DPV-GDPR extends the [[[DPV]]] to provide concepts specific to the obligations and requirements of the [[[GDPR]]]. More specifically, it provides a taxonomy of legal bases, rights, and data transfer tools as defined within the GDPR.

The namespace for terms in DPV-GDPR is https://www.w3id.org/dpv/dpv-gdpr#
The suggested prefix for the namespace is dpv-gdpr
The DPV-GDPR vocabulary and its documentation is available on GitHub.

DPV Family of Documents

Related Links

This document is published by the Data Privacy Vocabularies and Controls Community Group (DPVCG) as a deliverable and report of its work in creating and maintaining the Data Privacy Vocabulary (DPV).

Contributing to the DPV and its extensions The DPVCG welcomes participation regarding the DPV, including expansion or refinement of its terms, addressing open issues, and welcomes suggestions on their resolution or mitigation.

For contributions to the DPV, please see the section on GitHub. The current list of open issues and their discussions to date can be found at GitHub issues.

Introduction

The Data Privacy Vocabulary (DPV) provides terms to annotate and categorise instances of legally compliant personal data handling. In particular, the vocabulary provides LegalBasis and DataSubjectRight as top-level concepts representing the various legal bases for justifying processing of personal data and rights provided to the data subject respectively. Since these concepts are specifically defined within the scope of jurisdictional laws, their implementation is provided as a separate vocabulary that extends the DPV, thereby permitting continued usage of DPV as a jurisdiction-agnostic and generic vocabulary.

This vocabulary, termed as DPV-GDPR, extends the concepts within DPV regarding legal bases, data subject rights, and data transfer tools with those defined and intended by GDPR. It provides a compatible extension to be used in combination with the DPV to represent GDPR-specific information.

Rights under GDPR

GDPR provides several rights to the data subject, whose applicability depends on the context and nature of processing taking place. DPV lists these rights at an abstract level as concepts along with their origin in specific clauses of the GDPR.

Classes

A13 Right to be Informed | A14 Right to be Informed | A15 Right of Access | A16 Right to Rectification | A17 Right to Erasure | A18 Right to Restrict Processing | A19 Right to Rectification | A20 Right to Data Portability | A21 Right to object | A22 Right to object to automated decision making | A7-3 Right to Withdraw Consent | A77 Right to Complaint

A13 Right to be Informed

IRI `https://w3id.org/dpv/dpv-gdpr#A13`
Term: A13
Definition: information to be provided where personal data is directly collected from data subject
SubType of: dpv:DataSubjectRight
Source: GDPR Art.13
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A14 Right to be Informed

IRI `https://w3id.org/dpv/dpv-gdpr#A14`
Term: A14
Definition: information to be provided where personal data is collected from other sources
SubType of: dpv:DataSubjectRight
Source: GDPR Art.14
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A15 Right of Access

IRI `https://w3id.org/dpv/dpv-gdpr#A15`
Term: A15
Definition: Right of access
SubType of: dpv:DataSubjectRight
Source: GDPR Art.15
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A16 Right to Rectification

IRI `https://w3id.org/dpv/dpv-gdpr#A16`
Term: A16
Definition: Right to rectification
SubType of: dpv:DataSubjectRight
Source: GDPR Art.16
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A17 Right to Erasure

IRI `https://w3id.org/dpv/dpv-gdpr#A17`
Term: A17
Definition: Right to erasure ('Right to be forgotten')
SubType of: dpv:DataSubjectRight
Source: GDPR Art.17
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A18 Right to Restrict Processing

IRI `https://w3id.org/dpv/dpv-gdpr#A18`
Term: A18
Definition: Right to restriction of processing
SubType of: dpv:DataSubjectRight
Source: GDPR Art.18
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A19 Right to Rectification

IRI `https://w3id.org/dpv/dpv-gdpr#A19`
Term: A19
Definition: Right to be notified in case of rectification or erasure of personal data or restriction of processing
SubType of: dpv:DataSubjectRight
Source: GDPR Art.19
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A20 Right to Data Portability

IRI `https://w3id.org/dpv/dpv-gdpr#A20`
Term: A20
Definition: Right to data portability
SubType of: dpv:DataSubjectRight
Source: GDPR Art.20
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A21 Right to object

IRI `https://w3id.org/dpv/dpv-gdpr#A21`
Term: A21
Definition: Right to object to processing of personal data
SubType of: dpv:DataSubjectRight
Source: GDPR Art.21
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A22 Right to object to automated decision making

IRI `https://w3id.org/dpv/dpv-gdpr#A22`
Term: A22
Definition: Right not to be subject to a decision based solely on automated processing including profiling
SubType of: dpv:DataSubjectRight
Source: GDPR Art.22
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A7-3 Right to Withdraw Consent

