Extensions

Extensions reflect additional concepts that extend the core concepts present in DPV and also provide a way to group related concepts that relate to the same topic. Currently, the following extensions are provided. A 'draft' status represents evolving modelling and concepts as they are actively being refined.

[[[PD]]] ([[PD]]) provides additional concepts that extend the DPV's personal data taxonomy based on an opinionated structure contributed by R. Jason Cronk from EnterPrivacy. This separation is to enable adopters to decide whether the extension's concepts are useful to them, or to use other external vocabularies, or define their own.

[[[LOC]]] ([[LOC]]) provides additional concepts regarding locations such as countries and regions based on the ISO 3166 standards.

[[[RISK]]] ([[RISK]]) extends [[DPV]]'s risk assessment concepts based on ISO standards and provides taxonomies relevant to impact assessments.

[[[TECH]]] ([[TECH]]) extends the DPV's terms to represent further specific details regarding technologies, their management, and relevance to actual real-world tools and systems. The [[[AI]]] ([[AI]]) extension further extends [[TECH]] to provide concepts specifically regarding AI techniques, capabilities, risks, data and documentation.

[[[JUSTIFICATIONS]]] ([[JUSTIFICATIONS]]) provides concepts for use as 'justifications' with DPV. For example, where a right cannot be fulfilled, a justification such as 'identity could not be verified' is represented using a specific concept.

[[[LEGAL]]] ([[LEGAL]]) provides concepts to represent laws, authorities, and other legal concepts in various jurisdictions. It is structured to create a separate namespace for each country or jurisdiction by using the ISO 3166-2 code, for example IE represents Ireland and EU represents the European Union. Within this namespace, the specific laws and authorities for that jurisdiction are defined.

Within [[LEGAL]], the following Members States of the European Union are defined in their individual namespaces, with [[LEGAL-EU]] as an additional namespace for representing laws and concepts at EU-level: [[LEGAL-AT]] for Austria, [[LEGAL-BE]] for Belgium, [[LEGAL-BG]] for Bulgaria, [[LEGAL-CY]] for Cyprus, [[LEGAL-CZ]] for Czech Republic, [[LEGAL-DE]] for Germany, [[LEGAL-DK]] for Denmark, [[LEGAL-EE]] for Estonia, [[LEGAL-ES]] for Spain, [[LEGAL-FI]] for Finland, [[LEGAL-FR]] for France, [[LEGAL-GR]] for Greece, [[LEGAL-HR]] for Croatia, [[LEGAL-HU]] for Hungary, [[LEGAL-IE]] for Ireland, [[LEGAL-IS]] for Iceland, [[LEGAL-IT]] for Italy, [[LEGAL-LI]] for Liechtenstein, [[LEGAL-LT]] for Lithuania, [[LEGAL-LU]] for Luxembourg, [[LEGAL-LV]] for Latvia, [[LEGAL-MT]] for Malta, [[LEGAL-NL]] for Netherlands, [[LEGAL-NO]] for Norway, [[LEGAL-PL]] for Poland, [[LEGAL-PT]] for Portugal, [[LEGAL-RO]] for Romania, [[LEGAL-SE]] for Sweden, [[LEGAL-SI]] for Slovenia, [[LEGAL-SK]] for Slovakia. [[LEGAL]] also contains the following jurisdictions: [[LEGAL-GB]] for Great Britain and Northern Ireland, [[LEGAL-HK]] for Hong Kong, [[LEGAL-IN]] for India, [[LEGAL-JP]] for Japan, [[LEGAL-KR]] for Republic of Korea, [[LEGAL-MO]] for Macao, [[LEGAL-MY]] for Malaysia, [[LEGAL-PH]] for the Philippines, [[LEGAL-SG]] for Singapore, [[LEGAL-TH]] for Thailand, [[LEGAL-TW]] for Taiwan, [[LEGAL-US]] for United States of America.

Laws are modelled as extensions within the namespace of their respective jurisdictions. The following are extensions part of [[LEGAL-EU]]: [[[EU-GDPR]]] ([[EU-GDPR]]), [[[EU-DGA]]] ([[EU-DGA]]), [[[EU-NIS2]]] ([[EU-NIS2]]), [[[EU-AIAct]]] ([[EU-AIAct]]), [[[EU-EHDS]]] ([[EU-EHDS]]), [[[EU-RIGHTS]]] ([[EU-RIGHTS]]).

