The Data Privacy Vocabulary [[DPV]] enables expressing machine-readable metadata about the use and processing of personal data based on legislative requirements such as the General Data Protection Regulation [[GDPR]]. This document describes the DPV specification along with its data model.
The canonical URL for DPV is https://w3id.org/dpv# which contains (this) specification. The namespace for DPV terms is https://w3id.org/dpv#, the suggested prefix for is dpv, and this document along with its various serializations are available on GitHub.
DPV Family of Documents
[[[DPV-Primer]]]: introductory document to DPV concepts
Newcomers to the DPV are strongly recommended to first read through the Primer to familiarise themselves with the semantics and concepts of DPV.
[[[DPV]]]: (this document) formal and normative description of DPV and its concepts.
Serialisations of DPV:
[[[DPV-SKOS]]]: serialisation of DPV with [[SKOS]] and [[RDFS]] semantics
[[[DPV-OWL]]]: serialisation of DPV using [[OWL]] semantics
Extensions to Concepts:
[[[DPV-GDPR]]]: extends DPV concepts for [[GDPR]]
[[[DPV-PD]]]
[[[DPV-LEGAL]]]
[[[DPV-TECH]]]
[[[DPV-GUIDES]]]:
[[[DPV-GUIDE-OWL2]]]
Other Resources:
[[[DPV-NACE]]]
Related Links
For a general overview of the Data Protection Vocabularies and Controls Community Group [[DPVCG]], its history, deliverables, and activities - refer to DPVCG Website.
The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here.
Contributing to the DPV and its extensions The DPVCG welcomes participation regarding the DPV, including expansion or refinement of its terms, addressing open issues, and welcomes suggestions on their resolution or mitigation.
For contributions to the DPV, please see the section on GitHub. The current list of open issues and their discussions to date can be found at GitHub issues.
Base Vocabulary
Base Vocabulary
The 'Base' or 'Core' concepts in DPV represent the most relevant concepts for representing information regarding the what, how, where, who, why of personal data and its processing. Each of these concepts is further elaborated as a taxonomy of concepts in a hierarchical fashion. The DPV provides the following as 'top-level' concepts and relations to associate them with other concepts:
Class
Property
Description
[=PersonalData=]
[=hasPersonalData=]
Personal data categories
[=Purpose=]
[=hasPurpose=]
Purpose of Processing
[=Processing=]
[=hasProcessing=]
Category or type of processing of personal data
[=DataController=]
[=hasDataController=]
Data Controller responsible for processing
[=DataSubject=]
[=hasDataSubject=]
Data Subject or Individual whose data is being processing
[=Recipient=]
[=hasRecipient=]
Recipient of personal data
[=TechnicalOrganisationalMeasure=]
[=hasTechnicalOrganisationalMeasure=]
Technical and/or Organisational measures associated with processing
[=LegalBasis=]
[=hasLegalBasis=]
Legal bases or justifications for processing
[=Right=]
[=hasRight=]
Rights applicable or provided
[=Risk=]
[=hasRisk=]
Risks applicable or probable regarding processing
[=PersonalDataHandling=]
[=hasPersonalDataHandling=]
A concept for associating the other core concepts as a 'group, 'policy', or 'set' - so as to express different use-cases and combinations
DPV provides taxonomies for all core concepts except the ones specified below:
PersonalDataHandling: DPV defines the concept of for representing a 'policy' or 'grouping' that associates the top-level concepts with one another. The relation hasPersonalDataHandling provides a relation to associate a PersonalDataHandling with other concepts, including like itself.
Right: The concept Right represents a generic rights provided or recognised by some law or convention. The relation hasRight provides the relation to associate a Right with concepts.. In addition, DataSubjectRight refers to rights specifically available to applicable for Data Subjects.
[=Risk=] represents the generic concept of Risk that can be associated with other concepts using [=hasRisk=].
This definition of personal data encompasses the concepts used in GDPR Art.4-1 for 'personal data' and ISO/IEC 2700 for 'personally identifiable information (PII)'.
A high-level Class to describe 'data handling'. This can consist of personal data being processed for a purpose, involving entities, using technical and organisational measures, applicable risks, rights, and legal basis.
A recipient of personal data can be used to indicate any entity that receives personal data. This can be a Third Party, Processor (GDPR), or even a Controller.
