Consent Records and Receipts as per ISO/IEC TS 27560:2023 using DPV

Final Community Group Report

This version:
https://www.w3.org/community/reports/dpvcg/CG-FINAL-guide-27560-20240801/
Latest published version:
https://w3id.org/dpv/guides/consent-27560
Latest editor's draft:
https://dev.dpvcg.org/guides/consent-27560
Editor:
Harshvardhan J. Pandit (Harshvardhan J. Pandit)
Authors:
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University, Ireland)
Georg P Krog (Signatu, Oslo, Norway)
Jan Lindquist (Linaltech, Stockholm, Sweden)
Feedback:
GitHub w3c/dpv (pull requests, new issue, open issues)
Key Publications
Implementing ISO/IEC TS 27560:2023 Consent Records and Receipts for GDPR and DGA (2024)
Data Privacy Vocabulary (DPV) -- Version 2 (2024)
Creating a Vocabulary for Data Privacy (2019)

Copyright © 2024 the Contributors to the Consent Records and Receipts as per ISO/IEC TS 27560:2023 using DPV Specification, published by the Data Privacy Vocabularies and Controls Community Group under the W3C Community Final Specification Agreement (FSA). A human-readable summary is available.

Abstract

The ISO/IEC TS 27560:2023 Privacy technologies — Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of 'receipts'. This document provides a guide for the implementation of machine-readable consent records and receipts as defined in ISO/IEC TS 27560:2023 by using the Data Privacy Vocabulary (DPV). Additionally, this document also provides guidance on using ISO/IEC TS 27560:2023 for meeting EU GDPR requirements regarding consent.

Status of This Document

This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Final Specification Agreement (FSA) other conditions apply. Learn more about W3C Community and Business Groups.

Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.

GitHub Issues are preferred for discussion of this specification.

Data Privacy Vocabulary (DPV) Specification: is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH], and [AI]. Specific [LEGAL] extensions are also provided which model jurisdiction specific regulations and concepts . To support understanding and applications of [DPV], various guides and resources [GUIDES] are provided, including a [PRIMER]. A Search Index of all concepts from DPV and extensions is available.

[DPV] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [DPVCG], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.

The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article Data Privacy Vocabulary (DPV) - Version 2, accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes the changes made in DPV v2.

2. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY and MUST in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Profiles

The following profiles are provided by DPVCG for the implementation of [ISO-27560] in different use-cases. They are defined under the namespace: https://w3id.org/dpv/schema/dpv-27560#, prefixed hereafter as dpv-27560:

  1. dpv-27560:record: Consent Records conforming with 27560
  2. dpv-27560:record-eu-gdpr Consent Records conforming with 27560 and containing information as required by EU GDPR
  3. dpv-27560:receipt-record Consent Receipts conforming with 27560 and providing a copy of the consent record
  4. dpv-27560:receipt-eu-gdpr Consent Receipts conforming with 27560 and providing information as required by EU GDPR

4. Namespaces

The following namespaces and prefixes are used throughout this document:

prefixURI
dpv https://w3id.org/dpv#
pd https://w3id.org/dpv/pd#
loc https://w3id.org/dpv/loc#
tech https://w3id.org/dpv/tech#
eu-gdpr https://w3id.org/dpv/legal/eu/gdpr#
dct http://purl.org/dc/terms/
dcat http://www.w3.org/ns/dcat#
ex https://example.com/

5. Introduction

5.3 Objectives

The following are the objectives of this document:

  1. To introduce [ISO-27560] for [DPV]] audiences.
  2. To provide a mapping of [ISO-27560] to [DPV] concepts.
  3. To define [DPV-27560] as a schema or profile of [ISO-27560] that uses [DPV] concepts to represent information.
  4. To provide examples and guidance for the use of [DPV-27560].

5.4 Scope

The scope of this document is defined as follows:

5.5 Terminology

The terminology used in [ISO-27560], [EU-GDPR], and [DPV] differ in terms or labels used, but largely represent similar semantic concepts. For example, ISO terminology uses PII for Personally Identifiable Information, which is similar to personal data in GDPR and DPV. This guide uses the [DPV] terminology unless referring to specific fields or terms used in a particular document. To assist with understanding and applying the terminologies across these three sources, 8. Mappings of Terms provides a summary table mapping the terms.

7. Overview of 27560

7.1 Goals & Scope

ISO/IEC TS 27560 Privacy technologies — Consent record information structure has two broad goals: to guide the recording of information about consent for processing of personal data in a form that is interoperable, open, and extendable, and to provide information to individuals. To supplement this, it defines several requirements (as controls in ISO terminology) for ensuring the required information is maintained and is supported by appropriate processes within the organisation. [ISO-27560] is stated as a supplement to the earlier ISO/IEC 29184:2020 Privacy Notices and Consent, where [ISO-29184] defines how information is provided via notices in order to request consent, and [ISO-27560] defines how information is recorded for given consent and provided back to the individual (as receipts).

The objective of [ISO-27560] is to define an information structure for consent record which contains: (1) Information about the processing of personal data; (2) Privacy notices where this information was provided; (3) Sources of data; and (4) Events related to consent (giving, withdrawing, etc.). It also defines an information structure providing all of some of this information to the data subject in the form of a consent receipt. To support implementations, Annex A provides examples of consent records and receipts using [DPV], and Annex B provides an overview the different states or stages in 'consent lifecycle' - which are similar to DPV's consent states.

Specific guidance on implementation such as the choice of technologies is not in the scope of [ISO-27560], though its Annexes provide informative guidance on related topics. Annex C describes performance and efficiency considerations, Annex D describes format and encoding structures, Annex E describes security of records and receipts, and Annex G describes application in Privacy Information Management Systems (PIMS). Further uses of consent records or receipts, such as how data subjects can obtain consent receipts or maintain their own consent records is not described in [ISO-27560].

7.4 Structure

A Consent Record contains four sections as described below and depicted visually in the figure:

  1. Header: metadata about the record e.g. its unique identifier and timestamp of creation.
  2. Processing: information about the processing activities e.g. purposes, personal data.
  3. Parties: information about entities involved in the processing e.g. controllers.
  4. Events: information about consent events e.g. consent given, consent withdrawn.
Figure 2 Summary of fields in ISO/IEC TS 27560:2023. The field names have been modified for alignment with DPV concepts. Field names in bold are mandatory.

Each section contains fields which describe the information that must be represented along with the form (e.g. timestamp format) and its necessity (e.g. required or optional). Certain fields are expressed as references to other fields (e.g. 'Controller' in 'Processing' section is a reference to an instance or record in 'Parties' section).

The Consent Receipt in [ISO-27560] contains only two required fields representing a unique identifier for the receipt and the schema version used for the structuring of information. The information and contents are undefined and left to each implementer to specify. A receipt can optionally contain the entirety of the information within a consent record or can also contain multiple consent records or other information not within a particular consent record. Similarly, a receipt can be made to contain only references to information within a record without containing the information itself e.g. providing only the consent record identifier without the contents of the record itself.

Considering the practical application of consent receipts require them to provide information to data subjects. For the implementation described in this document, it is assumed that the consent receipt provides all information contained within a consent record i.e. a receipt is a copy of the record provided to another entity. This is in line with [ISO-27560] guidance which states that the receipt may contain the same fields as that of a consent record, and that the mandatory fields in a consent record are also mandatory in a consent receipt. Further, [ISO-27560] allows creating different 'schemas' (which we call 'profiles') to indicate changes in requirements and their interpretations.

8. Mappings of Terms

8.1 ISO 29100:2011 and EU GDPR

The below table provides a mapping between DPV, ISO, and GDPR terminology regarding the basic concepts associated with personal data processing.