[[SECTOR]] provides extensions modelling specific sectors by using those sector-specific concepts, terms, and modelling which extends the concepts in other DPV extensions. These extensions include: [[SECTOR-EDUCATION]] for Education Sector, [[SECTOR-FINANCE]] for Finance Sector, [[SECTOR-HEALTH]] for Health Sector, [[SECTOR-INFRA]] for (Critical) Infrastructure Sector, [[SECTOR-LAW]] for Law Enforcement & Justice Sector, [[SECTOR-PUBLICSERVICES]] for Public Services Sector.

The [[STANDARDS]] extensions model the core terminologies defined and used within specific forums such as ISO, CEN/CENELEC, NIST, and IEEE so that they can be used with DPV. Currently it provides the extension [[STANDARD-IEEE-7012]] to support the implementation of [[[IEEE-7012]]].

Guides

The [[[GUIDE-Consent-27560]]] [[GUIDE-Consent-27560]] provides implementation of machine-readable consent records and receipts as defined in [[ISO-27560]] by using the Data Privacy Vocabulary (DPV). Additionally, it also provides guidance on using [[ISO-27560]] for meeting [[GDPR]] requirements regarding consent.

As the default semantics in DPV use RDFS and SKOS, the [[[GUIDE-OWL2]]] [[GUIDE-OWL2]] provides guidance for the use of DPV as an OWL2 ontology, and explains how DPV can be easily encoded in a low-complexity profile of OWL2 called OWL2-PL to perform efficient semantic reasoning.

Planned guides in the near future include: ISO-29184 Privacy Notices, GDPR Record of Processing Activities (ROPA), GDPR Data Protection Impact Assessment (DPIA), Data Breach Records and Notifications, Rights Management. Also planned is the [[GUIDE-ODRL]] to provide guidance for the use of DPV concepts with [[[ODRL-MODEL]]] and [[[ODRL-VOCAB]]] which are W3C standards for machine-readable representations of policies and agreements.

Applications

This section provides brief examples of how various DPV concepts and extensions are relevant to specific applications.

• Legal Compliance: In addition to [[DPV]], specific extensions such as the [[EU-GDPR]] for GDPR and [[EU-AIAct]] for the AI Act provides concepts related to the law. The implementation details may require additional extensions such as [[PD]] for personal data categories, [[RISK]] for risk and impact assessments, and [[TECH]] and [[AI]] extensions to model the technologies.
• Consent Management For consent management, the [[DPV]] extension provides key concepts concerning informed consent such as the purposes and data categories, as well as to represent its states (e.g. given). The [[PD]] extension may be relevant to express specific personal data categories, the [[TECH]] extension to denote which technologies might be relevant, and [[RISK]] extensions to specify involved risks. If the consent should meet requirements from a specific law, then the relevant extension should be used for these additional concepts e.g. consent as a legal basis under the GDPR is represented in [[EU-GDPR]] extension.
• Rights Management: [[DPV]] defines the core concept for rights, including those related to exercise and records. Additional concepts require jurisdictional extensions, such as [[EU-GDPR]] for GDPR provided rights, or the [[EU-RIGHTS]] extension for the EU Charter of Fundamental Rights.
• Security & Risk Management: The [[DPV]] provides core concepts regarding risk management, including technical and organisational measures. The [[RISK]] extension provides a larger set of concepts for risk management. Additional risk management concepts may be required based on the use-cases, for example as part of impact assessments required by laws such as [[EU-GDPR]], or to model risk concepts specific to a sector such as [[SECTOR-HEALTH]] for health.
• AI Training and Governance: The [[AI]] extension provides AI-specific concepts, and additionally the [[TECH]] extension provides concepts to represent how technology is provisioned and used. These can be combined with [[DPV]] concepts such as purposes, location, or measures to represent the necessary information.
• Health Data Management: The [[SECTOR-HEALTH]] extension provides concepts focused on Health sector by extending the core concepts defined in [[DPV]]. In addition, jurisdiction-specific concepts are also present which model health-specific requirements, such as the [[EU-EHDS]] extension for EU's Health Data Spaces. Depending on the use-case, core concepts may be chosen from [[DPV]] such as high-level purposes or technical measures, or from [[SECTOR-HEALTH]] such as medical purposes, or concepts defined in laws such as [[EU-EHDS]].