A 'right' is a legal, social, or ethical principle of freedom or entitlement which dictate the norms regarding what is allowed or owed.. Rights as a concept encompass a broad area of norms and entities, and are not specific to Individuals or Data Protection / Privacy. For individual specific rights, see dpv:DataSubjectRight
Created:
Contributor(s):
Beatriz Esteves,
Georg P Krog,
Harshvardhan J Pandit
Risk
IRI
`https://w3id.org/dpv#Risk`
Term:
Risk
Definition:
A risk or possibility or uncertainty of negative effects, impacts, or consequences.
Note:
Risks can be associated with one or more different concepts such as purpose, processing, personal data, technical or organisational measure.
The EU, in particular the EDPB, uses data exporter the context of cross-border data transfers/flows. These concepts are not bound by jurisdictional or geopolitical scopes within DPV and can thus be used for any notion of exporting
The EU, in particular the EDPB, uses data importing the context of cross-border data transfers/flows. These concepts are not bound by jurisdictional or geopolitical scopes within DPV and can thus be used for any notion of importing
An entity within or authorised by an organisation to monitor internal compliance, inform and advise on data protection obligations and act as a contact point for data subjects and the supervisory authority.
A recipient of personal data can be used to indicate any entity that receives personal data. This can be a Third Party, Processor (GDPR), or even a Controller.
A ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and people who, under the direct authority of the controller or processor, are authorised to process personal data.
An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries
The legality of age defining a child varies by jurisdiction. In addition, 'child' is distinct from a 'minor'. For example, the legal age for consumption of alcohol can be 21, which makes a person of age 20 a 'minor' in this context. In other cases, 'minor' and 'child' are used interchangeably to refer to a person below some legally defined age.
Created:
Contributor(s):
Harshvardhan J. Pandit
Citizen
IRI
`https://w3id.org/dpv#Citizen`
Term:
Citizen
Definition:
Data subjects that are citizens (for a jurisdiction)
This concept denotes a Data Subject or a group are vulnerable, but not what vulnerability they possess or its context. This information can be provided additionally as comments, or as separate concepts and relations. Proposals for this are welcome.
Beatriz Esteves,
Georg P Krog,
Harshvardhan J. Pandit
Advertising
IRI
`https://w3id.org/dpv#Advertising`
Term:
Advertising
Definition:
Conduct advertising i.e. process or artefact used to call attention to a product, service, etc. through announcements, notices, or other forms of communication
This purpose by itself does not sufficiently and clearly indicate what the communication is about. As such, it is recommended to combine it with another purpose to indicate the application. For example, Communication of Payment.
Created:
Contributor(s):
David Hickey,
Georg P Krog,
Harshvardhan J. Pandit,
Paul Ryan
HR is a broad concept. Its management includes, amongst others - recruiting employees and intermediaries e.g. brokers, independent representatives; payroll administration, remunerations, commissions, and wages; and application of social legislation.
This term is a blanket purpose category for indicating personalisation of some other purpose, e.g. by creating a subclass of the other concept and Personalisation
Axel Polleres,
Elmar Kiesling,
Fajar Ekaputra,
Harshvardhan J. Pandit,
Javier Fernandez,
Simon Steyskal
Sector
IRI
`https://w3id.org/dpv#Sector`
Term:
Sector
Definition:
Indicate or restrict scope for interpretation and application of purpose in a domain e.g. Agriculture, Banking
Note:
There are various sector codes used commonly to indicate the domain of an organisation or business. Examples include NACE (EU), ISIC (UN), SIC and NAICS (USA).
Created:
Contributor(s):
Axel Polleres,
Elmar Kiesling,
Fajar Ekaputra,
Harshvardhan J. Pandit,
Javier Fernandez,
Simon Steyskal
Sell here means exchange, submit, or provide in return for direct or indirect compensation. Was subclass of commercial interest, changed to reflect selling something
Created:
Contributor(s):
Axel Polleres,
Elmar Kiesling,
Fajar Ekaputra,
Harshvardhan J. Pandit,
Javier Fernandez,
Simon Steyskal
Sell Insights from Data
IRI
`https://w3id.org/dpv#SellInsightsFromData`
Term:
SellInsightsFromData
Definition:
Sell data or information relevant to insights obtained from analysis of data
Sell here means exchange, submit, or provide in return for direct or indirect compensation. Was subclass of commercial interest, changed to reflect selling something
Created:
Contributor(s):
Axel Polleres,
Elmar Kiesling,
Fajar Ekaputra,
Harshvardhan J. Pandit,
Javier Fernandez,
Simon Steyskal
to irreversibly alter personal data in such a way that an unique data subject can no longer be identified directly or indirectly or in combination with other data
Infer indicates data that is derived without it being present or obtainable from existing data. For data that is presented, and is 'extracted' or 'obtained' from existing data, see Derive.
