The Data Privacy Vocabulary (DPV) provides terms (classes and properties) to describe and represent information related to processing of personal data. This extension extends the DPV and provides concepts specific to the obligations and requirements of the General Data Protection Regulation (GDPR). More specifically, it provides a taxonomy of legal bases and rights as defined within the GDPR.
The namespace for terms for Legal Bases under GDPR is http://www.w3.org/ns/dpv-gdpr#
The suggested prefix for the GDPR Legal Bases namespace is dpv-gdpr
The DPV-GDPR ontology and its documentation is available on GitHub.
This document is published by the Data Privacy Vocabularies and Controls Community Group (DPVCG) as a deliverable and report of its work in creating and maintaining the Data Privacy Vocabulary (DPV) and its extensions.
Contributing to the DPV and its extensions The DPVCG welcomes participation regarding the DPV, including expansion or refinement of its terms, addressing open issues, and welcomes suggestions on their resolution or mitigation.
While we welcome participation via any and all mediums - e.g., via Github pull requests or issues, emails, papers, or reports - the formal resolution of contributions takes place only through the DPVCG meeting calls and mailing lists. We therefore suggest joining the group to participate in these discussions for formal approval.
For contributions to the DPV, please see the section on GitHub. For DPV-GDPR specific contributions, please see the section on GitHub. The current list of open issues and their discussions to date can be found at DPVCG issue tracker as well as GitHub issues for DPV and DPV-GDPR.
The Data Privacy Vocabulary provides terms (classes and properties) to annotate and categorize instances of legally compliant personal data handling. In particular, the vocabulary provides LegalBasis and DataSubjectRight as top-level concepts representing the various legal bases for justifying processing of personal data and rights provided to the data subject respectively. Since these concepts are specifically defined within the scope of jurisdictional laws, their implementation is provided as a separate vocabulary that extends the DPV, thereby permitting continued usage of DPV as a jurisdiction-agnostic and generic vocabulary.
This vocabulary, termed as DPV-GDPR, extends the concepts within DPV regarding legal bases and data subject rights with those provided by the GDPR. It provides a compatible extension to be used in combination with the DPV to represent GDPR-specific information.
The namespace for DPV-GDPR vocabulary is http://www.w3.org/ns/dpv-gdpr#. The table below indicates the full list of namespaces and prefixes used in this document.
| Prefix | Namespace |
|---|---|
dct
|
http://purl.org/dc/terms/
|
dpv
|
http://www.w3.org/ns/dpv#
|
dpv-gdpr
|
http://www.w3.org/ns/dpv-gdpr#
|
odrl
|
http://www.w3.org/ns/odrl/2/
|
owl
|
http://www.w3.org/2002/07/owl#
|
rdf
|
http://www.w3.org/1999/02/22-rdf-syntax-ns#
|
rdfs
|
http://www.w3.org/2000/01/rdf-schema#
|
skos
|
http://www.w3.org/2004/02/skos/core#
|
spl
|
http://www.specialprivacy.eu/langs/usage-policy#
|
svd
|
http://www.specialprivacy.eu/vocabs/data#
|
svdu
|
http://www.specialprivacy.eu/vocabs/duration#
|
svl
|
http://www.specialprivacy.eu/vocabs/locations#
|
svpu
|
http://www.specialprivacy.eu/vocabs/purposes#
|
svpr
|
http://www.specialprivacy.eu/vocabs/processing#
|
svr
|
http://www.specialprivacy.eu/vocabs/recipients
|
xsd
|
http://www.w3.org/2001/XMLSchema#
|
Regulations such as the GDPR specify certain legal basis for carrying out the processing of personal data, which makes it mandatory for every processing to have one (or more) legal basis that justifies their compliance. DPV provides a list of legal bases as per the GDPR under the separate namespace of dpv-gdpr. Additional legal bases can be declared by subclassing dpv:LegalBasis.
The taxonomy lists the legal bases as provided by GDPR Article 6 regarding processing of personal data, those defined in GDPR Article 9 regarding processing of special categories of personal data, and those provided by GDPR Articles 45, 46, and 49 in connection with transfer of personal data. The legal basis of ‘consent’ as defined in Article 6(1)(a) has been declared using the terms ‘explicit’ and ‘non-explicit’ to differentiate the requirements of the two in accordance of their requirements of compliance. Furthermore, legal basis provided by Article 6 apply to processing involving personal data whereas those in Article 9 apply specifically to processing involving special categories of personal data.
