The [EU-GDPR] extension provides concepts extending the [DPV] to represent information requirements from the [GDPR]. It enables the use of DPV to represent use-cases that are regulated by the GDPR, such as using specific legal bases defined in the GDPR, or to represent the applicability of rights, or requirements for conducting data protection impact assessments. It also enables representing practicalities such as organisations and their 'establishments' in the EU, data breach reporting and impact assessments, and data transfer tools. In particular, the [EU-GDPR] extension provides the following:

• Legal Bases for processing personal data as defined in Articles 6 and 9 (special categories of personal data) and 45-49 (data transfer)
• Principles as defined in Article 5
• Data Subject Rights as defined in Articles 7, 12-22, and 77-79, as well as notices required to be provided
• Mapping between Rights and Legal Bases which indicates which right must be provided for each legal basis
• Justifications associated with exercising, delaying, and non-fulfilment of Rights
• Data Transfer Tools as defined by EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
• Data Protection Impact Assessment (DPIA) information as defined in Article 35, such as necessity to conduct a DPIA, indicating the findings of DPIA in terms of risk levels and impacts, and the outcomes of DPIAs regarding continuation of processing
• Data Breach information such as types of breaches, notices, reporting requirements, and risk levels
• Establishment & Authorities to indicate aspects such as 'main' establishment of an organisation, and to indicate role of DPAs as 'lead' supervisory authority
• Compliance to express whether the specific process or context is compliant with the GDPR

This draft mapping table shows how the DPV and EU-GDPR extension represents specific concepts within the GDPR.

GDPR Article 6 specifies that it is mandatory for every processing to have one (or more) legal basis that justifies its compliance. These are represented as Core Legal Basis concepts by extending relevant dpv:LegalBasis concepts, such as for consent or contract. Similarly, Article 9 legal basis are represented as Special Category Legal Basis, and those from Articles 45, 46, and 49 are represented as instances of dpv:DataTransferLegalBasis to create Data Transfer Legal Basis.

3.1 Core (Art.6)

These concepts represent the Article 6-1 legal bases from GDPR. They are defined by extending dpv:LegalBasis and can be indicated by using dpv:hasLegalBasis.

expand allcollapse all

• eu-gdpr:A6-1-b: Legal basis based on performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract go to full definition
  • eu-gdpr:A6-1-b-contract-performance: Legal basis based on performance of a contract to which the data subject is party go to full definition
  • eu-gdpr:A6-1-b-enter-into-contract: Legal basis based on taking steps at the request of the data subject prior to entering into a contract go to full definition
• eu-gdpr:A6-1-c: Legal basis based on compliance with a legal obligation to which the controller is subject go to full definition
• eu-gdpr:A6-1-d: Legal basis based on protecting the vital interests of the data subject or of another natural person go to full definition
  • eu-gdpr:A6-1-d-data-subject: Legal basis based on protecting the vital interests of the data subject go to full definition
  • eu-gdpr:A6-1-d-natural-person: Legal basis based on protecting the vital interests of another natural person that is not the data subject go to full definition
• eu-gdpr:A6-1-e: Legal basis based on performance of a task carried out in the public interest or in the exercise of official authority vested in the controller go to full definition
  • eu-gdpr:A6-1-e-official-authority: Legal basis based on the exercise of official authority vested in the controller go to full definition
  • eu-gdpr:A6-1-e-public-interest: Legal basis based on performance of a task carried out in the public interest go to full definition
• eu-gdpr:A6-1-f: Legal basis based on the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child go to full definition
  • eu-gdpr:A6-1-f-controller: Legal basis based on the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child go to full definition
  • eu-gdpr:A6-1-f-third-party: Legal basis based on the purposes of the legitimate interests pursued by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child go to full definition
• eu-gdpr:Consent: Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her go to full definition
  • eu-gdpr:A6-1-a: Legal basis based on data subject's given consent to the processing of his or her personal data for one or more specific purposes go to full definition
    • eu-gdpr:A6-1-a-explicit-consent: Legal basis based on data subject's given explicit consent to the processing of his or her personal data for one or more specific purposes go to full definition
    • eu-gdpr:A6-1-a-non-explicit-consent: Legal basis based on data subject's given non-explicit express consent to the processing of his or her personal data for one or more specific purposes go to full definition
  • eu-gdpr:A6-1-a-explicit-consent: Legal basis based on data subject's given explicit consent to the processing of his or her personal data for one or more specific purposes go to full definition
  • eu-gdpr:A6-1-a-non-explicit-consent: Legal basis based on data subject's given non-explicit express consent to the processing of his or her personal data for one or more specific purposes go to full definition

3.2 Special Category (Art.9)

These concepts represent the Article 9-2 legal bases from GDPR regarding processing of special category personal data as defined in Article 9-1. They are defined by extending dpv:LegalBasis and can be indicated by using dpv:hasLegalBasis. The Personal Data categories for DPV extension provides an indication of whether its concepts belong to the special categories as defined in GDPR, which may be of interest here.