It is advised to carefully consider indicating data is fully or completely anonymised by determining whether the data by itself or in combination with other data can identify a person. Failing this condition, the data should be denoted as PseudoAnonymisedData. To indicate data is anonymised only for a specified entity (e.g. within an organisation), the concept AnonymisedDataWithinScope (as subclass of PseudoAnonymisedData) should be used instead of AnonymisedData.
Created:
Contributor(s):
Piero Bonatti
Collected Personal Data
IRI
`https://w3id.org/dpv#CollectedPersonalData`
Term:
CollectedPersonalData
Definition:
Personal Data that has been collected from another source such as the Data Subject
Derived Data is data that is obtained through processing of existing data, e.g. deriving first name from full name. To indicate data that is derived but which was not present or evident within the source data, InferredPersonalData should be used.
Inferred Data is derived data generated from existing data, but which did not originally exist within it, e.g. inferring demographics from browsing history.
The term NonPersonalData is provided to distinguish between PersonalData and other data, e.g. for indicating which data is regulated by privacy laws. To specify personal data that has been anonymised, the concept AnonymisedData should be used.
Created:
Contributor(s):
Harshvardhan J. Pandit
Personal Data
IRI
`https://w3id.org/dpv#PersonalData`
Term:
PersonalData
Definition:
Data directly or indirectly associated or related to an individual.
This definition of personal data encompasses the concepts used in GDPR Art.4-1 for 'personal data' and ISO/IEC 2700 for 'personally identifiable information (PII)'.
Sensitivity' is a matter of context, and may be defined within legal frameworks. For GDPR, Special categories of personal data are considered a subset of sensitive data. To illustrate the difference between the two, consider the situation where Location data is collected, and which is considered 'sensitive' but not 'special'. As a probable rule, sensitive data require additional considerations whereas special category data requires additional legal basis / justifications.
The term 'special category' is based on GDPR Art.9, but should not be considered as exlusive to it. DPV considers all Special Categories to also be Sensitive, but whose use is either prohibited or regulated and therefore requires additional legal basis for justification.
Axel Polleres,
Harshvardhan J. Pandit,
Mark Lizar,
Rob Brennan
Complete Anonymisation
IRI
`https://w3id.org/dpv#CompleteAnonymisation`
Term:
CompleteAnonymisation
Definition:
Altering personal data irreversibly such that a data subject can no longer be identified directly or indirectly, either by the data controller alone or in collaboration with any other party
An agreement outlining conditions, criteria, obligations, responsibilities, and specifics for carrying out processing of personal data between a Data Controller and a Data Processor
An agreement outlining conditions, criteria, obligations, responsibilities, and specifics for carrying out processing of personal data between Controllers within a Joint Controllers relationship
David Hickey,
Georg P Krog,
Harshvardhan J. Pandit,
Paul Ryan
Pseudo-Anonymization
IRI
`https://w3id.org/dpv#PseudoAnonymization`
Term:
PseudoAnonymization
Definition:
PseudoAnonmyization or 'pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
Axel Polleres,
Harshvardhan J. Pandit,
Mark Lizar,
Rob Brennan
Sub-Processor Agreement
IRI
`https://w3id.org/dpv#SubProcessorAgreement`
Term:
SubProcessorAgreement
Definition:
An agreement outlining conditions, criteria, obligations, responsibilities, and specifics for carrying out processing of personal data between a Data Processor and a Data (Sub-)Processor
An agreement outlining conditions, criteria, obligations, responsibilities, and specifics for carrying out processing of personal data between a Data Controller or Processor and a Third Party
Algorithmic Logic is intended as a broad concept for explaining the use of algorithms and automated decisions making within Processing. To describe the actual algorithm, see the Algorithm concept.