DPV Term ISO/IEC 29100:2011 EU GDPR
dpv:Consent Section 2.4 Consent Article 4-11 Consent
dpv:PersonalData Section 2.9 PII Article 4-1 Personal Data
dpv:DataController Section 2.10 PII Controller Article 4-7 Controller
dpv:DataSubject Section 2.11 PII Principal Article 4-1 Data Subject
dpv:DataProcessor Section 2.12 PII Processor Article 4-8 Processor
dpv:Processing Section 2.23 Processing of PII Article 4-2 Processing
dpv:SensitivePersonalData and dpv:SpecialCategoryPersonalData Section 2.26 Sensitive PII Article 9 Special Categories of Personal Data
dpv:ThirdParty Section 2.27 Third Party Article 4-10 Third Party

8.2 ISO 27560:2023, EU GDPR, and DPV

The table below provides a comparison between the terms and concepts used in [ISO-27560], [EU-GDPR], and [DPV]. It is neither exhaustive nor authoritative, and is provided as an informative resource to better understand and apply the concepts as they are expressed in the two normative documents ([ISO-27560] and [EU-GDPR]). The column req.? reflects whether maintaining information on the concept is mandatory or optional. Where the value of this is expressed as a dash (-) it means not applicable to reflect the concept is not present or is covered by another term in the table. Note that for GDPR, the table only reflects the information to be maintained - either directly associated with the consent or elsewhere, and does not cover any specific requirements such as the validity of consent as per Art.4-11 or application of principles in Art.6 as these are outside the scope of [ISO-27560].

ISO/IEC 27560:2023 EU GDPR DPV
term required? clauses required? concept relation
Metadata fields
schema version Mandatory N/A N/A None dct:conformsTo
record id Mandatory N/A N/A None dct:identifier, dpv:hasIdentifier
receipt id Mandatory N/A N/A None dct:identifier, dpv:hasIdentifier
pii principal id Mandatory N/A N/A dpv:DataSubject dpv:hasDataSubject, dct:identifier
Processing fields
privacy notice Mandatory 13, 14 information to be provided Mandatory dpv:PrivacyNotice, dpv:ConsentNotice dpv:hasNotice
language Mandatory N/A N/A None dct:language
purpose Mandatory 6-1a purpose Mandatory dpv:Purpose dpv:hasPurpose
purpose type Optional N/A N/A dpv:Purpose categories dpv:hasPurpose
lawful basis Optional 6 legal basis Mandatory dpv:LegalBasis dpv:hasLegalBasis
pii information Mandatory N/A N/A dpv:PersonalData dpv:hasPersonalData
pii controllers Mandatory N/A N/A dpv:DataController dpv:hasDataController
collection method Optional 13-1 collected from data subject; 14-2f source Mandatory dpv:DataSource, dpv:Collect dpv:hasDataSource, dpv:hasProcessing
processing method Optional 4-2 processing; 30-2b processing categories; 13-2f, 14-2g, 151-h automated decision making, logic, consequences; 35-1b large scale processing of special categories; 35-1c large scale of processing Mandatory dpv:Processing, dpv:AutomationOfProcessing, dpv:Profiling, dpv:AlgorithmicLogic, dpv:Consequence; dpv:DataVolume, dpv:ScaleOfProcessing dpv:hasProcessing, dpv:hasAutomation, dpv:hasAlgorithmicLogic, dpv:hasConsequence, dpv:hasDataVolume, dpv:hasScale, dpv:hasContext
storage locations Mandatory 15-2 third country Mandatory dpv:StorageLocation, dpv:Jurisdiction dpv:hasStorageCondition, dpv:hasLocation, dpv:hasJurisdiction
retention period Mandatory 13-2a, 14-2a, 15-1d storage period or criteria; 30-1f erasure time limit Mandatory dpv:StorageCondition, dpv:StorageDuration, dpv:StorageDeletion dpv:hasStorageCondition, dpv:hasDuration
processing location Optional 13-1f, 14-1f, 15-2 transfer to third country Mandatory dpv:Location, dpv:Jurisdiction dpv:hasLocation, dpv:hasJurisdiction
geographic restrictions Optional 13-1f, 14-1f, 15-2, 30-1e, 30-2c, 44, 45, 46, 47, 48, 49-1a transfer to third country Mandatory dpv:Location, dpv:Jurisdiction, dpv:Rule dpv:hasLocation, dpv:hasJurisdiction, dpv:hasRule
service Optional N/A N/A dpv:Service dpv:hasService
jurisdiction Mandatory N/A N/A dpv:Jurisdiction dpv:hasJurisdiction
recipient third parties Mandatory 4-9 recipient; 4-10 third party Mandatory dpv:Recipient, dpv:ThirdParty dpv:hasRecipient, dpv:hasThirdParty
withdrawal method Mandatory 7-3, 13-2c, 14-2d withdrawing consent Mandatory dpv:WithdrawConsent dpv:hasConsentControl
privacy rights Optional 13-22 rights Mandatory dpv:DataSubjectRight, dpv:RightExerciseNotice dpv:hasRight, dpv:hasNotice
codes of conduct Optional 24-3, 32-3, 35-8, 40 codes of conduct; 42 certification Optional dpv:CodeOfConduct, dpv:Certification, dpv:Seal dpv:hasOrganisationalMeasure
impact assessment Optional 35 DPIA Optional dpv:ImpactAssessment, dpv:DPIA dpv:hasImpactAssessment
authority party Optional 13-2d, 14-2e, 15-1f complaint to authority; 51 supervisory authority; 56 lead authority. Mandatory dpv:Authority dpv:hasAuthority
personal data fields
pii type Mandatory 4-1, 14-1d, 15-1b personal data categories Mandatory dpv:PersonalData dpv:hasPersonalData
pii attribute id Optional N/A N/A dct:identifier
pii optional Optional 13-2e, 35 necessity of personal data Mandatory dpv:Necessity dpv:hasNecessity
sensitive pii category Optional N/A N/A dpv:SensitivePersonalData, dpv:SensitivityLevel dpv:hasPersonalData, dpv:hasSensitivityLevel
special pii category Optional 9 special categories of data Mandatory dpv:SpecialCategoryPersonalData dpv:hasPersonalData
party fields
party id Mandatory N/A N/A dpv:LegalEntity dct:identifier, dpv:hasIdentifier
party address Mandatory 13-1a, 14-1a identity of controller Mandatory None dpv:hasAddress
party email Optional N/A N/A None dpv:hasContact
party url Optional N/A N/A None dpv:hasContact
party phone Optional N/A N/A None dpv:hasContact
party name Mandatory 13-1a, 14-1a identity of controller Mandatory None dpv:hasName
party role Optional 4-1 data subject; 4-7 controller; 4-8 processor; 4-9 recipient; 4-10 third party; 4-17 representative; 4-21 supervisory authority Mandatory dpv:DataSubject, dpv:DataController, dpv:DataProcessor, dpv:Recipient, dpv:ThirdParty, dpv:Representative; dpv:Authority dpv:hasDataSubject, dpv:hasDataController, dpv:hasDataProcessor, dpv:hasRecipient, dpv:hasThirdParty, dpv:hasRepresentative; dpv:hasAuthority
party contact Mandatory 13-1a, 14-1a contact details of controller Mandatory None dpv:hasContact
party type Mandatory 4-9 recipient, data importer and data exporter (external concepts) Mandatory dpv:Recipient, dpv:DataImporter, dpv:DataExporter, dpv:DataSource dpv:hasRecipient, dpv:hasDataImporter, dpv:hasDataExporter, dpv:hasDataSource
event fields
event time Mandatory 7-1 demonstrate consent Mandatory None dct:date
validity duration Mandatory N/A (external guidance requires validity) Mandatory None dct:valid
entity id Mandatory N/A (assumed roles, e.g. data subject, controller) Mandatory dpv:LegalEntity dpv:isImplementedByEntity
event type Mandatory 4-11 (regular or expressed) consent; 9-2a explicit consent Mandatory dpv:Consent types dpv:hasLegalBasis
event state Mandatory 4-11, 9-2a consent given; 7-3 withdrawal of consent; 13, 14 notice for consent; (from derivations) lapsed validity, invalidation authorities, termination by controller Mandatory dpv:ConsentStatus dpv:hasConsentStatus