• eu-gdpr:A9-2-a: explicit consent with special categories of data go to full definition
• eu-gdpr:A9-2-b: employment and social security and social protection law go to full definition
• eu-gdpr:A9-2-c: protection of the vital interests go to full definition
• eu-gdpr:A9-2-d: legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; go to full definition
• eu-gdpr:A9-2-e: data manifestly made public by the data subject go to full definition
• eu-gdpr:A9-2-f: establishment, exercise or defence of legal claims / courts acting in their judicial capacity go to full definition
• eu-gdpr:A9-2-g: substantial public interest, on the basis of Union or Member State law go to full definition
• eu-gdpr:A9-2-h: preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 go to full definition
• eu-gdpr:A9-2-i: public interest in public health go to full definition
• eu-gdpr:A9-2-j: public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law go to full definition

3.3 Data Transfer (Art.45-49)

These concepts represent the legal bases from GDPR Articles 45 (adequacy decisions), 46 (data transfer tools), and 49 (consent, contract, etc.). They are defined by extending dpv:DataTransferLegalBasis and can be indicated by using dpv:hasLegalBasis. The Article 45 adequacy decisions between EU and other jurisdictions are provided as concepts for use with DPV in Location and Geo-Political Membership concepts for DPV.

• eu-gdpr:A45-3: Personal data can flow freely from the EU to a third country with an Adequacy Decision without any further safeguard being necessary. go to full definition
  • eu-gdpr:AdequacyDecision: An adequacy decision as per GDPR Art.45(3) for the transfer of data to a third country or an international organisation go to full definition
• eu-gdpr:A46-2-a: A legally binding and enforceable instrument between public authorities or bodies go to full definition
• eu-gdpr:A46-2-b: ‘Binding Corporate Rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity go to full definition
• eu-gdpr:A46-2-c: Standard data protection clauses adopted by the Commission go to full definition
• eu-gdpr:A46-2-d: Standard data protection clauses adopted by a Supervisory Authority go to full definition
• eu-gdpr:A46-2-e: An approved code of conduct pursuant to GDPR Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals´ rights go to full definition
• eu-gdpr:A46-2-f: An approved certification mechanism pursuant to GDPR Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals` rights go to full definition
• eu-gdpr:A46-3-a: Contractual clauses with controller, processor or recipient of the personal data in the third country or the international organisation. go to full definition
• eu-gdpr:A46-3-b: Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights go to full definition
• eu-gdpr:A49-1-a: The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. go to full definition
• eu-gdpr:A49-1-b: The transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject´s request. go to full definition
• eu-gdpr:A49-1-c: The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject and controller and another natural or legal person. go to full definition
• eu-gdpr:A49-1-d: The transfer is necessary for important reasons of public interest. go to full definition
• eu-gdpr:A49-1-e: The transfer is necessary for the establishment, exercise or defence of legal claims. go to full definition
• eu-gdpr:A49-1-f: The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the person is physically or legally incapable of giving consent. go to full definition
• eu-gdpr:A49-1-g: The transfer is made from a register which according to Union or Member State law is intended to provide information to the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. go to full definition
• eu-gdpr:A49-2: The transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by controller which are not overridden by the interests or rights and freedoms of the data subject, and controller has assessed all the circumstances surrounding the data transfer and have on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. go to full definition

Principles, as defined in GDPR Article 5, are represented as concepts by extending the concept dpv:Principle, which is a type of organisational measure in [DPV]. How these principles are used or applied or evaluated is not defined in this extension. These concepts can be used as part of compliance assessments, for example with dpv:ComplianceStatus or dpv:Lawfulness, to indicate whether the principle has been fulfilled or violated.

GDPR regulates data transfers outside the EU/EEA based on jurisdictions the transfer is occurring within and the guarantees available regarding the protection of personal data and fundamental rights. To indicate the sufficiency of a data transfer being compatible and adherent to these requirements, the European Commission provides various 'data transfer tools' based on the legal bases provided within the GDPR. EU-GDPR models these as follows.