Created:
Modified:
Contributor(s):
Harshvardhan J. Pandit
Automated Decision Making
IRI
`https://w3id.org/dpv#AutomatedDecisionMaking`
Term:
AutomatedDecisionMaking
Definition:
Processing that involves automated decision making
Automated decision making can be defined as “the ability to make decisions by technological means without human involvement.” (“Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (wp251rev.01)”, 2018, p. 8)
It is difficult to provide a formal definition of automation since any and all processing may be considered automation. This concept instead is intended to explicitly signal the utilisation of automation and its extent towards some context - such as decision making, and to indicate the involvement of humans.
Created:
Contributor(s):
Harshvardhan J. Pandit
Completely Manual Processing
IRI
`https://w3id.org/dpv#CompletelyManualProcessing`
Term:
CompletelyManualProcessing
Definition:
Processing that is completely un-automated or fully manual
Human Involvement here broadly refers to any involvement by a human in the context of carrying out processing. This may include verification of outcomes, providing input data for making decisions, or overseeing activities.
The term 'Public' is used here in a broad sense. Actual consideration of what is 'Public Data' can vary based on several contextual or jurisdictional factors such as definition of open, methods of access, permissions and licenses.
Created:
Contributor(s):
Beatriz Esteves,
Georg P Krog,
Harshvardhan J. Pandit,
Julian Flake,
Paul Ryan
RegionalScale
IRI
`https://w3id.org/dpv#RegionalScale`
Term:
RegionalScale
Definition:
Geographic coverage spanning a specific region or regions
Scales are subjective concepts that need to be defined and interpreted within the context of their application. For example, what would be small within one context could be large within another.
Created:
Contributor(s):
Georg P Krog,
Harshvardhan J. Pandit,
Rana Saniei
SingularDataVolume
IRI
`https://w3id.org/dpv#SingularDataVolume`
Term:
SingularDataVolume
Definition:
Data volume that is considered singular i.e. a specific instance or single item
A risk or possibility or uncertainty of negative effects, impacts, or consequences.
Note:
Risks can be associated with one or more different concepts such as purpose, processing, personal data, technical or organisational measure.
Created:
Contributor(s):
Harshvardhan J. Pandit
Risk Management Procedure
IRI
`https://w3id.org/dpv#RiskManagementProcedure`
Term:
RiskManagementProcedure
Definition:
Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives. The term risk management also refers to the programme that is used to manage risk. This programme includes risk management principles, a risk management framework, and a risk management process.
Data Protection Impact Assessments as per GDPR art 35, other Privacy Impact Assessments, threat severity assessment https://www.cnil.fr/en/privacy-impact-assessment-pia
The definition of country is not intended for political interpretation. DPVCG welcomes alternate definitions based in existing sources with global scope, such as UN or ISO.
Created:
Contributor(s):
Georg P Krog,
Harshvardhan J. Pandit
Decentralised Locations
IRI
`https://w3id.org/dpv#DecentralisedLocations`
Term:
DecentralisedLocations
Definition:
Location that is spread across multiple separate areas with no distinction between their importance
Specifies the justification for entity withdrawing consent
Created:
Contributor(s):
Bud Bruegger,
Harshvardhan J. Pandit,
Mark Lizar
has withdrawal method
IRI
`https://w3id.org/dpv#hasWithdrawalMethod`
Term:
hasWithdrawalMethod
Description:
Specifries the method by which consent can be/has been withdrawn
Created:
Contributor(s):
Bud Bruegger,
Harshvardhan J. Pandit,
Mark Lizar
has withdrawal time
IRI
`https://w3id.org/dpv#hasWithdrawalTime`
Term:
hasWithdrawalTime
Description:
Specifies the instant in time when consent was withdrawn
Created:
Contributor(s):
Bud Bruegger,
Harshvardhan J. Pandit,
Mark Lizar
is explicit
IRI
`https://w3id.org/dpv#isExplicit`
Term:
isExplicit
Description:
Specifies consent is 'explicit'
Created:
Contributor(s):
Bud Bruegger,
Harshvardhan J. Pandit,
Mark Lizar
Proposed Terms
The following terms have been proposed for inclusion, and are under discussion. They are provided here for illustrative purposes and should not be considered as part of DPV.
personal_data
AnonymisedDataWithinContext
purposes
TagManagement
risk
hasConsequenceOn
technical_organisational_measures
isRequiredFor
entities_datasubject
hasAgeOfMaturity
legal_basis
EULA
TermsOfService
DPV concepts across serialisations
The table provides an overview of the expression of concepts across the three DPV serialisations. These may be expanded in the future, including to non-semantic-web serialisations.
