Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
GitHub Issues are preferred for discussion of this specification.
1. DPV and Related Resources
Data Privacy Vocabulary (DPV) Specification: is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH], and [AI]. Specific [LEGAL] extensions are also provided which model jurisdiction-specific regulations and concepts. To support understanding and applications of [DPV], various guides and resources [GUIDES] are provided, including a [PRIMER]. A Search Index of all concepts from DPV and extensions is available.
[DPV] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [DPVCG], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.
The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article Data Privacy Vocabulary (DPV) - Version 2, accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes the changes made in DPV v2.
2. Introduction
The [EU-GDPR] extension provides concepts extending the [DPV] to represent information requirements from the [GDPR]. It enables the use of DPV to represent use-cases that are regulated by the GDPR, such as using specific legal bases defined in the GDPR, or to represent the applicability of rights, or requirements for conducting data protection impact assessments. It also enables representing practicalities such as organisations and their 'establishments' in the EU, data breach reporting and impact assessments, and data transfer tools. In particular, the [EU-GDPR] extension provides the following:
Legal Bases for processing personal data as defined in Articles 6 and 9 (special categories of personal data) and 45-49 (data transfer)
Data Protection Impact Assessment (DPIA) information as defined in Article 35, such as necessity to conduct a DPIA, indicating the findings of DPIA in terms of risk levels and impacts, and the outcomes of DPIAs regarding continuation of processing
Data Breach information such as types of breaches, notices, reporting requirements, and risk levels
Establishment & Authorities to indicate aspects such as the 'main' establishment of an organisation, and the role of DPAs as 'lead' supervisory authority
Compliance to express whether the specific process or context is compliant with the GDPR
3. Legal Basis
GDPR Article 6 specifies that every processing of personal data must have one (or more) legal bases that justify it. These are represented as Core Legal Basis concepts by extending relevant dpv:LegalBasis concepts, such as those for consent or contract. Similarly, Article 9 legal bases are represented as Special Category Legal Basis, and those from Articles 45, 46, and 49 are represented as instances of dpv:DataTransferLegalBasis to form the Data Transfer Legal Basis.
Note: DPV does not define validity of legal basis
3.1 Core (Art.6)
These concepts represent the Article 6-1 legal bases from GDPR. They are defined by extending dpv:LegalBasis and can be indicated by using dpv:hasLegalBasis.
eu-gdpr:A6-1-a: Legal basis based on data subject's given consent to the processing of his or her personal data for one or more specific purposes
eu-gdpr:A6-1-a-explicit-consent: Legal basis based on data subject's given explicit consent to the processing of his or her personal data for one or more specific purposes
eu-gdpr:A6-1-a-non-explicit-consent: Legal basis based on data subject's given non-explicit express consent to the processing of his or her personal data for one or more specific purposes
eu-gdpr:A6-1-b: Legal basis based on performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
eu-gdpr:A6-1-b-contract-performance: Legal basis based on performance of a contract to which the data subject is party
eu-gdpr:A6-1-b-enter-into-contract: Legal basis based on taking steps at the request of the data subject prior to entering into a contract
eu-gdpr:A6-1-c: Legal basis based on compliance with a legal obligation to which the controller is subject
eu-gdpr:A6-1-d: Legal basis based on protecting the vital interests of the data subject or of another natural person
eu-gdpr:A6-1-d-data-subject: Legal basis based on protecting the vital interests of the data subject
eu-gdpr:A6-1-d-natural-person: Legal basis based on protecting the vital interests of another natural person that is not the data subject
eu-gdpr:A6-1-e: Legal basis based on performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
eu-gdpr:A6-1-e-official-authority: Legal basis based on the exercise of official authority vested in the controller
eu-gdpr:A6-1-e-public-interest: Legal basis based on performance of a task carried out in the public interest
eu-gdpr:A6-1-f: Legal basis based on the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
eu-gdpr:A6-1-f-controller: Legal basis based on the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
eu-gdpr:A6-1-f-third-party: Legal basis based on the purposes of the legitimate interests pursued by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
3.2 Special Category (Art.9)
These concepts represent the Article 9-2 legal bases from GDPR regarding processing of special category personal data as defined in Article 9-1. They are defined by extending dpv:LegalBasis and can be indicated by using dpv:hasLegalBasis. The Personal Data categories extension for DPV indicates whether each of its concepts belongs to the special categories as defined in GDPR, which may be of interest here.
eu-gdpr:A9-2-a: explicit consent with special categories of data
eu-gdpr:A9-2-b: employment and social security and social protection law
eu-gdpr:A9-2-d: legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
eu-gdpr:A9-2-e: data manifestly made public by the data subject
eu-gdpr:A9-2-f: establishment, exercise or defence of legal claims / courts acting in their judicial capacity
eu-gdpr:A9-2-g: substantial public interest, on the basis of Union or Member State law
eu-gdpr:A9-2-h: preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
eu-gdpr:A9-2-j: public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law
3.3 Data Transfer (Art.45-49)
These concepts represent the legal bases from GDPR Articles 45 (adequacy decisions), 46 (data transfer tools), and 49 (consent, contract, etc.). They are defined by extending dpv:DataTransferLegalBasis and can be indicated by using dpv:hasLegalBasis. The Article 45 adequacy decisions between EU and other jurisdictions are provided as concepts for use with DPV in Location and Geo-Political Membership concepts for DPV.
eu-gdpr:A45-3: Personal data can flow freely from the EU to a third country with an Adequacy Decision without any further safeguard being necessary.
eu-gdpr:AdequacyDecision: An adequacy decision as per GDPR Art.45(3) for the transfer of data to a third country or an international organisation
eu-gdpr:A46-2-a: A legally binding and enforceable instrument between public authorities or bodies
eu-gdpr:A46-2-c: Standard data protection clauses adopted by the Commission
eu-gdpr:A46-2-d: Standard data protection clauses adopted by a Supervisory Authority
eu-gdpr:A46-2-e: An approved code of conduct pursuant to GDPR Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights
eu-gdpr:A46-2-f: An approved certification mechanism pursuant to GDPR Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights
eu-gdpr:A46-3-a: Contractual clauses with controller, processor or recipient of the personal data in the third country or the international organisation.
eu-gdpr:A46-3-b: Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights
eu-gdpr:A49-1-a: The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
eu-gdpr:A49-1-b: The transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject's request.
eu-gdpr:A49-1-c: The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject and controller and another natural or legal person.
eu-gdpr:A49-1-d: The transfer is necessary for important reasons of public interest.
eu-gdpr:A49-1-e: The transfer is necessary for the establishment, exercise or defence of legal claims.
eu-gdpr:A49-1-f: The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the person is physically or legally incapable of giving consent.
eu-gdpr:A49-1-g: The transfer is made from a register which according to Union or Member State law is intended to provide information to the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
eu-gdpr:A49-2: The transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
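The three groups of legal bases above translate directly into a compliance check. The following is an added example and not code from the DPV specification or the DPVCG: it models DPV triples as plain (subject, predicate, object) tuples of CURIE strings and checks each process for an Art.6 basis, an Art.9 basis where special category data is involved, and an Art.45-49 basis where a dpv:Transfer leaves the EU. The concept sets are copied from Sections 3.1-3.3; the special-category flags (standing in for the DPV PD extension) and the non-EU location set (standing in for the LOC extension) are constructed assumptions, as is the sample graph.

```python
"""Added example (not part of the DPV spec or the DPVCG's code): check that
processes described with DPV / EU-GDPR triples carry the legal bases that
Section 3 says GDPR requires. Triples are plain (subject, predicate, object)
tuples of CURIE strings, so this runs with the standard library only."""

# Concept sets copied from Sections 3.1-3.3 of this extension.
CORE_LEGAL_BASES = {
    "eu-gdpr:A6-1-a", "eu-gdpr:A6-1-a-explicit-consent",
    "eu-gdpr:A6-1-a-non-explicit-consent", "eu-gdpr:A6-1-b",
    "eu-gdpr:A6-1-b-contract-performance", "eu-gdpr:A6-1-b-enter-into-contract",
    "eu-gdpr:A6-1-c", "eu-gdpr:A6-1-d", "eu-gdpr:A6-1-d-data-subject",
    "eu-gdpr:A6-1-d-natural-person", "eu-gdpr:A6-1-e",
    "eu-gdpr:A6-1-e-official-authority", "eu-gdpr:A6-1-e-public-interest",
    "eu-gdpr:A6-1-f", "eu-gdpr:A6-1-f-controller", "eu-gdpr:A6-1-f-third-party",
}
SPECIAL_CATEGORY_LEGAL_BASES = {
    "eu-gdpr:A9-2-a", "eu-gdpr:A9-2-b", "eu-gdpr:A9-2-d", "eu-gdpr:A9-2-e",
    "eu-gdpr:A9-2-f", "eu-gdpr:A9-2-g", "eu-gdpr:A9-2-h", "eu-gdpr:A9-2-j",
}
DATA_TRANSFER_LEGAL_BASES = {
    "eu-gdpr:A45-3", "eu-gdpr:A46-2-a", "eu-gdpr:A46-2-c", "eu-gdpr:A46-2-d",
    "eu-gdpr:A46-2-e", "eu-gdpr:A46-2-f", "eu-gdpr:A46-3-a", "eu-gdpr:A46-3-b",
    "eu-gdpr:A49-1-a", "eu-gdpr:A49-1-b", "eu-gdpr:A49-1-c", "eu-gdpr:A49-1-d",
    "eu-gdpr:A49-1-e", "eu-gdpr:A49-1-f", "eu-gdpr:A49-1-g", "eu-gdpr:A49-2",
}

# CONSTRUCTED stand-ins (assumptions): the DPV PD extension marks which
# categories are special category data and the LOC extension marks EU
# membership of locations; neither is reproduced here.
SPECIAL_CATEGORY_DATA = {"pd:HealthRecord", "pd:EthnicOrigin"}
NON_EU_LOCATIONS = {"loc:US", "loc:IN"}


def objects(triples, subject, predicate):
    """All objects o with (subject, predicate, o) in the triple list."""
    return {o for s, p, o in triples if s == subject and p == predicate}


def check_legal_bases(triples, process):
    """Return findings for one dpv:Process (an empty list means it passes).

    Rules from Section 3: every processing needs an Art.6 basis; special
    category data additionally needs an Art.9 basis; a dpv:Transfer to a
    location outside the EU needs an Art.45-49 transfer basis.
    """
    findings = []
    bases = objects(triples, process, "dpv:hasLegalBasis")
    unknown = bases - CORE_LEGAL_BASES - SPECIAL_CATEGORY_LEGAL_BASES - DATA_TRANSFER_LEGAL_BASES
    if unknown:
        findings.append("legal basis not from EU-GDPR: " + ", ".join(sorted(unknown)))
    if not bases & CORE_LEGAL_BASES:
        findings.append("no Art.6 legal basis (eu-gdpr:A6-1-*)")
    if objects(triples, process, "dpv:hasPersonalData") & SPECIAL_CATEGORY_DATA \
            and not bases & SPECIAL_CATEGORY_LEGAL_BASES:
        findings.append("special category data without an Art.9 legal basis")
    leaves_eu = "dpv:Transfer" in objects(triples, process, "dpv:hasProcessing") \
        and objects(triples, process, "dpv:hasLocation") & NON_EU_LOCATIONS
    if leaves_eu and not bases & DATA_TRANSFER_LEGAL_BASES:
        findings.append("transfer outside the EU without an Art.45-49 legal basis")
    return findings


# Constructed sample graph: three processes of a hypothetical controller.
SAMPLE = [
    ("ex:Newsletter", "dpv:hasLegalBasis", "eu-gdpr:A6-1-a"),
    ("ex:Newsletter", "dpv:hasPersonalData", "pd:EmailAddress"),
    ("ex:Newsletter", "dpv:hasProcessing", "dpv:Use"),
    ("ex:TrialEnrolment", "dpv:hasLegalBasis", "eu-gdpr:A6-1-a-explicit-consent"),
    ("ex:TrialEnrolment", "dpv:hasPersonalData", "pd:HealthRecord"),
    ("ex:TrialEnrolment", "dpv:hasProcessing", "dpv:Collect"),
    ("ex:CloudBackup", "dpv:hasLegalBasis", "eu-gdpr:A6-1-b-contract-performance"),
    ("ex:CloudBackup", "dpv:hasPersonalData", "pd:EmailAddress"),
    ("ex:CloudBackup", "dpv:hasProcessing", "dpv:Transfer"),
    ("ex:CloudBackup", "dpv:hasLocation", "loc:US"),
]


def report(triples=SAMPLE):
    """Map each process in the graph to its findings."""
    processes = sorted({s for s, _, _ in triples})
    return {p: check_legal_bases(triples, p) for p in processes}


if __name__ == "__main__":
    for process, findings in report().items():
        print(process, "->", findings or ["ok"])
```

Because the narrower concepts (eu-gdpr:A6-1-a-explicit-consent and so on) are members of the same sets as their parents, a process that uses the more specific basis passes the Art.6 check without any hierarchy lookup; the special-category and transfer rules only fire when the corresponding data or processing is declared on the process, which is why the two failing processes above each get exactly one finding.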
4. Principles
Principles, as defined in GDPR Article 5, are represented as concepts by extending the concept dpv:Principle, which is a type of organisational measure in [DPV]. How these principles are used or applied or evaluated is not defined in this extension. These concepts can be used as part of compliance assessments, for example with dpv:ComplianceStatus or dpv:Lawfulness, to indicate whether the principle has been fulfilled or violated.
Note: Extending GDPR Principles information in DPV
eu-gdpr:AccountabilityPrinciple: Principle stating the controller shall be responsible for, and be able to demonstrate compliance with the other principles (from Art.5-1)
eu-gdpr:AccuracyPrinciple: Principle stating personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
eu-gdpr:DataMinimisationPrinciple: Principle stating personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
eu-gdpr:FairnessPrinciple: Principle stating personal data must be processed fairly in relation to the data subject
eu-gdpr:IntegrityConfidentialityPrinciple: Principle stating personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
eu-gdpr:LawfulnessPrinciple: Principle stating personal data must be processed in a lawful manner in relation to the data subject
eu-gdpr:PurposeLimitationPrinciple: Principle stating personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
eu-gdpr:StorageLimitationPrinciple: Principle stating personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject
eu-gdpr:TransparencyPrinciple: Principle stating personal data must be processed in a transparent manner in relation to the data subject
5. Data Subject Rights
GDPR provides several rights to the data subject, whose applicability depends on the context and nature of processing taking place. DPV lists these rights at an abstract level as concepts along with their origin in specific clauses of the GDPR.
In addition to DPV's concepts regarding exercise of rights, EU-GDPR provides additional concepts specific to the implementation of its rights. For example, SARNotice refers to the information provided in fulfilment of A15 Right of Access, or using dcat:Resource to represent the dataset provided in fulfilment of A20 Right to Data Portability.
Note: Forthcoming guidance on implementation of rights
eu-gdpr:A13: information to be provided where personal data is directly collected from data subject
eu-gdpr:A14: information to be provided where personal data is collected from other sources
eu-gdpr:A77: Right to lodge a complaint with a supervisory authority
eu-gdpr:DirectDataCollectionNotice: A Notice provided in fulfilment of GDPR's Art.13 regarding information to be provided where personal data are collected from the data subject
eu-gdpr:IndirectDataCollectionNotice: A Notice provided in fulfilment of GDPR's Art.14 regarding information to be provided where personal data are not collected from the data subject
eu-gdpr:RightsRecipientsNotice: A Notice provided in fulfilment of GDPR's Art.19 regarding Recipients to whom a rights exercise has been communicated, such as regarding rectification (A.16) or erasure of personal data (A.17) or restriction of processing (A.18)
eu-gdpr:SARNotice: A Notice provided in fulfilment of GDPR's Art.15 regarding information to be provided for Right of Access or Subject Access Request (SAR)
6. Mapping: Legal Basis × Rights
To support the effective implementation of GDPR, the [EU-GDPR] extension provides a mapping between legal bases and data subject rights to indicate which right should be provided based on the selected legal basis. This information is represented in machine-readable form within the [EU-GDPR] extension by using the relation dpv:hasRight between instances of GDPR legal basis and rights.
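The mapping is consumed by following dpv:hasRight from the legal basis a process declares. The block below is an added example, not the extension's own mapping or code: the dpv:hasRight triples are constructed for illustration (the extension ships its own machine-readable mapping, which is not reproduced here), and the skos:broader links from the narrower A6-1-* concepts to their parents are assumed so that, for example, eu-gdpr:A6-1-a-explicit-consent inherits the rights attached to eu-gdpr:A6-1-a. The process ex:AccountSignup is likewise constructed.

```python
"""Added example (not the extension's own data or code): resolve which data
subject rights apply to a process from the legal bases it declares, by
following dpv:hasRight from legal basis instances as Section 6 describes.
MAPPING is CONSTRUCTED for illustration, and the skos:broader links between
the narrower eu-gdpr:A6-1-* concepts and their parents are assumed."""

# Constructed illustrative legal basis -> rights mapping (assumption).
MAPPING = [
    ("eu-gdpr:A6-1-a", "dpv:hasRight", "eu-gdpr:A15"),
    ("eu-gdpr:A6-1-a", "dpv:hasRight", "eu-gdpr:A20"),
    ("eu-gdpr:A6-1-a", "dpv:hasRight", "eu-gdpr:A77"),
    ("eu-gdpr:A6-1-b", "dpv:hasRight", "eu-gdpr:A15"),
    ("eu-gdpr:A6-1-b", "dpv:hasRight", "eu-gdpr:A20"),
    ("eu-gdpr:A6-1-b", "dpv:hasRight", "eu-gdpr:A77"),
    ("eu-gdpr:A6-1-f", "dpv:hasRight", "eu-gdpr:A15"),
    ("eu-gdpr:A6-1-f", "dpv:hasRight", "eu-gdpr:A77"),
    # Assumed hierarchy between the narrower concepts and their parents.
    ("eu-gdpr:A6-1-a-explicit-consent", "skos:broader", "eu-gdpr:A6-1-a"),
    ("eu-gdpr:A6-1-a-non-explicit-consent", "skos:broader", "eu-gdpr:A6-1-a"),
    ("eu-gdpr:A6-1-b-contract-performance", "skos:broader", "eu-gdpr:A6-1-b"),
    ("eu-gdpr:A6-1-b-enter-into-contract", "skos:broader", "eu-gdpr:A6-1-b"),
    ("eu-gdpr:A6-1-f-controller", "skos:broader", "eu-gdpr:A6-1-f"),
    ("eu-gdpr:A6-1-f-third-party", "skos:broader", "eu-gdpr:A6-1-f"),
]


def rights_for(triples, legal_basis):
    """Rights reachable from a legal basis via dpv:hasRight, walking up
    skos:broader so a narrower basis inherits its parent's rights."""
    rights, seen, stack = set(), set(), [legal_basis]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for s, p, o in triples:
            if s != node:
                continue
            if p == "dpv:hasRight":
                rights.add(o)
            elif p == "skos:broader":
                stack.append(o)
    return rights


def required_rights(triples, process):
    """Union of rights over every legal basis the process declares."""
    bases = {o for s, p, o in triples if s == process and p == "dpv:hasLegalBasis"}
    return set().union(*(rights_for(triples, b) for b in bases))


def missing_rights(triples, process):
    """Rights the legal bases imply but the process does not itself declare
    (dpv:hasRight on the process records which rights it provides)."""
    provided = {o for s, p, o in triples if s == process and p == "dpv:hasRight"}
    return required_rights(triples, process) - provided


# Constructed sample process: a contract-based signup that documents only
# the right of access (A15) and the right to lodge a complaint (A77).
SAMPLE = MAPPING + [
    ("ex:AccountSignup", "dpv:hasLegalBasis", "eu-gdpr:A6-1-b-enter-into-contract"),
    ("ex:AccountSignup", "dpv:hasRight", "eu-gdpr:A15"),
    ("ex:AccountSignup", "dpv:hasRight", "eu-gdpr:A77"),
]

if __name__ == "__main__":
    print("required:", sorted(required_rights(SAMPLE, "ex:AccountSignup")))
    print("missing:", sorted(missing_rights(SAMPLE, "ex:AccountSignup")))
```

The walk over skos:broader is what makes the mapping usable with the refined concepts from Section 3.1: the extension's mapping need only be attached once, at the parent legal basis, and a process that declares the narrower basis still resolves to the same rights.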
7. Data Transfer Tools
GDPR regulates data transfers outside the EU/EEA based on the jurisdictions the transfer occurs within and the guarantees available regarding the protection of personal data and fundamental rights. To indicate that a data transfer is compatible with and adherent to these requirements, the European Commission provides various 'data transfer tools' based on the legal bases provided within the GDPR. EU-GDPR models these as follows.
Note: Providing implementations of Data Transfer Tools
The EU-GDPR's concepts for transfer tools are currently symbolic, and do not provide a way to actually implement those tools, for example to represent the information contained within an SCC or BCR. The DPVCG is interested in providing such implementations, and welcomes discussions and contributions for the same.
eu-gdpr:DataTransferTool: A legal instrument or tool intended to assist or justify data transfers
eu-gdpr:AdHocContractualClauses: Contractual Clauses not drafted by the EU Commission, e.g. by the Controller
eu-gdpr:BindingCorporateRules: Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises.
eu-gdpr:CertificationMechanismsForDataTransfers: Certification and its binding or specified mechanisms intended to provide sufficient safeguards for data transfers
eu-gdpr:CodesOfConductForDataTransfers: Codes of Conduct that outline sufficient safeguards for carrying out data transfers
eu-gdpr:StandardContractualClauses: Standard Contractual Clauses (SCCs) are pre-approved clauses by the EU for ensuring appropriate data protection safeguards intended for data transfers from the EU to third countries
eu-gdpr:SCCByCommission: Standard contractual clauses adopted by the Commission in accordance with the examination procedure referred to in GDPR Article 93(2)
eu-gdpr:SCCBySupervisoryAuthority: Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in GDPR Article 93(2)
eu-gdpr:SupplementaryMeasure: Supplementary measures are intended to additionally provide safeguards or guarantees to bring the resulting protection in line with EU requirements
8. DPIA
[GDPR] Article 35 specifies the conditions and requirements associated with Data Protection Impact Assessments. EU-GDPR expands on the DPIA concept defined as an Organisational Measure within DPV by considering a DPIA as consisting of the following iterative process, and providing statuses for documenting their progression and outputs:
Identifying activities for which a DPIA is to be undertaken (represented using DPV and EU-GDPR)
Checking whether a DPIA is needed as per GDPR Art.35 and other jurisdictional requirements: the activity is DPIANecessityAssessment and its output is denoted using DPIANecessityStatus
Conducting the DPIA to identify risks and impacts: the activity is DPIAProcedure and its output is denoted using DPIARiskStatus
Determining the outcome based on risk mitigation: the activity is DPIAOutcome and its output is denoted using DPIAOutcomeStatus
Determining whether processing should be permitted to continue or be carried out, with the outcome being denoted using DPIAProcessingRecommendation
Assessing whether processing is carried out in conformance with the DPIA, with the outcome being denoted using DPIAConformity
In addition to DPV's concepts for representing information about processing of personal data, EU-GDPR also recommends using DCMI Metadata Terms (DCT) concepts to represent relevant metadata, such as dates, identifiers, validity, etc.
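The steps above form an ordered record, and the ordering is worth enforcing: a risk status only makes sense once the DPIA was found necessary, and an outcome only once the risk procedure has run. The following is an added example and not the DPVCG's code. It keeps a small DPIA record, validates each status against the concepts listed in this section, and serialises the result as Turtle with the DCT metadata the text recommends. Two things are this example's assumptions: the rule deriving the DPIAProcessingRecommendation from the DPIAOutcomeStatus (mitigated or acceptable risks recommend continuing, high residual risk recommends not continuing, a required DPA consultation yields no recommendation yet), and the necessity step is kept as a boolean because the DPIANecessityStatus values are not listed here. The identifiers ex:FacialRecognitionEntry and dpia-2024-007 are constructed.

```python
"""Added example (not the DPVCG's code): a DPIA record that walks the
iterative process of Section 8 in order, validates each status against the
concepts of this extension, and serialises the result as Turtle with DCT
metadata. The outcome -> recommendation rule is ASSUMED (see comments), and
necessity is a boolean because the DPIANecessityStatus values are not
listed in this section."""

from dataclasses import dataclass
from datetime import date
from typing import Optional

RISK_STATUSES = {
    "eu-gdpr:DPIAIndicatesHighRisk",
    "eu-gdpr:DPIAIndicatesLowRisk",
    "eu-gdpr:DPIAIndicatesNoRisk",
}
# ASSUMED derivation rule: which outcome status leads to which recommendation.
# A required DPA consultation yields no recommendation until it has happened.
RECOMMENDATION_FOR_OUTCOME = {
    "eu-gdpr:DPIAOutcomeRisksMitigated": "eu-gdpr:DPIARecommendsProcessingContinue",
    "eu-gdpr:DPIAOutcomeRisksAcceptable": "eu-gdpr:DPIARecommendsProcessingContinue",
    "eu-gdpr:DPIAOutcomeHighResidualRisk": "eu-gdpr:DPIARecommendsProcessingNotContinue",
    "eu-gdpr:DPIAOutcomeDPAConsultation": None,
}


@dataclass
class DPIARecord:
    identifier: str                        # dct:identifier
    process: str                           # the dpv:Process being assessed
    created: date                          # dct:created
    necessary: Optional[bool] = None       # result of DPIANecessityAssessment
    risk_status: Optional[str] = None      # DPIARiskStatus from DPIAProcedure
    outcome_status: Optional[str] = None   # DPIAOutcomeStatus from DPIAOutcome

    def assess_necessity(self, necessary: bool):
        """Step 2: record whether a DPIA is needed (Art.35 and local rules)."""
        self.necessary = necessary

    def record_risk(self, status: str):
        """Step 3: DPIAProcedure output; only valid once a DPIA is required."""
        if self.necessary is not True:
            raise ValueError("risk status recorded before necessity was established")
        if status not in RISK_STATUSES:
            raise ValueError(f"not a DPIARiskStatus: {status}")
        self.risk_status = status

    def record_outcome(self, status: str):
        """Step 4: DPIAOutcome output; only valid after the risk procedure."""
        if self.risk_status is None:
            raise ValueError("outcome recorded before the DPIA procedure ran")
        if status not in RECOMMENDATION_FOR_OUTCOME:
            raise ValueError(f"not a DPIAOutcomeStatus: {status}")
        self.outcome_status = status

    def recommendation(self) -> Optional[str]:
        """Step 5: DPIAProcessingRecommendation derived (assumed rule) from the outcome."""
        if self.outcome_status is None:
            return None
        return RECOMMENDATION_FOR_OUTCOME[self.outcome_status]

    def to_turtle(self) -> str:
        """Serialise as Turtle: dpv:DPIA is the core organisational measure,
        linked from the process with dpv:hasOrganisationalMeasure; statuses
        are attached with dpv:hasStatus."""
        statuses = [s for s in (self.risk_status, self.outcome_status, self.recommendation()) if s]
        lines = [
            f"{self.process} dpv:hasOrganisationalMeasure ex:{self.identifier} .",
            f"ex:{self.identifier} a dpv:DPIA ;",
            f'    dct:identifier "{self.identifier}" ;',
            f'    dct:created "{self.created.isoformat()}"^^xsd:date',
        ]
        if statuses:
            lines[-1] += " ;"
            lines.append("    dpv:hasStatus " + " , ".join(statuses))
        lines[-1] += " ."
        return "\n".join(lines)


def run_example() -> DPIARecord:
    """Walk one constructed DPIA through all steps."""
    rec = DPIARecord("dpia-2024-007", "ex:FacialRecognitionEntry", date(2024, 3, 1))
    rec.assess_necessity(True)
    rec.record_risk("eu-gdpr:DPIAIndicatesHighRisk")
    rec.record_outcome("eu-gdpr:DPIAOutcomeRisksAcceptable")
    return rec


if __name__ == "__main__":
    print(run_example().to_turtle())
```

Keeping the high-risk status alongside the acceptable outcome in the serialised record is deliberate: the risk identified by the procedure and the outcome after mitigation are separate statuses in this extension, and a reviewer reading the Turtle can see both.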
Note: Guidance on documenting DPIAs using DPV and EU-GDPR
eu-gdpr:DPIAOutcome: Process representing determining outcome of a DPIA
eu-gdpr:DPIAOutcomeStatus: Status reflecting the outcomes of a DPIA
eu-gdpr:DPIAOutcomeDPAConsultation: DPIA outcome status indicating a DPA consultation is required
eu-gdpr:DPIAOutcomeHighResidualRisk: DPIA outcome status indicating high residual risk which is not acceptable for continuation
eu-gdpr:DPIAOutcomeRisksAcceptable: DPIA outcome status indicating residual risks remain and are acceptable for continuation
eu-gdpr:DPIAOutcomeRisksMitigated: DPIA outcome status indicating (all) risks have been mitigated
eu-gdpr:DPIAProcedure: Process representing carrying out a DPIA
eu-gdpr:DPIAProcessingRecommendation: Recommendation from the DPIA regarding processing
eu-gdpr:DPIARecommendsProcessingContinue: Recommendation from a DPIA that the processing may continue
eu-gdpr:DPIARecommendsProcessingNotContinue: Recommendation from a DPIA that the processing should not continue
eu-gdpr:DPIARiskStatus: Status reflecting the status of risk associated with a DPIA
eu-gdpr:DPIAIndicatesHighRisk: DPIA identifying high risk levels
eu-gdpr:DPIAIndicatesLowRisk: DPIA identifying low risk levels
eu-gdpr:DPIAIndicatesNoRisk: DPIA identifying no risk is present
9. Data Breach
[GDPR] defines several obligations regarding the handling of data breach incidents, and authoritative guidance establishes the categories of data breach based on how it affects data. To support implementation of these, the [EU-GDPR] extension provides concepts that extend the [DPV] to define GDPR specific requirements.
DataBreach is a specific concept that reflects the GDPR's definition of data breaches, and is separate from a general data breach incident (such as that defined within the [RISK] extension) in terms of its involvement of personal data as well as the use of the GDPR 'processing' definition. Under GDPR, data breaches are categorised based on the CIA information security model as ConfidentialityBreach for disclosures, e.g. accidentally sharing data; IntegrityBreach for alterations, e.g. maliciously overwriting data; and AvailabilityBreach for loss or destruction, e.g. erasing all data on disk. In addition to these, GDPR also requires awareness of when a breach affects multiple jurisdictions, either due to involvement of data subjects from multiple EU countries or because the processing of personal data involves multiple locations spread across the EU. Such breaches are categorised as CrossBorderDataBreach.
Note: Guidance on documenting data breaches
DataBreachNotice represents the communication of information regarding a data breach to another entity, such as reporting it to the authority or sending communications to data subjects. Specific notice concepts are defined to reflect the recipients, for example ControllerBreachNotice is a notice sent to the controller and DataSubjectBreachNotice is a notice sent to the data subject. For reporting data breaches to authorities, there are multiple types of notifications at various stages of investigations - these are represented by DPABreachNotice with additional concepts for initial notice sent within 72 hours, as well as 'phased' notices which are sent as information becomes available.
To represent the status of GDPR obligations regarding data breach notifications, the concept DataBreachNoticeRequirement provides specific outcomes which can be documented. For example, BreachNotificationNotNeeded indicates that notifications are not needed, and DPABreachNotificationNeeded indicates that a notification to the authority is needed.
To support the documentation of data breaches, the concept DataBreachReport represents a report associated with the breach, which can contain information on how the breach was discovered, the duration and coverage of the breach, what measures were taken to handle it, and what notifications were sent as part of the data breach handling processes. Specific concepts are provided to represent different reports required for fulfilling GDPR requirements, for example DataBreachDetectionReport as a report regarding the detection of a data breach and DataBreachPreliminaryReport as a preliminary report (e.g. within 72 hours) when an investigation is underway.
GDPR also requires carrying out an impact assessment to determine the level of risk associated with the data breach, in particular on the processing of personal data and on the rights and freedoms of the data subjects. To represent this, the concept DBIARiskStatus is provided with specific outcomes. For example, DBIAIndicatesHighRisk indicates the data breach has a 'high-risk' status.
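The concepts from the preceding paragraphs fit together as one breach-handling record: classify the breach, run the DBIA, derive the notice requirements, and check the timing of the initial DPA notice. The block below is an added example and not the DPVCG's code. Two points are assumptions of this example rather than statements of this section: the rule mapping a DBIA risk status to notice requirements (no risk: none needed; low risk: the DPA; high risk: the DPA and the data subjects) follows GDPR Art.33 and Art.34, which the section references without spelling out; and the sample breach, its timestamps and identifiers are constructed.

```python
"""Added example (not the DPVCG's code): classify a personal data breach
with the Section 9 concepts, derive DataBreachNoticeRequirement values from
the DBIA risk status, and enforce the 72-hour rule on the initial DPA
notice. ASSUMED: the DBIA status -> requirement rule follows GDPR Art.33
(notify the DPA unless a risk is unlikely) and Art.34 (inform data
subjects where high risk is likely); the sample breach is constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Section 9: breach categories based on the CIA model.
CIA_BREACH_TYPES = {
    "confidentiality": "eu-gdpr:ConfidentialityBreach",
    "integrity": "eu-gdpr:IntegrityBreach",
    "availability": "eu-gdpr:AvailabilityBreach",
}
# ASSUMED rule (GDPR Art.33/34): DBIA risk status -> notice requirements.
REQUIREMENTS_FOR_DBIA = {
    "eu-gdpr:DBIAIndicatesNoRisk": {"eu-gdpr:BreachNotificationNotNeeded"},
    "eu-gdpr:DBIAIndicatesLowRisk": {"eu-gdpr:DPABreachNotificationNeeded"},
    "eu-gdpr:DBIAIndicatesHighRisk": {"eu-gdpr:DPABreachNotificationNeeded",
                                     "eu-gdpr:DataSubjectBreachNotificationNeeded"},
}
DPA_INITIAL_NOTICE_WINDOW = timedelta(hours=72)


@dataclass
class Breach:
    identifier: str
    aware_at: datetime                 # when the controller became aware
    effects: frozenset                 # subset of CIA_BREACH_TYPES keys
    data_subject_states: frozenset     # EU states of the affected data subjects
    processing_states: frozenset       # EU states where the processing takes place
    dbia_status: Optional[str] = None  # eu-gdpr:DBIA* status once assessed

    def classes(self):
        """rdf:type values: eu-gdpr:DataBreach plus the CIA refinements that
        apply (several can) and CrossBorderDataBreach when more than one EU
        state is involved on either side."""
        types = {"eu-gdpr:DataBreach"} | {CIA_BREACH_TYPES[e] for e in self.effects}
        if len(self.data_subject_states) > 1 or len(self.processing_states) > 1:
            types.add("eu-gdpr:CrossBorderDataBreach")
        return types

    def notice_requirements(self):
        """DataBreachNoticeRequirement values derived from the DBIA status."""
        if self.dbia_status not in REQUIREMENTS_FOR_DBIA:
            raise ValueError("run the DBIA before deciding on notifications")
        return REQUIREMENTS_FOR_DBIA[self.dbia_status]

    def initial_dpa_notice(self, sent_at: datetime, justification: Optional[str] = None):
        """Record of an eu-gdpr:DPABreachInitialNotice; after 72 hours the
        concept's definition requires a justification, so refuse without one."""
        late = sent_at - self.aware_at > DPA_INITIAL_NOTICE_WINDOW
        if late and not justification:
            raise ValueError("initial DPA notice after 72 hours needs a justification")
        return {"type": "eu-gdpr:DPABreachInitialNotice", "breach": self.identifier,
                "sent_at": sent_at.isoformat(), "late": late,
                "justification": justification}


def run_example():
    """Constructed breach: a leaked export affecting data subjects in two EU states."""
    aware = datetime(2024, 5, 3, 9, 0, tzinfo=timezone.utc)
    breach = Breach("breach-2024-011", aware, frozenset({"confidentiality"}),
                    frozenset({"loc:IE", "loc:FR"}), frozenset({"loc:IE"}))
    breach.dbia_status = "eu-gdpr:DBIAIndicatesHighRisk"
    return breach, breach.initial_dpa_notice(aware + timedelta(hours=70))


if __name__ == "__main__":
    breach, notice = run_example()
    print(sorted(breach.classes()))
    print(sorted(breach.notice_requirements()))
    print(notice)
```

The 72-hour window is measured from the moment of awareness, not detection, which is why the record keeps aware_at separately from whatever a DataBreachDetectionReport would carry; a DPAPhasedBreachNotice submitted later does not reset that clock.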
eu-gdpr:DataBreach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
eu-gdpr:AvailabilityBreach: A data breach where there is an accidental or unauthorised loss of access to or destruction of personal data
eu-gdpr:ConfidentialityBreach: A data breach where there is an unauthorised or accidental disclosure of or access to personal data
eu-gdpr:CrossBorderDataBreach: A data breach involving cross-border data subjects or processing operations
eu-gdpr:IntegrityBreach: A data breach where there is an unauthorised or accidental alteration of personal data
eu-gdpr:DataBreachNotice: Notice associated with data breach providing information in compliance with GDPR
eu-gdpr:ControllerBreachNotice: Notice regarding a data breach to the Controller
eu-gdpr:DataSubjectBreachNotice: Notice regarding a data breach to the Data Subject
eu-gdpr:DPABreachNotice: Notice regarding a data breach to the DPA
eu-gdpr:DPABreachInitialNotice: Notice sent by a Controller within 72 hours of becoming aware of a personal data breach to the competent DPA, with justifications provided where the notice is made after 72 hours
eu-gdpr:DPABundledBreachNotice: Notice sent by a Controller to the DPA regarding multiple data breaches concerning the same type of personal data
eu-gdpr:DPAPhasedBreachNotice: Notice sent to a DPA in phases, i.e. by providing incremental information as it becomes available or is requested following previously submitted notifications
eu-gdpr:ProcessorBreachNotice: Notice regarding a data breach to the Processor
eu-gdpr:DataBreachNoticeRequirement: Whether a Data Breach notification is required
eu-gdpr:BreachNotificationNotNeeded: Data Breach notifications to DPA or Data Subjects are not required
eu-gdpr:ControllerBreachNotificationNeeded: Data Breach notification to the Controller is required
eu-gdpr:DataSubjectBreachNotificationNeeded: Data Breach notification to the Data Subject is required
eu-gdpr:DPABreachNotificationNeeded: Data Breach notification to the DPA is required
eu-gdpr:ProcessorBreachNotificationNeeded: Data Breach notification to the Processor is required
eu-gdpr:DataBreachRegister: Register of data breaches containing facts relating to the personal data breach, its effects and the remedial action taken
eu-gdpr:DataBreachReport: Documented information about a data breach incident, its handling, assessments, and notifications
eu-gdpr:DataBreachConcludingReport: Documented information about a concluded data breach incident
eu-gdpr:DataBreachDetectionReport: Documented information about a data breach being detected
eu-gdpr:DataBreachOngoingReport: Documented information about an ongoing data breach
eu-gdpr:DataBreachPreliminaryReport: Documented information about preliminary assessment regarding a data breach
eu-gdpr:DBIARiskStatus: Status reflecting the status of risk associated with a DBIA regarding rights and freedoms of natural persons
eu-gdpr:DBIAIndicatesHighRisk: DBIA identifying high risk levels regarding rights and freedoms of natural persons
eu-gdpr:DBIAIndicatesLowRisk: DBIA identifying low risk levels regarding rights and freedoms of natural persons
eu-gdpr:DBIAIndicatesNoRisk: DBIA identifying no risk is present regarding rights and freedoms of natural persons
10. Establishment and Authorities
10.1 Establishment
The concept 'establishment' is defined in the GDPR, and Article 4-16 defines the 'main establishment', which is used to determine which supervisory authority will be the 'lead' authority responsible. An establishment in this context can be a subsidiary, a division or branch, or other forms of corporate structures through which multi-national corporations and organisations operate. To support representation of this, [EU-GDPR] defines the concept Establishment, and extends it as MainEstablishment to indicate which establishment is the 'main' one. To indicate that there is only a single establishment and no other locations are involved, the concept SingleEstablishment is provided.
Establishments are indicated by using the relation hasEstablishment. Main establishment is associated by using the relation isMainEstablishmentFor, or the main establishment can be indicated using hasMainEstablishment. To represent organisation structures such as subsidiaries, the relation dpv:hasSubsidiary and dpv:isSubsidiaryOf can be reused.
eu-gdpr:Establishment: Establishment is a Legal Entity which implies the effective and real exercise of activities through stable arrangements (with a presumed parent or primary establishment)
eu-gdpr:MainEstablishment: A Main Establishment is the place of central administration in the Union unless the decisions on the purposes and means of the processing of personal data are taken in another establishment in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment
eu-gdpr:SingleEstablishment: A legal entity that is established in only one Member State
10.2 Authorities
GDPR has a cross-border procedure for handling compliance and investigations, as the authorities are defined at a national level (in addition to supra-national and sub-national authorities). As part of this, an investigation involving multiple authorities requires establishing which authority is the 'lead', with the others categorised as 'concerned' authorities. The 'lead' authority may be different from the 'local' authority, which is determined by where the organisation is established or has its main establishment. To represent these cases, [EU-GDPR] defines the LeadSupervisoryAuthority, ConcernedSupervisoryAuthority, and LocalSupervisoryAuthority concepts. To associate them, the relations hasLeadSA, hasConcernedSA, and hasLocalSA are provided.
eu-gdpr:DataProtectionAuthority: A Supervisory Authority responsible for the enforcement of the GDPR
eu-gdpr:ConcernedSupervisoryAuthority: Authority other than the lead supervisory authority that is involved in dealing with a cross-border data processing activity
eu-gdpr:LeadSupervisoryAuthority: Authority with the primary responsibility for dealing with a cross-border data processing activity
eu-gdpr:LocalSupervisoryAuthority: Authority associated with the main or local establishment of an organisation
11. Compliance
The concepts in this section reflect the status of processing operations being in compliance with GDPR, by extending the ComplianceStatus from DPV for GDPR. They do not define the requirements for compliance itself. To indicate the status, the relation dpv:hasLawfulness can be used.
eu-gdpr:GDPRLawfulness: Status or state associated with being lawful or legally compliant regarding GDPR
eu-gdpr:GDPRComplianceUnknown: State where lawfulness or compliance with GDPR is unknown
eu-gdpr:GDPRCompliant: State of being lawful or legally compliant for GDPR
eu-gdpr:GDPRNonCompliant: State of being unlawful or legally non-compliant for GDPR
A legally binding and enforceable instrument between public authorities or bodies
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
Standard data protection clauses adopted by the Commission
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
Standard data protection clauses adopted by a Supervisory Authority
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
An approved code of conduct pursuant to GDPR Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
An approved certification mechanism pursuant to GDPR Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
Contractual clauses with the controller, processor or recipient of the personal data in the third country or the international organisation.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards exist. Transfer requires specific authorisation from a Supervisory Authority.
Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards exist. Transfer requires specific authorisation from a Supervisory Authority.
The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the person is physically or legally incapable of giving consent.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is made from a register which according to Union or Member State law is intended to provide information to the public in general or to any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist and no other options apply.
Legal basis based on the data subject's explicit consent to the processing of his or her personal data for one or more specific purposes
Usage Note: Valid consent in this case must meet the requirement of being 'explicit' in addition to the requirements defined in Article 4(11). This is also discussed in the Article 29 Working Party document "Guidelines on Consent under Regulation 2016/679 (wp259rev.01)".
Legal basis based on the data subject's non-explicit express consent to the processing of his or her personal data for one or more specific purposes
Usage Note: Definition of consent: a data subject's unambiguous/clear affirmative action that signifies an agreement to process their personal data (Rigo Wenning). What is referred to as 'non-explicit consent' here is also termed 'regular' consent in the Article 29 Working Party document "Guidelines on Consent under Regulation 2016/679 (wp259rev.01)". This is the legal basis that requires consent but not at the level of being 'explicit'.
Legal basis based on performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Legal basis based on the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Legal basis based on the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Legal basis based on the purposes of the legitimate interests pursued by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects
Preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
Principle stating personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises.
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Usage Note: GDPR's notion of data breach includes any incident that affects the confidentiality, integrity, or availability of personal data and its processing, without distinguishing between internal or external actors involved in the incident
Principle stating personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Notice sent by a Controller within 72 hours of becoming aware of a personal data breach to the competent DPA, with justifications provided where the notice is made after 72 hours
Notice sent to a DPA in phases i.e. by providing incremental information as it becomes available or is requested following previously submitted notifications
Principle stating personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Principle stating personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
A Notice provided in fulfilment of GDPR's Art.19 regarding Recipients to whom a rights exercise has been communicated, such as regarding rectification (A.16) or erasure of personal data (A.17) or restriction of processing (A.18)
Date Created: 2022-11-09
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in GDPR Article 93(2)
Standard Contractual Clauses (SCCs) are pre-approved clauses by the EU for ensuring appropriate data protection safeguards intended for data transfers from the EU to third countries
Principle stating personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject
A dataset or catalogue or any other resource provided in fulfilment of a Right Exercise, such as for GDPR's Art.15 regarding Right of Access or Art.20 regarding Right to Data Portability. The associated properties from the DCAT and DCMI DCT vocabularies provide convenient means to express metadata such as the URL for accessing the data, its temporal validity and access restrictions, and the specific datasets present along with their schemas.
Usage Note: A dataset, data service, or any other resource associated with a Right Exercise, such as for providing a copy of data
Date Created: 2022-11-02
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
For expressing an existing standard, guideline, or set of requirements to which the DPIA document or process conforms. This could be external guidelines published by an Authority, or internal guidelines established by the organisation
For expressing the coverage (e.g. jurisdictions, products, services) of the DPIA document or process. For temporal coverage, please see dct:temporal. The coverage can be expressed using dpv:Process, or using another concept, or even as a link or reference to a document, or as a textual description
Indicates an identifier associated with the DPIA documentation or process. Identifiers may be reused from existing systems, or created for the purposes of record management
For expressing the subject of the DPIA document or process, where subject refers to the point of focus. For expressing what is affected by or included within the DPIA, please see dct:coverage
Also used for specifying the temporal validity of an activity associated with a Right Exercise. For example, limits on the duration for providing or accessing provided information
Usage Note: For expressing the temporal date or range of validity of the DPIA document or process. This refers to the time period for which the DPIA is considered valid, and does not refer to the temporal period associated with processing (see dct:temporal instead). The assumption is that after this period, the DPIA should be re-evaluated or some process should be triggered
Also used to indicate the status of a Right Exercise Activity
Usage Note: For expressing the status of the DPIA document or process. Here different statuses are used to convey different contextual meanings. For example, dpv:ActivityStatus expresses the state of the activity in terms of whether it is ongoing or completed, and dpv:AuditStatus expresses the state of the audit process in terms of being required, approved, or rejected. These are applied over each step of the DPIA, i.e. DPIANecessityAssessment, DPIAProcedure, and DPIAOutcome. Similarly, a process also uses hasStatus with DPIAConformity to indicate adherence to the results of the DPIA process.
The following people have contributed to this vocabulary. The names are ordered alphabetically. The affiliations are informative and do not represent formal endorsements. Affiliations may be outdated. The list is generated automatically from the contributors listed for defined concepts.
Beatriz Esteves (IDLab, IMEC, Ghent University)
Bud Bruegger (Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein)
David Hickey (Dublin City University)
Eva Schlehahn (Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein)
Georg P. Krog (Signatu AS)
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University)
Paul Ryan (Uniphar PLC)
Rigo Wenning (W3C/ERCIM)
Funding Acknowledgements
Funding Sponsors
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
Funding Acknowledgements for Contributors
The contributions of Axel Polleres, Javier Fernandez, Piero Bonatti, and Luigi Sauro to the DPVCG have been funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement N. 731601 (project SPECIAL) until 2019, and that for Piero Bonatti and Luigi Sauro were under grant agreement N. 883464 (project TRAPEZE) from 2020 until 2023.
The contributions of Beatriz Esteves have received funding through the PROTECT ITN Project from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813497.
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.