8.3 ISO/IEC 27560:2023, 29184:2020, EU GDPR

ISO/IEC TS 27560:2023 ISO/IEC 29184:2020 EU GDPR
3.1 consent 4-11 definition of consent
3.2 consent receipt Annex B R42, 7-1 demonstrating consent
3.3 consent record R42, 7-1, 13, 14, 30 recording information related to consent
3.4 consent type 5.4.3 Informed and freely given consent. 3.1 explicit consent R32, R43, 6-1a, 9-2a conditions for consent. R42 demonstrating consent. 8 child’s consent. 9-2a explicit consent
6.2 recordkeeping for privacy notices and consent R42, 7-1, 13, 14, 30 recording and demonstrating consent
6.2.2.1 presentation of notice 5.2.2 providing notice, 5.2.3 appropriate expression, 5.2.7 appropriate forms, 5.2.9 accessibility R32, R42, R43, R58, 7-2 notice for consent
6.2.2.2 timeliness of notice 5.2.5 appropriate timing R32, R42, R43, R60, 7-2, 13, 14 notice for providing information and requesting consent. R61, 13-2 14-3 timing of notice. R62 exceptions
6.2.2.3 obtaining consent 5.2.7 appropriate forms R42, 7-1 record of consent
6.2.2.4 time and manner of consent 5.2.6 appropriate locations R32, R42, R43, 7-2
6.2.2.5 technical implementation R42, 7-1, 13, 14, 30 maintaining information for demonstrating consent
6.2.2.6 unique reference 5.2.8 ongoing reference R42, 7-1 demonstrating consent
6.2.2.7 legal compliance R39, 5 principles, 5 principles. R40, R41, 6 lawfulness and legal basis. R50 further processing. R42, 7-1 record of consent
6.3.4.1 privacy_notice 3.2 notice R32, R42, R43, R60, R61, 7-2, 13, 14 notice for providing information
6.3.4.2 language 5.2.4 multi-lingual notice R32, R42, R43 conditions for consent
6.3.4.3, 6.3.4.4 purposes 5.3.2 purpose description, 5.3.3 Presentation of purpose description 5, 6-1a, 13-1c, 13-3, 14-1c, 14-4, 15-a, 30-1b purpose of processing
6.3.4.6 lawful_basis 5.3.15 Basis for processing R40, R41, 6-1a, 7-1a, 9-2a, 13-1c, 13-1d, 14-1c lawfulness and legal basis
6.3.4.7 pii_information 3.3 element of PII 4-1, 14-1d, 15-1b, 30-1c personal data
6.3.4.8 pii_controllers 5.3.4 Identification of the PII controller 13-1a, 14-1a, 30-1a identity of controller
6.3.4.9 collection_method 5.3.5 PII collection, 5.3.6 Collection method, 5.3.7 Timing and location of the PII collection R61, 13-1, 14-1, 14-2f, 15-1g source of personal data
6.3.4.10 processing_method 5.3.8 Method of use 4-2, 30-2b processing methods. 13-2f, 14-2g, 15-1h automated decision making and profiling
6.3.4.11 storage_locations 5.3.9 Geo-location of, and legal jurisdiction over, stored PII 13-1f, 14-1f, 15-2 storage or processing location
6.3.4.12 retention_period 5.3.11 Retention period 13-2a, 14-2a, 15-1d, 30-1f storage duration or time limits
6.3.4.13 processing_locations 5.3.9 Geo-location of, and legal jurisdiction over, stored PII 13-1f, 14-1f, 15-2 processing location (including data transfers)
6.3.4.14 geographic_restrictions 5.3.9 Geo-location of, and legal jurisdiction over, stored PII 13-1f, 14-1f, 15-2, 30-1e, 30-2c, 44, 45, 46, 47, 48, 49-1a geographic condition (e.g. third country)
6.3.4.16 jurisdiction 5.3.9 Geo-location of, and legal jurisdiction over, stored PII 13-1f, 14-1f, 15-2, 30-1e, 30-2c, 44, 45, 46, 47, 48, 49-1a geographic condition (e.g. third country)
6.3.4.17 recipient_third_parties 5.3.10 Third-party transfer 4-9, 4-10, 13-1e, 14-1e, 15-1c, 19, 30-1d recipients
6.3.4.18 withdrawal_method 5.3.12 Participation of PII principal R42, 7-3, 13-2c, 14-2d withdrawing consent
6.3.4.19 privacy_rights 5.3.12 Participation of PII principal 13-2b, 13-2c, 14-2c, 14-2d, 15-1e, 16, 17, 18, 20, 21, 22 rights of data subject
6.3.4.20 codes_of_conduct 24-3, 32-3, 35-8, 40 codes of conduct, 42 certification
6.3.4.21 impact_assessment 5.3.16 Risks R75, R84 risks and risk evaluation. R90, R91, R92, R93, 35 Data Protection Impact Assessments (DPIA)
6.3.4.22 authority_party 5.3.13 Inquiry and complaint 13-2d, 14-2e, 15-1f complaint to authority. 36-1 consult with authority for impact assessment. 51 supervisory authority, 56 lead authority.
6.3.5.1 pii_type 3.3 element of PII 4-1, 14-1d, 15-1b, 30-1c personal data types and categories
6.3.5.2 pii_attribute_id 3.3 element of PII
6.3.5.3 pii_optional 5.4.6 Separate consent to necessary and optional elements of PII R90, R91, 5, 13-2e, 35 optionality or necessity of personal data
6.3.5.4 sensitive_pii_category R51 protecting sensitive data
6.3.5.5 special_pii_category R51, R53, R71, 6, 9, 22-4, 30-1c, 35 special categories of personal data
6.3.6.6 party_name 13-1a, 14-1a, 30-1a, 30-2a
6.3.6.7 party_role 4-1, 4-7, 4-7, 4-8, 4-9, 4-10, 13-1a, 13-1e, 14-1a, 14-1e, 26-1, 28, 30-1a, 30-1d, 30-2a, 37
6.3.6.8 party_contact 13-1a, 13-1b, 14-1a, 14-1b, 26-1
6.3.6.9 party_type 4-1, 4-7, 4-7, 4-8, 4-9, 4-10, 13-1e, 14-1e, 15-1c, 19
6.3.7.1 event_time 5.4.8 Timeliness R42, 7-1, 13, 14, 30 maintaining information for demonstrating consent
6.3.7.2 validity_duration 5.4.7 Frequency 25 Data Protection by Design and by Default
6.3.7.3 entity_id R42, 4-11, 6-1a, 7-3, 8-1, 8-2, A13, A14
6.3.7.4 event_type 5.4.3 Informed and freely given consent 4-11 (regular) consent. 9-2a explicit consent. R32, 7-1 given consent. R32, 7-2 request for consent
6.3.7.6 event_state 5.5.2 Renewing notice, 5.5 Change of conditions, 5.5.3 Renewing consent 4-11, 6-1a, 9-2a given consent. R42, 7-3 withdrawn consent.
6.4.3 consent management R32, R42, R43, R60, R61, 7-2, 12, 13, 14 information about given consent and applicable rights, R42, 7-3 withdrawing consent
6.4.4 PII principal participation 5.3.12 Participation of PII principal, 5.3.14 Information about accessing the choices made for consent R32, R42, R43, R60, R61, 7-2, 12, 13, 14 information about given consent and applicable rights, R42, 7-3 withdrawing consent
6.4.6 receipt content 5.3.14 Information about accessing the choices made for consent R32, R42, R43, R60, R61, 7-2, 12, 13, 14 information about given consent and applicable rights
Annex B consent lifecycle 5.5.2 Renewing notice, 5.5 Change of conditions, 5.5.3 Renewing consent 4-11, 6-1a, 9-2a given consent. R42, 7-3 withdrawn consent.
Annex E security of consent records and receipts R75, R76, R77, R78, R83, 24, 25, 30, 32, 44
Annex F signals communicating PII Principal’s preferences and decisions R32, 7-2, 21-5

9.1 Record Metadata

Information representing the metadata in the header field containing information about the record.

