project from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813497.

The contributions of Harshvardhan J. Pandit have received funding from the ADAPT SFI Centre for Digital Media Technology, which is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).

A. Proposed Terms

The following terms have been proposed for inclusion, and are under discussion. They are provided here for illustrative purposes and should not be considered as part of DPV.

legal_basis dpia compliance

B. Issue summary

There are no issues listed in this specification.

C. Deprecated Terms