IRI `https://w3id.org/dpv/dpv-gdpr#A7-3`
Term: A7-3
Definition: Right to withdraw consent
SubType of: dpv:DataSubjectRight
Source: GDPR Art.7-3
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

A77 Right to Complaint

IRI `https://w3id.org/dpv/dpv-gdpr#A77`
Term: A77
Definition: Right to lodge a complaint with a supervisory authority
SubType of: dpv:DataSubjectRight
Source: GDPR Art.77
Created:
Contributor(s): Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit

Data Transfers under GDPR

GDPR regulates data transfers outside the EU/EEA based on jurisdictions the transfer is occurring within and the guarantees available regarding the protection of personal data and fundamental rights. To indicate the sufficiency of a data transfer being compatible and adherent to these requirements, the European Commission provides various 'data transfer tools' based on the legal bases provided within the GDPR. DPV-GDPR models these as follows.

Classes

AdHoc Contractual Clauses | Binding Corporate Rules (BCR) | Certification Mechanisms for Data Transfers | Codes of Conduct for Data Transfers | Data Transfer Tool | SCCs adopted by Commission | SCCs adopted by Supervisory Authority | Standard Contractual Clauses (SCC) | Supplementary Measure

AdHoc Contractual Clauses

IRI `https://w3id.org/dpv/dpv-gdpr#AdHocContractualClauses`
Term: AdHocContractualClauses
Definition: Contractual Clauses not drafted by the EU Commission, e.g. by the Controller
SubType of: dpv:Contract, dpv-gdpr:DataTransferTool
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
Created:
Contributor(s): Harshvardhan J. Pandit

Binding Corporate Rules (BCR)

IRI `https://w3id.org/dpv/dpv-gdpr#BindingCorporateRules`
Term: BindingCorporateRules
Definition: Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises.
SubType of: dpv-gdpr:DataTransferTool
Source: GDPR Art.4-20
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit, Paul Ryan

Certification Mechanisms for Data Transfers

IRI `https://w3id.org/dpv/dpv-gdpr#CertificationMechanismsForDataTransfers`
Term: CertificationMechanismsForDataTransfers
Definition: Certification and its binding or specified mechanisms intended to provide sufficient safeguards for data transfers
SubType of: dpv-gdpr:DataTransferTool
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
Created:
Contributor(s): Harshvardhan J. Pandit

Codes of Conduct for Data Transfers

IRI `https://w3id.org/dpv/dpv-gdpr#CodesOfConductForDataTransfers`
Term: CodesOfConductForDataTransfers
Definition: Codes of Conduct that outline sufficient safeguards for carrying out data transfers
SubType of: dpv-gdpr:DataTransferTool
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
Created:
Contributor(s): Harshvardhan J. Pandit

Data Transfer Tool

IRI `https://w3id.org/dpv/dpv-gdpr#DataTransferTool`
Term: DataTransferTool
Definition: A legal instrument or tool intended to assist or justify data transfers
SubType of: dpv:TechnicalOrganisationalMeasure
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools, GDPR Art.46
Created:
Contributor(s): David Hickey, Harshvardhan J. Pandit

SCCs adopted by Commission

IRI `https://w3id.org/dpv/dpv-gdpr#SCCByCommission`
Term: SCCByCommission
Definition: Standard contractual clauses adopted by the Commission in accordance with the examination procedure referred to in GDPR Article 93(2)
SubType of: dpv-gdpr:StandardContractualClauses
Source: GDPR Art.46-2c
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit, Paul Ryan

SCCs adopted by Supervisory Authority

IRI `https://w3id.org/dpv/dpv-gdpr#SCCBySupervisoryAuthority`
Term: SCCBySupervisoryAuthority
Definition: Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in GDPR Article 93(2)
SubType of: dpv-gdpr:StandardContractualClauses
Source: GDPR Art.46-2d
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit, Paul Ryan

Standard Contractual Clauses (SCC)

IRI `https://w3id.org/dpv/dpv-gdpr#StandardContractualClauses`
Term: StandardContractualClauses
Definition: Standard Contractual Clauses (SCCs) are pre-approved clauses by the EU for ensuring appropriate data protection safeguards intended for data transfers from the EU to third countries
SubType of: dpv:Contract, dpv-gdpr:DataTransferTool
Source: Implementing Decision on SCC for Data Transfers
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit, Paul Ryan

Supplementary Measure

IRI `https://w3id.org/dpv/dpv-gdpr#SupplementaryMeasure`
Term: SupplementaryMeasure
Definition: Supplementary measures are intended to additionally provide safeguards or guarentees to bring the resulting protection in line with EU requirements
SubType of: dpv:TechnicalOrganisationalMeasure
Source: EDPB Recommendations 01/2020 on Supplementary Measures and Transfer Tools
Created:
Contributor(s): David Hickey, Georg P Krog, Harshvardhan J. Pandit