Field Cardinality DPV Concept DPV Property
Schema Version 1 N/A dct:conformsTo
Record Identifier 1..* N/A dpv:hasIdentifier
Data Subject 1 dpv:DataSubject dpv:hasDataSubject

9.1.1 Schema Version

This field MUST be present.

The specific version of the schema (schema_version in [ISO-27560]) used to interpret the record and its information, indicated using dct:conformsTo with the corresponding IRI from 4. Namespaces. Future changes to the schema will result in suffixes to this IRI e.g. dpv-27560-v2. To indicate conformance with specific requirements such as from GDPR, a separate schema or profile IRI must be utilised, as seen in 3. Profiles.

9.1.2 Record Identifier

This field MUST be present.

The unique identifier (record_id in [ISO-27560]) associated with this record, indicated using dct:identifier. This can be a [ISO-27560] recommended UUID-4 string or an IRI.

Note: Identifier vs IRI

Even if the IRI or @id field represents a unique identifier, this information must be specified using dct:identifier as the IRI may refer to a copy or alternate location of the same record.

9.1.3 Data Subject

This field MUST be present.

The data subject (pii_principal_id in [ISO-27560]) associated with the consent (record), indicated using dpv:hasDataSubject. The data subject can be represented by an instance of dpv:DataSubject or an identifier.

9.1.4 Additional Metadata

Information such as who maintains or published the record, when was it created or modified, and its provenance is not covered by [ISO-27560] as it is considered "implementation detail". To assist in maintaining this information, the following fields from [DCT] are suggested for documenting this information in an optional and non-normative manner:

  • dct:accessRights: information on who can access the consent record.
  • dct:contributor: entity or entities that have contributed to the information within the consent record.
  • dct:created: date/time for when the consent record was created.
  • dct:creator: entity that created the consent record. NOTE: this entity may be different from the publisher of the consent record, e.g. a processor (creator) manages the record for a controller (publisher).
  • dct:hasPart (with inverse dct:isPartOf): to associate with a part of the consent record, e.g. where the information in a consent record may be maintained separately or partitioned based on common information for efficiency.
  • dct:hasVersion (with inverse dct:isVersionOf): to associate one consent record with its updated version, e.g. where each event in a consent record results in a new consent record.
  • dct:replaces (with inverse dct:isReplacedBy): to associate the consent record which is being replaced, e.g. where the other consent record is no longer in use and this is a new consent record intended to replace it.
  • dct:issued: date/time associated with 'formal issuance' of the consent record, e.g. where dct:created is a timestamp for when the record was generated by a machine agent and where dct:issued captures its formal acceptance as a legally relevant record.
  • dct:modified: date/time for when the consent record was modified.
  • dct:provenance: information about the provenance of the consent record, e.g. where the record has been transferred between entities.
  • dct:publisher: entity or entities that 'publish' the consent record i.e. make it available within some contextual sense, e.g. to produce it within an audit or legal investigation.
  • dct:source: information on the sources used within the consent record, e.g. other records or logs that should be associated to record the provenance of information.
  • dct:valid: date/time until when this record can be considered valid. NOTE: this refers to assessing validity of the record as a whole and does NOT refer to validity of consent events or the processing specified within the record.

Further, the use of Data Catalog Vocabulary (DCAT) - Version 3 is also recommended to store consent records and receipts as it assists with metadata fields (see above) as well as expressing relations between collections of records/receipts (i.e. catalogues) and relations between datasets (e.g. latest version). See technical considerations.

9.2 Notice Fields

These fields refer to information about the notice that has been shown to request consent. In [ISO-27560], these fields are part of the Processing section.

Field Cardinality DPV Concept DPV Property
Notice 1..* dpv:Notice dpv:hasNotice
Notice Language 1..* N/A dct:language

9.2.1 Notice

This field MUST be present.

Reference to the specific version of the notice (privacy_notice in [ISO-27560]) associated with consent, indicated using dpv:hasNotice and a reference to the notice or an instance of dpv:ConsentNotice. If there are multiple notices - then each must be indicated separately. Multiple notices can be associated where such notices are part of the same context e.g. shown one after the other, or where they are associated over time, e.g. one notice shown initially when requesting and another when re-confirming it at a later time.

Note: Distinction between Privacy Notice and Consent Notice

In DPV, the concepts dpv:PrivacyNotice and dpv:ConsentNotice have different intended meanings - a consent notice is a specific privacy notice associated with consent, most commonly providing information in order to request consent. Whereas, a privacy notice can also refer to other documents providing information, such as what is commonly called as 'privacy policy'. For the purposes of the consent record, both documents can be included, but dpv:ConsentNotice MUST be used when referring to the notice used for providing information for consent.

9.2.2 Notice Language

This field MUST be present.

The language used in the communications regarding consent, such as the information provided within a notice. The language is indicated using dct:language, and it is recommended to use standardised notations for representing languages such as the ISO 639.

For examples, please refer to 9.2.1 Notice section.

9.3 Processing Fields

[ISO-27560] contains 22 fields related to processing activities, and 5 additional fields regarding personal data involved in processing. The structuring of these fields within [ISO-27560] is of the form where the "PII Processing" section contains an array of "purposes" where each "purpose" is expressed with its own fields regarding legal basis, collection method, storage locations, and so on. Within the DPV implementation, this is replaced with dpv:Process so that each instance represents a distinct processing activity with its fields e.g. purposes, personal data, recipients.

Field Cardinality DPV Concept DPV Property
Process 1..* dpv:Process dpv:hasProcess
Purpose 1..* dpv:Purpose dpv:hasPurpose
Personal Data 1..* dpv: dpv:hasPersonalData
Personal Data Type 1..* dpv:PersonalData taxonomy dpv:hasPersonalData
Personal Data Identifier 0..* N/A dct:identifier
Personal Data Necessity 0..* dpv:Necessity dpv:hasNecessity
Sensitive/Special Category 0..* dpv:SensitivePersonalData, dpv:SpecialCategoryPersonalData dpv:hasPersonalData
Processing Operations 0..* dpv:Processing dpv:hasProcessing
Data Source 0..* dpv:DataSource dpv:hasDataSource
Storage Condition 1..* dpv:StorageCondition, dpv:StorageLocation, dpv:StorageDuration, dpv:StorageDeletion dpv:hasStorageCondition
Processing Condition 0..* dpv:ProcessingCondition, dpv:ProcessingLocation, dpv:ProcessingDuration dpv:hasProcessingCondition
Geographic Restriction 0..* dpv:Rule dpv:hasRule
Data Controller 1..* dpv:DataController dpv:hasDataController
Legal Basis 0..* dpv:LegalBasis dpv:hasLegalBasis
Recipients 1..* dpv:Recipient dpv:hasRecipient
Consent Change & Withdrawal 1..* dpv:ConsentControl, dpv:WithdrawingFromActivity dpv:hasConsentControl
Jurisdiction 1..* dpv:Jurisdiction dpv:hasJurisdiction
Rights 1..* dpv:DataSubjectRight dpv:hasRight
Services 0..* dpv:Service dpv:hasService
Code of Conduct 0..* dpv:CodeOfConduct dpv:hasOrganisationalMeasure
Impact Assessment 0..* dpv:ImpactAssessment dpv:hasAssessment

9.3.1 Process

This field MUST be present.

dpv:Process is a concept that represents a process or 'unit' for combining relevant details such as purposes, processing, personal data categories, recipients, and so on. Instances of dpv:Process can be used to differentiate between information regarding processing - such as where different purposes are used or that lead to different recipients. Such instances can also be nested within other instances to create a 'modular' structuring of processing activities.

