Copyright © 2025 the Contributors to the Guides for Data Privacy Vocabulary (DPV) Specification, published by the Data Privacy Vocabularies and Controls Community Group under the W3C Community Final Specification Agreement (FSA). A human-readable summary is available.
This document lists the various guides created by the DPVCG and the community providing guidance for the adoption and use of DPV in terms of its concepts and serialisations, or regarding the application of DPV for specific applications or domains.
The DPVCG invites contributions regarding additional guides as well as updates to existing guides.
DPV Specifications: The [DPV] is the core specification within the DPV family, with the following extensions: Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH] and [AI], [JUSTIFICATIONS], [SECTOR] specific extensions, and [LEGAL] extensions modelling specific jurisdictions and regulations. A [PRIMER] introduces the concepts and modelling of DPV specifications, and [GUIDES] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
To cite and understand the structure of DPV, the article "Data Privacy Vocabulary (DPV) - Version 2.0" (2024) describes the current state of DPV and extensions from version 2.0 onwards (open access version here). The earlier article "Creating A Vocabulary for Data Privacy" (2019) describes how the DPV was developed (open access versions here, here, and here).
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Final Specification Agreement (FSA) other conditions apply. Learn more about W3C Community and Business Groups.
GitHub Issues are preferred for discussion of this specification.
The Data Privacy Vocabulary [DPV] enables expressing machine-readable metadata about the use and processing of personal data based on legislative requirements such as the General Data Protection Regulation [GDPR]. The Primer for Data Privacy Vocabulary [PRIMER] introduces the fundamental structuring and use of concepts in DPV. It is intended to be a starting point for those wishing to use the DPV and an orientation for people from all disciplines. [PRIMER-concise] is a shorter version (2 pages) of the primer intended for a quick introduction.
The guide for using DPV with RDFS/SKOS will provide guidance, considerations, and best practices for using DPV with RDFS/SKOS modelling. The guide will explain how RDFS enables creating simple ontological models (concepts and properties) and how SKOS enables taxonomies/thesauri of concepts. The guide will also explain how this model suits use-cases which require referencing concepts directly (e.g. we use Consent) instead of or alongside instantiation (e.g. x is an instance of Consent), which is how OWL2 is expected to be used.
The Guide for using DPV in OWL2 [GUIDE-OWL2] provides guidance for the use of DPV as an OWL2 ontology, and explains how DPV can be easily encoded in a low-complexity profile of OWL2 called OWL2-PL to perform efficient semantic reasoning.
The DPV is defined using semantic web standards (RDF). For use-cases that do not use semantic web, DPV is still useful as a controlled vocabulary, such as a use-case that uses the list of purposes as suggestions in a form. To support such use-cases, this guide will explain how to use DPV, in particular through the CSV serialisation that is provided to support such uses.
The Guide for using DPV with ODRL [GUIDE-ODRL] is a guide that will provide guidance for the use of DPV concepts with ODRL Information Model 2.2 and ODRL Vocabulary & Expression 2.2. ODRL is a W3C standard for machine-readable representations of policies and agreements. The aim of the guide will be to demonstrate the compatibility and alignment of DPV concepts with those from ODRL, and to guide adopters in using DPV concepts within ODRL and vice-versa. This will enable using DPV to represent policies and agreements as defined by the ODRL standard.
For those interested in this, please refer to publications authored by DPVCG members which have explored this work:
ISO/IEC TS 27560 Privacy technologies — Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of 'receipts'. The Consent Records and Receipts as per ISO/IEC TS 27560:2023 using DPV [GUIDE-Consent-27560] provides implementation of machine-readable consent records and receipts as defined in [ISO-27560] by using the Data Privacy Vocabulary (DPV). Additionally, it also provides guidance on using [ISO-27560] for meeting [GDPR] requirements regarding consent.
For more information on the development process and further use of consent records and receipts implemented using DPV, see the 2024 article preprint Implementing ISO/IEC TS 27560:2023 Consent Records and Receipts for GDPR and DGA authored by Harshvardhan J. Pandit, Jan Lindquist, and Georg P. Krog.