Art 45(3) |
Art 46(2-a) |
Art 46(2-b) |
Art 46(2-c) |
Art 46(2-d) |
Art 46(2-e) |
Art 46(2-f) |
Art 46(3-a) |
Art 46(3-b) |
Art 49(1-a) |
Art 49(1-b) |
Art 49(1-c) |
Art 49(1-d) |
Art 49(1-e) |
Art 49(1-f) |
Art 49(1-g) |
Art 49(2) |
Art 6(1-a) explicit consent |
Art.6(1-a) non-explicit consent |
Art 6(1-b) |
Art 6(1-c) |
Art 6(1-d) |
Art 6(1-e) |
Art 6(1-f) |
Art 9(2-a) |
Art 9(2-b) |
Art 9(2-c) |
Art 9(2-d) |
Art 9(2-e) |
Art 9(2-f) |
Art 9(2-g) |
Art 9(2-h) |
Art 9(2-i) |
Art 9(2-j) |
| Term: | A45-3 |
| Description: | Personal data can flow freely from the EU to a third country with an Adequacy Decision without any further safeguard being necessary. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.45-3 |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A46-2-a |
| Description: | A legally binding and enforceable instrument between public authorities or bodies |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.46-2a |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A46-2-b |
| Description: | Binding corporate rules |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.46-2b |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A46-2-c |
| Description: | Standard data protection clauses adopted by the Commission |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.46-2c |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A46-2-d |
| Description: | Standard data protection clauses adopted by a Supervisory Authority |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.46-2d |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A46-2-e |
| Description: | An approved code of conduct pursuant to GDPR Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals´ rights |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.46-2e |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A46-2-f |
| Description: | An approved certification mechanism pursuant to GDPR Article 42 together with binding and enforceable commitments of the controller or processor in the third country to appy the appropriate safeguards, including as regards individuals` rights |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.46-2f |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A46-3-a |
| Description: | Contractual clauses with controller, processor or recipient of the personal data in the third country or the international organisation. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.46-3a |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A46-3-b |
| Description: | Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.46-3b |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A49-1-a |
| Description: | The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.49-1a |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A49-1-b |
| Description: | The transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject´s request. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.49-1b |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A49-1-c |
| Description: | The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject and controller and another natural or legal person. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.49-1c |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A49-1-d |
| Description: | The transfer is necessary for important reasons of public interest. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.49-1d |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A49-1-e |
| Description: | The transfer is necessary for the establishment, exercise or defence of legal claims. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.49-1e |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A49-1-f |
| Description: | The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the person is physically or legally incapable of giving consent. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.49-1f |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A49-1-g |
| Description: | The transfer is made from a register which according to Union or Member State law is intended to provide information to the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.49-1g |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A49-2 |
| Description: | The transfer is not repetetive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by controller which are not overridden by the interests or rights and freedoms of the data subject, and controller has assessed all the circumstances surrounding the data transfer and have on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.49-2 |
| Created: | |
| Contributor(s): | Georg P Krog |
| Term: | A6-1-a-explicit-consent |
| Description: | explicit' consent of the data subject |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.6-1a |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn, Harshvardhan J. Pandit, Rigo Wenning |
| Term: | A6-1-a-non-explicit-consent |
| Description: | consent of the data subject |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.6-1a |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn, Harshvardhan J. Pandit, Rigo Wenning |
| Term: | A6-1-b |
| Description: | performance of a contract |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.6-1b |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A6-1-c |
| Description: | compliance with a legal obligation |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.6-1c |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A6-1-d |
| Description: | protection of the vital interests |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.6-1d |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A6-1-e |
| Description: | public interest or official authority |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.6-1e |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A6-1-f |
| Description: | legitimate interests |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.6-1f |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-a |
| Description: | explicit consent with special categories of data |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2a |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-b |
| Description: | employment and social security and social protection law |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2b |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-c |
| Description: | protection of the vital interests |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2c |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-d |
| Description: | legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2d |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-e |
| Description: | data manifestly made public by the data subject |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2e |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-f |
| Description: | establishment, exercise or defence of legal claims / courts acting in their judicial capacity |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2f |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-g |
| Description: | substantial public interest, on the basis of Union or Member State law |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2g |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-h |
| Description: | preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2h |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-i |
| Description: | public interest in public health |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2i |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
| Term: | A9-2-j |
| Description: | public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law |
| Subclass Of: | dpv:LegalBasis |
| Source: | GDPR Art.9-2j |
| Created: | |
| Contributor(s): | Bud Bruegger, Eva Schlehahn |
GDPR provides several rights to the data subject, whose applicability depends on the context and nature of processing taking place. DPV lists these rights at an abstract level as concepts along with their origin in specific clauses of the GDPR.
A13 Right to be Informed |
A14 Right to be Informed |
A15 Right of Access |
A16 Right to Rectification |
A17 Right to Erasure |
A18 Right to Restrict Processing |
A19 Right to Rectification |
A20 Right to Data Portability |
A21 Right to object |
A22 Right to object to automated decision making |
A7-3 Right to Withdraw Consent |
A77 Right to Complaint |
| Term: | A13 |
| Description: | information to be provided where personal data is directly collected from data subject |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.13 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A14 |
| Description: | information to be provided where personal data is collected from other sources |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.14 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A15 |
| Description: | Right of access |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.15 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A16 |
| Description: | Right to rectification |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.16 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A17 |
| Description: | Right to erasure ('Right to be forgotten') |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.17 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A18 |
| Description: | Right to restriction of processing |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.18 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A19 |
| Description: | Right to be notified in case of rectification or erasure of personal data or restriction of processing |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.19 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A20 |
| Description: | Right to data portability |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.20 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A21 |
| Description: | Right to object to processing of personal data |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.21 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A22 |
| Description: | Right not to be subject to a decision based solely on automated processing including profiling |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.22 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A7-3 |
| Description: | Right to withdraw consent |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.7-3 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |
| Term: | A77 |
| Description: | Right to lodge a complaint with a supervisory authority |
| Subclass Of: | dpv:DataSubjectRight |
| Source: | GDPR Art.77 |
| Created: | |
| Contributor(s): | Beatriz Esteves, Georg Krog, Harshvardhan J. Pandit |