Note: Benefits of using `dpv:Process`

Following the [ISO-27560] model requires creating a concept called 'purposes' and to utilise an array or a list to hold the associated 'purpose' instances. Given that DPV prefers a strict taxonomy expressed in a graph representation, following the same model would lead to non-intuitive structures. Further, other similar lists such as those for 'pii_type' also require creation of new concepts to represent groups or collections of the actual intended concepts.

9.3.2 Purpose

This field MUST be present.

The purpose of processing personal data, expressed in DPV using hasPurpose as an instance of Purpose.

[ISO-27560] has an additional field called 'purpose_type' that describes the category of the purpose. This is expressed using skos:broader. For additional information, such as descriptions, relevant DCT relations should be used.

Note: Distinction between type and category
Note: Interpreting multiple purposes within a single context

Where multiple purposes are present within the same or single context, for example the consent record or a personal data handling instance, the interpretation is that they are all applicable for that context. For example, if a personal data handling instance contains 3 purposes - then it is presumed that the consent is for carrying out each of the 3 purposes.

To declare that ALL purposes must occur together i.e. they cannot be carried out independently, the appropriate semantic relations should be used to express this information - for e.g. by declaring the 3 required purposes as the 'type' for a new combined purpose.

Caution is advised when modelling consent as jurisdictional requirements such as those from GDPR e.g. Recital 32 states "Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.". This means all purposes listed within a record pertaining to a single consent are to be used with that single consent as the legal basis.

9.3.3 Personal Data

This field MUST be present.

The personal data ('pii information' in [ISO-27560]) involved in processing activities, associated using dpv:hasPersonalData and instances of dpv:PersonalData.

In [ISO-27560], the personal data fields are used to describe aspects of personal data as - type, identifier, optionality, being sensitive and being special category. In the DPV implementation, these are described as annotations or additional relations over the personal data instance.

9.3.3.1 Personal Data Type

This field MUST be present.

The type or category of personal data ('pii type' in [ISO-27560]), expressed in DPV using skos:broader, and optionally using concepts from the [PD] taxonomy. The value for this field must use a data category from DPV either through an explicit declaration i.e. using skos:broader or through an implicit definition e.g. [PD] taxonomy.

9.3.3.2 Personal Data Identifier

This field MAY be present.

The identifier representing the data values or instances e.g. within a database, expressed in DPV using dct:identifier.

9.3.3.3 Personal Data Necessity

This field MAY be present.

The necessity or optionality of this data ('pii optional' in [ISO-27560]) for the processing, expressed in DPV using hasNecessity and one of the provided instances of Necessity. If this field is absent, it should be inferred as the data being necessary.

9.3.3.4 Sensitive and Special Category

This field MAY be present.

Indicates whether the personal data is considered sensitive ('sensitive pii category' in [ISO-27560]), and separately whether it is also of special category ('special pii category' in [ISO-27560]). Declaring either in DPV is done using skos:broader with value SensitivePersonalData or SpecialCategoryPersonalData. Its absence indicates the data does not belong to either sensitive or special categories.

9.3.4 Processing Operations

This field MAY be present.

Indicates the processing operations or activities carried out over the specific personal data, and indicated using dpv:hasProcessing with instances of dpv:Processing. In [ISO-27560], this field also represents information about automated decision making - which is represented in DPV through the dpv:AutomationOfProcessing concepts and associated with dpv:hasProcessingAutomation, as well as large scale of processing which is represented through dpv:ScaleOfProcessing and associated using dpv:hasScale.

9.3.4.1 Data Source(s)

This field MAY be present.

This field represents the source of data being processed. In [ISO-27560], this field is called collection method and can be about The data provided by or observed from activities of the data subjects, be inferred from existing data, or be collected from another entity or third party. In DPV, this information is represented using dpv:DataSource and associated using dpv:hasDataSource.

Concepts within the DPV taxonomy have an exact meaning - for example data being obtained through observation should not be stated as being collected, but as observed - even if the data source is still the same data subject. Therefore, it is best to separate the data source entity and the processing operation.

9.3.4.2 Storage Condition(s)

This field MUST be present.

Indicates information about the storage of personal data such as regarding its duration, location, and erasure, represented using dpv:StorageCondition and associated using dpv:hasStorageCondition. The existence of Storage Condition implies storing data as a processing operation. In [ISO-27560], this information is represented through two fields - storage locations and retention period - both of which are required to be present.

9.3.4.3 Processing Condition(s)

This field MAY be present.

Indicates information about conditions regarding the processing operations, such as regarding its duration and location, represented using dpv:ProcessingCondition and associated using dpv:hasProcessingCondition. Given that storing data is a specific type of processing operation, this field is useful for other processing activities such as collection of data. In [ISO-27560], the field only relates to processing locations.

9.3.4.4 Geographic Restriction(s)

This field MAY be present.

Geographic restrictions are defined in [ISO-27560] as restrictions related to geo-locations or jurisdictions. While DPV prefers a declarative interpretation where, for e.g., if processing location is mentioned as EU then it implies that processing will only take place within EU since no other locations are mentioned. If the intention is to explicitly state this as a restriction, it can utilise the dpv:Rule concept which provides (simplified) Permissions, Prohibitions, and Obligations. For further expressiveness of complexity, specifications such as ODRL Information Model 2.2 should be considered.

Note that while [ISO-27560] only considers restrictions over geographic locations for processing (including storing), DPV (and ODRL)support specifying information and restrictions over a much wider range of concepts. In theory, restrictions can be expressed over any concept or combination of concepts.

9.3.5 Data Controller(s)

This field MUST be present.

Indicates the Data Controllers (pii controllers in [ISO-27560]) responsible for the specified processing activities, expressed in DPV using hasDataController with instances of DataController.

Note that the notion of a 'Controller' is regarding accountability, and does not necessarily correlate with who performs the processing or has access to data - for example in GDPR. To indicate who performs the processing, DPV provides dpv:isImplementedByEntity.

Information about the Data Controller, such as its name or address, is described through the Entity Fields later in the document based on a similar structure in [ISO-27560].

9.3.7 Recipients

This field MUST be present.

Indicates the recipients of personal data associated with the specific processing activities, expressed as dpv:Recipient and associated using dpv:hasRecipient. In [ISO-27560], this field is only limited to Recipients who are Third Parties, which excludes the Data Controllers and Processors. In DPV, recipients can be any of Data Controllers, or Processors, or Third Parties.

Note that recipients can be specific entities i.e. their identity is known, or groups or categories of entities - for example as in GDPR's Article 13-1e. However, [ISO-27560] only considered explicitly indicated third parties for the recipients field.

In [ISO-27560], the recipient field is also associated with information regarding the geo-location of data being transferred to the recipient third party's and whether this constitutes a jurisdictional change. To represent this in DPV, the location of the transfer should be indicated within the processing information along with the recipient entity. The jurisdiction can also be represented in the same context - to indicate the transfer to that jurisdiction, or it can be specified in association with the recipient entity.

9.3.9 Jurisdiction(s)

This field MUST be present.

Indicates the applicable jurisdiction for the processing indicated within the receipt. The acknowledgement of jurisdiction(s) is necessary to convey applicable laws and requirements regarding consent validity and applicable rights as well as indicating the obligations on parties involved. To indicate the jurisdiction, the concept Location is to be associated using hasJurisdiction. The [LOC] extension can be used for this which provides a list of locations based on ISO-3166.mm

In [ISO-27560], this field can also be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

9.3.10 Rights

This field MUST be present.