The ISO/IEC 29184:2020 Information technology — Online privacy notices and consent provides a standard for privacy notices in terms of the information to be provided as well as its use to inform the data subject about processing of personal data. This GUIDE-29184 will provide guidance to implement machine-readable notices in conformance with 29184 using the DPV. Additionally, the guide will also describe using ISO-29184 for meeting EU-GDPR requirements regarding privacy notices. It is intended to be a companion to the guide on consent records and receipts as per ISO 27560 in #90. The scope as of now does not include providing tools or libraries for the creation of graphical interfaces or other means to visually represent this information.
For more information on 29184, including comparison with GDPR's requirements, see publication Comparison of notice requirements for consent between ISO/IEC 29184:2020 and GDPR.
The GDPR Article 30 requires keeping records of processing activities (ROPA) involving personal data, where the information to be maintained in such records includes purpose, personal data categories, technical and organisational measures utilised, and others. This GUIDE-GDPR-ROPA will provide guidance to implement machine-readable ROPAs using the DPV. The scope as of now does not include providing tools or libraries for the creation of ROPA or interfaces or other means to work with this information.
This will be based on existing specifications developed using DPV called Data Processing Catalogue (DPCat) - see peer-reviewed article by DPVCG members Paul Ryan, Rob Brennan, and Harshvardhan J. Pandit.
The EU-GDPR Article 35 requires a "Data Protection Impact Assessment" (DPIA) assessing the impact of processing activities involving personal data on the data subject's rights and freedoms. This requires maintaining information about whether such a DPIA is required and, if so, how it was conducted, what its findings were, and, based on those findings, whether processing activities were justified, halted, or not conducted. This GUIDE-GDPR-DPIA will provide guidance to implement machine-readable DPIA using the DPV.
The scope of this guide would be to create machine-readable DPIAs that can provide the information as required for implementing DPIA according to GDPR requirements. The scope as of now does not include providing tools or libraries for the creation of DPIA or interfaces or other means to work with this information. This will be based on the peer-reviewed article A Semantic Specification for Data Protection Impact Assessments (DPIA) and will incorporate work being developed in #183.
GDPR Articles 33 and 34 require keeping records associated with suspicion or occurrence of a data breach and its impacts, including any communications to the data subjects or authorities regarding it. This GUIDE-GDPR-DataBreach will provide guidance to implement machine-readable Data Breach records and notifications using the DPV. The scope of this guide would be to create machine-readable records and notices that can provide the information as required for implementing data breach records, assessments, and notifications according to GDPR requirements. The scope as of now does not include providing tools or libraries for the creation of data breach assessment or notification tools or interfaces or other means to work with this information.
The peer-reviewed article Towards a Semantic Specification for GDPR Data Breach Reporting, authored by DPVCG members Harshvardhan J. Pandit, Paul Ryan, Georg P. Krog, and Rob Brennan, is the basis for this work. This will include work conducted in #64 and #100, and the existing draft at https://w3id.org/dpv/guides/data-breach will be updated for new concepts developed in DPV v2.1 and v2.2.
Regulations such as the GDPR, amongst others across the globe, provide specific rights (to data subjects) through which they can avail of information regarding the processing of their personal data, object to it, or obtain a copy of their given personal data. The GUIDE-Rights will provide guidance on how to implement machine-actionable rights using the DPV.
The scope of this guide would be to create machine-readable records that can provide the information as required for demonstrating rights exercise, its fulfilment or non-fulfilment, and the communications, and provide specific guidance for implementing GDPR rights. The scope as of now does not include providing tools or libraries for exercise or management of rights, or interfaces or other means to work with this information.
This work will be based on Rights Exercising with DPV developed by DPVCG members Beatriz Esteves, Harshvardhan J. Pandit, Georg P. Krog, and Paul Ryan, and described in the peer-reviewed article. A working draft is present at https://w3id.org/dpv/guides/rights
Migrated ISSUE-26: Describe use-cases and examples showing how the vocabulary should be or can be used
State: OPEN
Opened on: 2019-06-18
See Use-Cases and Requirements page for use-cases and requirements that guided the development of DPV.
See Examples page for examples demonstrating use of DPV concepts.
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.