[GDPR] Article 35 specifies the conditions and requirements associated with Data Protection Impact Assessments. EU-GDPR expands on the DPIA concept defined as an Organisational Measure within DPV by considering a DPIA as consisting of the following iterative process, and providing statuses for documenting their progression and outputs:

1. Identifying activities for which a DPIA is to be undertaken (represented using DPV and EU-GDPR)
2. Checking whether a DPIA is needed as per GDPR Art.35 and other jurisdictional requirements: the activity is DPIANecessityAssessment and its output is denoted using DPIANecessityStatus
3. Conducting the DPIA to identify risks and impacts: the activity is DPIAProcedure and its output is denoted using DPIARiskStatus
4. Determining the outcome based on risk mitigation: the activity is DPIAOutcome and its output is denoted using DPIAOutcomeStatus
5. Determining whether processing should be permitted to continue or be carried out, with the outcome being denote using DPIAProcessingRecommendation
6. Assessing whether processing is carried out in conformance with the DPIA, with the outcome being denoted using DPIAConformity

In addition to DPV's concepts for representing information about processing of personal data, EU-GDPR also recommends using DCMI Metadata Terms (DCT) concepts to represent relevant metadata, such as dates, identifiers, validity, etc.

[GDPR] defines several obligations regarding the handling of data breach incidents, and authoritative guidance establishes the categories of data breach based on how it affects data. To support implementation of these, the [EU-GDPR] extension provides concepts that extend the [DPV] to define GDPR specific requirements.

DataBreach is a specific concept that reflects the GDPR's definition of data breaches, and is separate from a general data breach incident (such as that defined within the [RISK] extension) in terms of its involvement of personal data as well the use of GDPR 'processing' definition. Under GDPR, data breaches are categorised based on the CIA information security model as ConfidentialityBreach for disclosures e.g. accidentally sharing data, IntegrityBreach for alterations e.g. maliciously overwriting data, and AvailabilityBreach for loss or destruction e.g. erasing all data on disk. In addition to these, GDPR also requires awareness of when a breach affects multiple jurisdictions either due to involvement of data subjects from multiple EU countries or because the processing of personal data involves multiple locations spread across EU. Such breaches are categorised as CrossBorderDataBreach.

DataBreachNotice represents the communication of information regarding a data breach to another entity, such as reporting it to the authority or sending communications to data subjects. Specific notice concepts are defined to reflect the recipients, for example ControllerBreachNotice is a notice sent to the controller and DataSubjectBreachNotice is a notice sent to the data subject. For reporting data breaches to authorities, there are multiple types of notifications at various stages of investigations - these are represented by DPABreachNotice with additional concepts for initial notice sent within 72 hours, as well as 'phased' notices which are sent as information becomes available.

To represent status of GDPR obligations regarding data breach notifications, the concept DataBreachNoticeRequirement provides specific outcomes which can be documented. For example, BreachNotificationNotNeeded indicates that notifications are not needed, and DPABreachNotificationNeeded represents a notification to the authority is needed.

To support the documentation of data breaches, the concept DataBreachReport represents a report associated with the breach, which can contain information on how the breach was discovered, the duration and coverage of the breach, what measures were taken to handle it, and what notifications were sent as part of the data breach handling processes. Specific concepts are provided to represent different reports required for fulfilling GDPR requirements, for example DataBreachDetectionReport as a report regarding the detection of a data breach and DataBreachPreliminaryReport as a preliminary report (e.g. within 72 hours) when an investigation is underway.

DataBreachJustification represents a dpv:Justification defined in the context of a data breach handling procedure, with specific concepts defined based on the provisions defined in the GDPR. For example, JustificationA33NotificationDelay represents the justification for why a data breach notification was delayed - which would require additional information for that particular instance, and JustificationA33RiskUnlikely represents the specific justification that a notification was deemed to not be necessary as the risk level was found to be low or unlikely (while this doesn't require more information to describe the justification, it is good practice to associate the risk/impact assessment with this for record keeping).

GDPR requires carrying out an impact assessment to determine the level of risk associated with the data breach, in particular on the processing of personal data and on the rights and freedoms of the data subjects. To represent this, the concept DBIARiskStatus is provided with specific outcomes. For example, DBIAIndicatesHighRisk indicates the data breach has a 'high-risk' status.

The concepts in this section reflect the status of processing operations being in compliance with GDPR, by extending the ComplianceStatus from DPV for GDPR. It does not define the requirements for compliance itself. To indicate these, the relation dpv:hasLawfulness can be used.

These concepts are additionally defined in the EU-GDPR extension, but are not placed within the sections described earlier.