Indicates the applicable rights and provides information on how to avail or exercise them. The rights are indicated using DataSubjectRight and associated using hasRight. To indicate how to exercise them, the relation isExercisedAt is to be used. To indicate provision of information regarding rights exercise, the concept RightExerciseNotice is to be used and associated using hasNotice.

In [ISO-27560], this field is optional, and is used to provide a link to information on how to exercise rights. It also allows this field to allow changes to the consent conditions such as the retention period. In [ISO-27560], this field can also be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

9.3.11 Service(s)

This field MAY be present.

Indicates the services the described processing activities are a part of or assist with, expressed as an instance of dpv:Service and associated using dpv:hasService.

In [ISO-27560], a Service can be as broad or granular as desired. A service is related to a purpose by providing a context through which the specific purpose can be understood within their context, and also to enable related purposes and activities to be associated and explained with a common service being provided.

9.3.12 Code of conduct(s)

This field MAY be present.

Indicates the applicability of a Code of Conduct for the specified processing activity. A code of conduct is a voluntary set of rules and responsibilities undertaken by an organisation. It is indicated using an instance of dpv:CodeOfConduct and associated using dpv:hasOrganisationalMeasure.

In [ISO-27560], this field is described as providing information regarding the name of the code of conduct and a publicly accessible reference to it. A code of conduct can also be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

9.3.13 Impact assessment(s)

This field MAY be present.

Indicates the existence of an Impact Assessment for the specified processing activity. An impact assessment in this record refers to the impact of the specified processing activities on the data subject. Impact assessments are indicated using instances of dpv:ImpactAssessment and associated using dpv:hasAssessment. DPV provides concepts for specific types of impact assessments, such as dpv:PIA for Privacy Impact Assessment and dpv:DPIA for Data Protection Impact Assessment.

In [ISO-27560], this field is limited to assessments of privacy risks and potential impacts of "non-compliance" on the data subjects, whereas in common practice assessments such as PIA and DPIA concern the impact of the processing on the data subject - which is what DPV and this specification considers. Impact assessments can also be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

9.4 Entity Fields

[ISO-27560] refers to Entity as Party.

Entities are expressed using instances of dpv:Entity and associated using dpv:hasEntity.

Field Cardinality DPV Concept DPV Property
Name 1..* N/A dpv:hasName
Identifier 1..* N/A dpv:hasIdentifier
Role 1..* dpv:DataController, dpv:DataProcessor, dpv:ThirdParty, dpv:Authority, dpv:DataSubject dpv:hasEntity, dpv:hasDataController, dpv:hasDataProcessor, dpv:hasThirdParty, dpv:hasAuthority, dpv:hasDataSubject
Contact 1..* schema:ContactPoint schema:contactPoint
Postal Address 1..* schema:PostalAddress schema:contactPoint
Email 0..* N/A schema:email
Phone 0..* N/A schema:telephone
URL 0..* N/A schema:url

9.4.1 Name

This field MUST be present.

Indicates the legal name and identity of the Entity, expressed using dpv:hasLegalName and a string.

9.4.2 Identifier

This field MUST be present.

Indicates the unique identifier for the entity within the record. In linked data and semantic web methods of expressing information, the IRI already acts as an unique identifier. To support interoperability, the IRI identifier MUST be declared explicitly using dpv:hasIdentifier. To denote other (unique or otherwise) identifiers as a reference to the entity, dct:identifier should be used.

In this specification and in [ISO-27560], the (IRI) identifier is used to associate the entity with specific processing roles, which is described in the next section.

9.4.3 Role

This field MUST be present.

Indicates the role of the entity within the process activities, indicated using rdf:type and an appropriate role such as dpv:DataController, dpv:DataProcessor, dpv:ThirdParty, dpv:Authority, and dpv:DataSubject.

In [ISO-27560], the entity (party) fields are separate from the processing section and therefore the role of the entity is expressed separate from processing. In DPV, the role MUST be expressed contextually within the processing fields by using an appropriate property e.g. dpv:hasDataController and the identifier of the entity. Optionally, the entity description field can also contain an explicit acknowledgement of the role by stating the entity is of type e.g. dpv:DataController.

9.4.4 Contact

This field MUST be present.

Indicates the contact for an entity for communication purposes, indicated using schema:contactPoint and an instance of schema:ContactPoint.

NOTE: As in [ISO-27560], this field MUST be present for all entities EXCEPT data subjects as in a record it may not be necessary to record the contact for data subjects. This follows best practices regarding data minimisation and purpose limitation.

9.4.4.1 Postal Address

This field MUST be present.

Indicates the potal address of the entity, expressed using schema:address and an instance of schema:PostalAddress.

NOTE: As in [ISO-27560], this field MUST be present for all entities EXCEPT data subjects as in a record it may not be necessary to record the postal address of data subjects. This follows best practices regarding data minimisation and purpose limitation.

9.4.4.2 Email

This field MAY be present.

Indicates the email of the entity, expressed using schema:email.

9.4.4.3 Phone

This field MAY be present.

Indicates the telephone of the entity, expressed using schema:telephone.

9.4.5 URL

This field MAY be present.

Indicates the URL of the entity, expressed using schema:url. The type of the page can be expressed using appropriate concepts, such as dpv:PrivacyNotice.

9.6 Examples

[ISO-27560] only defines the schema version and receipt identifier fields for consent receipts. For other fields, it recommends using the same fields as that of a consent record. In its guidance, it states that the mandatory fields in consent records should also be mandatory in receipts. Based on this, we only define the additional fields for consent receipts and suggest reusing the consent record fields with their necessity/conditionality as indicated in the document.

10.1 Header Fields

Field Cardinality DPV Concept DPV Property
Schema Version 1 N/A dct:conformsTo
Receipt Identifier 1..* N/A dpv:hasIdentifier

10.1.1 Schema Version

This field MUST be present.

The specific version of the schema (schema_version in [ISO-27560]) used to interpret the record and its information, indicated using dct:conformsTo with the corresponding IRI from 4. Namespaces. Future changes to the schema will result in suffixes to this IRI e.g. dpv-27560-v2. To indicate conformance with specific requirements such as from GDPR, a separate schema or profile IRI must be utilised, as seen in 4. Namespaces.

10.1.2 Record Identifier

This field MUST be present.

The unique identifier (record_id in [ISO-27560]) associated with this consent receipt, indicated using dpv:hasIdentifier. This can be a ([ISO-27560] recommended) UUID-4 string or an IRI.

10.1.4 Creation Timestamp

This field MUST be present.

Indicates the date/time for when the receipt was generated, indicated using dct:created. NOTE: This field is not present in [ISO-27560].

10.1.5 Additional Metadata

Information such as who maintains or published the receipt, when was it created or modified, and its provenance is not covered by [ISO-27560] as it is considered "implementation detail". To assist in maintaining this information, the following fields from [DC-TERMS] are suggested for documenting this information in an optional and non-normative manner:

  • dct:audience: information on entity or entities for whom the receipt is intended or produced for - this will typically be the Data Subject.
  • dct:accessRights: information on who can access the consent receipt, or to specify information regarding the security measures in place restricting access to information within the receipt.
  • dct:contributor: entity or entities that have contributed to the information within the consent receipt.
  • dct:creator: entity that created the consent receipt. NOTE: this entity may be different from the publisher of the consent receipt, e.g. a processor (creator) manages the receipt for a controller (publisher).
  • dct:hasPart (with inverse dct:isPartOf): to associate with a part of the consent receipt, e.g. where the information in a consent receipt may be maintained separately or partitioned based on common information for efficiency.
  • dct:hasVersion (with inverse dct:isVersionOf): to associate one consent receipt with its updated version, e.g. where each event in a consent receipt results in a new consent receipt.
  • dct:replaces (with inverse dct:isReplacedBy): to associate the consent receipt which is being replaced, e.g. where the other consent receipt is no longer in use and this is a new consent receipt intended to replace it.
  • dct:issued: date/time associated with 'formal issuance' of the consent receipt, e.g. where dct:created is a timestamp for when the receipt was generated by a machine agent and where dct:issued captures its formal acceptance as a legally relevant receipt.
  • dct:modified: date/time for when the consent receipt was modified.
  • dct:provenance: information about the provenance of the consent receipt, e.g. where the receipt has been transferred between entities.
  • dct:publisher: entity or entities that 'publish' the consent receipt i.e. make it available within some contextual sense, e.g. to produce it within an audit or legal investigation.
  • dct:source: information on the sources used within the consent receipt, e.g. other receipts or logs that should be associated to receipt the provenance of information.
  • dct:valid: date/time until when this receipt can be considered valid. NOTE: this refers to assessing validity of the receipt as a whole and does NOT refer to validity of consent events or the processing specified within the receipt.

Further, the use of Data Catalog Vocabulary (DCAT) - Version 3 is also recommended to store consent records and receipts as it assists with metadata fields (see above) as well as expressing relations between collections of records/receipts (i.e. catalogues) and relations between datasets (e.g. latest version). See technical considerations.

10.2 Information in Receipt

[ISO-27560] states the receipt can contain and provide the same information as the consent record it is associated with. It also states that the fields indicated as required for consent records are also required within consent receipts. Since receipts are intended to provide information already documented within a consent record, the same fields and information can also be used to create and provide a receipt. However, to enable the receipt to be a broader communication mechanism also capable of providing relevant information in future (e.g. exercised rights), the DPV's receipts are instead a 'wrapper' around a consent record.

10.3 Examples

Issue: Proposal to create receipt schemas to provide specific information as per each of GDPR Art.13/Art.14/Art.15/etc.

11. Considerations

This section is non-normative.

11.1 Security and Privacy

Security considerations are extremely important in the implementation of consent records and receipts, with ISO-27560 Annex E providing guidance for implementations. Consent records are intended to be maintained internally by an entity, and require measures to ensure they maintain their consistency and correctness, and are not tampered with. This includes best practices for information management such as using cryptographic hashes to ensure information has not changed, or using access control to ensure only authorised modifications are permitted. Current internationals standards such as Decentralized Identifiers (DIDs) v1.0 and Verifiable Credentials Data Model v2.0 allow for implementations compatible with the implementation of ISO-27560 using DPV as all are based on interoperable semantic web standards.

For consent receipts to be utilised in a verifiable and trustworthy manner, the information provided within the receipt may require cryptographic measures to provide assurance to prove its immutability and non-repudiation. Further, receipts are intended to be information provided or exchanged between different entities, which may necessitate a mechanism to demonstrably verify the provenance (e.g. a receipt was provided by A to B) and its immutability (e.g. receipt contained X exactly). Cryptography techniques such as digital signatures and certificates can support such applications based on their current utilisation in internet-enabled applications and documentations. Prior work such as Consent Receipts for a Usable And Auditable Web of Personal Data by Jesus and Pandit (2022) and project outcomes such as NGI funded Privacy as Expected: Consent Gateway have explored such considerations, but effective implementation requires consensus amongst stakeholders to create an interoperable ecosystem.

Given the role of consent records and receipts in demonstrating consent decisions, they may end up with potentially sensitive information. ISO-27560 recommends not putting such information directly in records and receipts, and if necessary then implementations should utilise techniques such as information masking or pseudonymisation to avoid directly exposing sensitive information. - though this has to be balanced with the purpose of receipts in providing data subjects with information about their consent.

11.2 Supporting GDPR and DGA

Using ISO-27560 and ISO-29184 within the EU legal framework: ISO-27560 and ISO-29184 are developed and governed by the International Standards Organisation (ISO), and are not specific to EU’s regulations and terminology. To support their use in the legal frameworks, they need to be approved as ‘Euronorm’ (EN) through an EU standardisation body such as CEN, CENELEC, or ESO. At the moment, ISO-29184 has already been approved as EN, and we are working on a proposal with the Irish and Swedish national bodies to recommend the adoption of ISO-27560 as EN. Further, we have also submitted a proposal to the relevant ISO committees to make ISO-27560 standard freely accessible as its guidance is valuable for responsible innovation.

Having these standards as EN provides a strong framework for their utilisation in regulations, such as for notice and consent under GDPR. However, merely adopting the standards on an ‘as-is’ basis will not be sufficient. For example, the terminology in 29184 and GDPR has crucial differences which must be identified and appropriate guidance developed to enable using ISO-29184 with GDPR. Similarly, to address current issues regarding consent and further studies are required to assess the extent of these standards in solving existing issues and what additional measures need to be adopted beyond conformance with the standards.

Demonstrating consent under GDPR: GDPR Article 7-1 creates an obligation for data controllers to maintain consent information and to keep it up to date with the goal of demonstrating where consent was given, refused, or withdrawn. ISO-27560 provides a standard for a common technical structure to support implementing this obligation. In addition to this, GDPR Article 13 and Article 14, amongst others, also require record keeping for what information was provided to individuals in order to implement informed consent. ISO-29184 provides a standard for describing privacy notices, and together with ISO-27560 enables maintaining records of what information was provided and the resulting consent decisions. Based on the analysis provided in this article that demonstrates applicability of ISO-27560 and ISO-29184 to GDPR, we recommend authorities to suggest using these standards to support GDPR compliance.

Receipts to support rights under GDPR: ISO-27560 contains fields for acknowledging which rights exist, and with DPV we can express how/where to exercise them and what information will be required (e.g. identity verification). Further, consent decisions (e.g. given, withdrawn) are themselves also personal data about the data subject, and therefore subject to rights such as Art.20 data portability. This can be a way to enable the use of receipts under GDPR even where it is not explicitly defined as a concept by considering consent information as personal data. Considering consent information as personal data makes it subject to the right to data portability under Article 20 which requires providing information “in a structured, commonly used and machine-readable format”. Further, Article 20 also allows “ the right to transmit those data to another controller”, which can be utilised to transfer consent decisions from one controller to another - a crucial mechanism for the implementation of data reuse and altruism under DGA.

Common consent form under DGA: Article 25 of the DGA requires the Commission to produce a common consent form that will provide information in both human- and machine-readable forms. ISO-27560 with ISO-29184, based on the analysis in this article demonstrating their usefulness to meet GDPR requirements, should be used to define what information should be present in these forms. ISO-29184 as the standard for privacy notices provides the human-oriented representation of information in the consent form, and ISO-27560 and the DPV implementation provide the machine-readable representation. The advantage of using these standards is that the resulting solution would be useful not only in EU but globally due to the global scope of ISO. The advantage of using DPV here is in providing common semantics based on W3C standards that support extensions for specific jurisdictions (like EU with GDPR and DGA) and its extensive taxonomy supporting practical use-cases which promote interoperability. Through direct meetings, we have presented this work to the EU Commission’s Unit G.1 which looks after GDPR and DGA implementations.

Data Intermediaries under DGA: We are also working on further implementations to support DGA by developing specific technical specifications that define how data intermediaries should maintain consent records and issue receipts, and support them in their duties by providing a way to express data reuse requests in a machine-readable form that can be matched with the consent to ensure the purposes are compatible in accordance with the GDPR. This will be based on existing work that utilises the W3C Open Digital Rights Language [ODRL-model] standard for representing policies and agreements, and using it in combination with DPV to create DGA specific offers for data subjects and data intermediaries to indicate which data is available for reuse and under what conditions, requests for data users to indicate what data they are looking for, and agreements to represent the conditions under which data reuse has been approved. We have already demonstrated the feasibility of using ODRL and DPV for such an approach in a manner that improves both technical and organisational processes for the use-case of sharing genomic health datasets.

Data Reuse and Altruism under DGA: To support the DGA’s goals of reusing data for altruism, we are working on creating a taxonomy of altruistic purposes within DPV and developing a framework to express them in a manner that is compatible with GDPR’s requirements for consent and information keeping based on ISO-27560. We are also working on novel approaches such as assessing the compatibility of ISO-27560 defined consent records with information required in a Data Protection Impact Assessment (DPIA), through which we aim to enable data subjects or data intermediaries to conduct their own DPIAs based on a common registry of risks and mitigations provided through the DPV. Through this we aim to establish responsible practices while promoting data reuse and altruism.

11.3 Using Records and Receipts with eIDAS and EUDI Wallet

Following the launch of projects for using European Digital Identity wallet (EUDI) wallet for travel, health, banking, education and other sectors, CEN TC224 WG20, which is the EU standardisation body’s technical committee for personal identification, has initiated a new standards project to provide guidance on when personal data (attributes) are shared from the wallet in compliance with eIDAS and its proposed revision.

In this, [ISO-27560] and [ISO-29184] can be used to create an interoperable and standards based mechanism to structure information and ensure the mandatory fields needed to comply with GDPR are present. Further, the use of these standards also enables a consistent approach for creating common privacy dashboards that can work across EU. Such privacy dashboards would allow a wallet holder to have an overview of all their consent transactions, including any pending requests as well as provide a centralised mechanism for controlling their rights and withdrawing consent by using the eIDAS and eID mechanisms to establish identity and proof of past engagement.

ISO-27560 and ISO-29184 are also crucial as being the only standards regarding consent records and receipts, and privacy notices respectively. Using the analysis and implementations described in this article, a ISO-27560 solution that is also conformant with the GDPR can be used to store consent records and receipts in wallets, which enables data subjects to have a copy of their decision and agreement to process personal data.

Having this information made available to the data subject in a machine-readable format further enables its use in innovative applications that promote reuse of data while ensuring adequate adherence to the EU’s values and regulations. For example, by looking at past consent records or receipts, preferences can be identified for how the individual makes decisions and these can be used to create a template or pattern that will make future consent decisions more efficient and simpler for the individual. ISO-27560 Annex F provides guidance on how such preferences used as ’privacy signals’ can be represented within consent records and receipts.

Another powerful paradigm is also made possible when combining ISO-27560 with eID, eIDAS, and EUDI - where the data subject initiates the consent process by providing a specific consent to use or reuse their personal data, for example to access a particular service. In this scenario, the data subject decides the extent and limit of what their consent will cover, provides their consent to the service provider, and maintains a consent record within their wallet with a signed receipt provided to the service provider as proof of consent.

11.4 Technical Considerations in Managing Records and Receipts

We can use the Data Catalog Vocabulary (DCAT) - Version 3, a W3C standard, to represent the records as datasets and receipts as a catalogue of records. By doing so, the metadata fields provided by DCAT can be readily used to represent information that supports in maintenance and exchange of consent records and receipts, including using existing infrastructure to manage them. DCAT is a widely used standard that supports implementing (open) data portals and has tooling for discovery and management of information. The EU has developed the DCAT Application Profile for data portals in Europe. Version 2.0.1 [DCAT-AP] which extends DCAT to support the EU Open Data Portals.

Through these records and receipts can be readily communicated as interoperable datasets between relevant entities - for example controller to data subject, or between controllers and third parties. This is a crucial technical enabler for the principle of increasing data value through utilisation within the Data Governance Act and Data Spaces. In particular, the use of DCAT(-AP) also supports the addition of further policies and measures to support the implementation of data intermediaries which will be required to maintain consent records under the obligations of the DGA.

12. Changelog and Errata

15 August 2024

01 July 2024 First version published

Funding Acknowledgements

Funding Sponsors

The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.

Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.

The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).

Funding Acknowledgements for Contributors

The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.

13. Issue summary

A. References

A.1 Normative references

[AI]
AI Technology concepts for DPV. URL: https://w3id.org/dpv/ai
[DC-TERMS]
Dublin Core Metadata Terms, version 1.1. DCMI Usage Board. DCMI. 11 October 2010. DCMI Recommendation. URL: http://dublincore.org/documents/2010/10/11/dcmi-terms/
[DCT]
DCMI Metadata Terms (DCT). URL: https://www.dublincore.org/specifications/dublin-core/dcmi-terms/
[DPV]
Data Privacy Vocabulary (DPV) Specification. URL: https://w3id.org/dpv
[DPV-27560]
DPV Profile for implementing ISO/IEC TS 27560:2023 Consent Records and Receipts. URL: https://w3id.org/dpv/schema/dpv-27560
[DPV-29184]
DPV Profile for implementing ISO/IEC TS 29184:2020 Privacy Notices. URL: https://w3id.org/dpv/schema/DPV-29184
[DPVCG]
W3C Data Privacy Vocabularies and Controls Community Group (DPVCG). URL: https://www.w3.org/community/dpvcg/
[EU-GDPR]
EU GDPR concepts for DPV. URL: https://w3id.org/dpv/legal/eu/gdpr
[GDPR]
General Data Protection Regulation (GDPR). URL: https://eur-lex.europa.eu/eli/reg/2016/679/oj
[GUIDES]
Guides for DPV. URL: https://w3id.org/dpv/guides
[ISO-27560]
ISO/IEC TS 27560 Privacy technologies — Consent record information structure. URL: https://www.iso.org/standard/80392.html
[ISO-29184]
ISO/IEC 29184:2020 Privacy Notices and Consent. URL: https://www.iso.org/standard/70331.html
[ISO-8601]
ISO 8601 Date and time format. URL: https://www.iso.org/iso-8601-date-and-time-format.html
Legal Jurisdiction-relevant concepts for DPV. URL: https://w3id.org/dpv/legal
[LOC]
Location and Geo-Political Membership concepts for DPV. URL: https://w3id.org/dpv/loc
[odrl-model]
ODRL Information Model 2.2. Renato Iannella; Serena Villata. W3C. 15 February 2018. W3C Recommendation. URL: https://www.w3.org/TR/odrl-model/
[PD]
Personal Data categories for DPV. URL: https://w3id.org/dpv/pd
[PRIMER]
Primer for Data Privacy Vocabulary. URL: https://w3id.org/dpv/primer
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[RISK]
Risk Assessment and Management concepts for DPV. URL: https://w3id.org/dpv/risk
[TECH]
Technology concepts for DPV. URL: https://w3id.org/dpv/tech
[vocab-dcat-3]
Data Catalog Vocabulary (DCAT) - Version 3. Simon Cox; Andrea Perego; Alejandra Gonzalez Beltran; Peter Winstanley; Riccardo Albertoni; David Browning. W3C. 13 June 2024. W3C Proposed Recommendation. URL: https://www.w3.org/TR/vocab-dcat-3/

A.2 Informative references

[DCAT-AP]
DCAT Application Profile for data portals in Europe. Version 2.0.1. European Commission. 8 June 2020. URL: https://joinup.ec.europa.eu/solution/dcat-application-profile-data-portals-europe
[DID-core]
Decentralized Identifiers (DIDs) v1.0. Manu Sporny; Amy Guy; Markus Sabadello; Drummond Reed. W3C. 19 July 2022. W3C Recommendation. URL: https://www.w3.org/TR/did-core/
[ODRL]
Open Digital Rights Language (ODRL) Model. URL: https://www.w3.org/TR/odrl-model/
[VC-data-model-2.0]
Verifiable Credentials Data Model v2.0. Manu Sporny; Ted Thibodeau Jr; Ivan Herman; Michael Jones; Gabe Cohen. W3C. 18 August 2024. W3C Candidate Recommendation. URL: https://www.w3.org/TR/vc-data-model-2.0/