Contributors: (ordered alphabetically) Beatriz Esteves(IDLab, IMEC, Ghent University),
Georg P. Krog(Signatu AS),
Harshvardhan J. Pandit(ADAPT Centre, Dublin City University).
NOTE: The affiliations are informative, do not represent formal endorsements, and may be outdated as this list is generated automatically from existing data.
The EU-DGA extension extends the [[[DPV]]] to provide concepts such as entities, rights, and other relevant concepts based on the [[[DGA]]]. The canonical URL for the EU-DGA extension is https://w3id.org/dpv/legal/eu/dga, the namespace for EU-DGA terms is https://w3id.org/dpv/legal/eu/dga#, the suggested prefix is eu-dga, and this document along with source and releases are available at https://github.com/w3c/dpv.
DPV v2.1-RC feedback/review period until FEB-16 The DPVCG welcomes feedback and review on the v2.1 Release Candidate containing DPV and related specifications until FEB-16, after which, these documents will be published unless unresolved major issues have been identified. Feedback/review can be e.g., suggestions for improvements, fixing grammar/typos, additional information and references, and technical changes to files. The DPVCG shall discuss all submitted feedback and will resolve in through the weekly meetings. To see what is included in v2.1 and a changelog, refer to this link.
DPV Specifications: The [[DPV]] is the core specification within the DPV family, with the following extensions: Personal Data [[PD]], Locations [[LOC]], Risk Management [[RISK]], Technology [[TECH]] and [[AI]], [[JUSTIFICATIONS]], [[SECTOR]] specific extensions, and [[LEGAL]] extensions modelling specific jurisdictions and regulations. A [[PRIMER]] introduces the concepts and modelling of DPV specifications, and [[GUIDES]] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
Introduction
This extension provides concepts relevant for the implementation of EU's [[[DGA]]]. The DGA promotes availability of data and encourages its sharing and reuse through novel mechanisms such as 'data intermediaries' and 'data altruism'. It also provides specific rights, and requires implementation details such as specific technical measures in order to ensure such sharing and altruistic (re-)uses of data are compliant with existing regulations, such as [[GDPR]], and respect rights and freedoms.
This extension provides the following concepts defined or required by the DGA:
Entities in the [[DGA]] are defined by extending the dpv:LegalEntity concept, and are associated with using the relation dpv:hasEntity. DGA's entities are different from 'legal roles' in GDPR's use of 'controllers' and 'processors' as the DGA entities are established with a specific role and purpose. For example, a 'Data Co-operative' is a legal entity which is established to provide the data co-operative services - namely for intermediation and exercise of rights.
eu-dga:DataAltruismAuthority: An authority tasked with overseeing the activity of data altruism organisations and maintaining a public register of said entities
go to full definition
eu-dga:DataAltruismOrganisation: An non-profit organisation who collects and shares data for altruistic purposes
go to full definition
eu-dga:DataHolder: An entity who has the right to grant access to or to share certain personal data or non-personal data
go to full definition
eu-dga:DataIntermediationAuthority: An authority tasked with overseeing the activity of data intermediation service providers and maintaining a public register of said entities
go to full definition
eu-dga:DataReuseAssistant: An entity designated by the Member State to provide technical support and guidance to public sector bodies regarding access and reuse of data and for requesting consent and permissions
go to full definition
eu-dga:DataUser: An entity who has access and the right to use personal or non-personal data for commercial or non-commercial purposes
go to full definition
eu-dga:DISP: An entity who establishes commercial relationships for the data sharing between data subjects and data holders on the one hand and data users on the other
go to full definition
eu-dga:DataCooperative: An entity constituted by data subjects, one-person undertakings or SMEs who provides data intermediation services and supports its members in the exercise of their data-related rights
go to full definition
eu-dga:DISPForDataHolder: An entity who makes data holders' data available for potential data users, including bilateral or multilateral exchanges of data and platforms and databases for the joint exploitation of data
go to full definition
eu-dga:DISPForDataSubject: An entity who makes data subjects' personal data available for potential data users
go to full definition
eu-dga:EuropeanDataInnovationBoard: An authority tasked with overseeing the activities of data intermediation service providers and data altruism organisations
go to full definition
eu-dga:LegalRepresentative: Legal Representative' means a natural or legal person established in the Union explicitly designated to act on behalf of a data intermediation services provider or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in addition to or instead of the data intermediation services provider or entity with regard to the obligations under this Regulation, including with regard to initiating enforcement proceedings against a non-compliant data intermediation services provider or entity not established in the Union
go to full definition
eu-dga:PublicLawGovernedBody: Public Law Governed Body' or 'Body Governed by Public Law' means bodies that have the following characteristics: (a) they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character; (b) they have legal personality; (c) they are financed, for the most part, by the State, regional or local authorities, or other bodies governed by public law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies governed by public law;
go to full definition
eu-dga:PublicSectorBody: ‘Public Sector Body’ means the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities, or one or more such bodies governed by public law
go to full definition
eu-dga:SIPProvider: An entity who is responsible for receiving and transmitting requests for the reuse of public data
go to full definition
eu-dga:EUSIPProvider: An entity who is responsible for receiving and transmitting requests for the reuse of public data in the EU
go to full definition
eu-dga:LocalSIPProvider: A local entity who is responsible for receiving and transmitting requests for the reuse of public data
go to full definition
eu-dga:NationalSIPProvider: A national entity who is responsible for receiving and transmitting requests for the reuse of public data
go to full definition
eu-dga:RegionalSIPProvider: A regional entity who is responsible for receiving and transmitting requests for the reuse of public data
go to full definition
eu-dga:SectorialSIPProvider: An entity who is responsible for receiving and transmitting requests for the reuse of public data for a particular sector
go to full definition
Legal Bases
Legal bases in the [[DGA]] relate to specific activities such as processing of non-personal data ([=A2-6-Permission=]) and data transfers ([=A5-12-Adequacy-Decision=]). These are defined by extending dpv:LegalBasis and its subtypes, and are indicated by using the relation dpv:hasLegalBasis.
eu-dga:A12-e-Exchange-Approval: Explicit request or approval of the data subject or data holder to utilise additional specific tools for the purposes of facilitating exchange of data
go to full definition
eu-dga:A2-6-Permission: The legal basis justifying processing of non-personal data based on the permission of an entity
go to full definition
eu-dga:A31-2-Transfer-Agreement: Data Transfer International Agreement
go to full definition
eu-dga:A31-3-Third-Country-Judgement: Data Transfer Third Country Judgement
go to full definition
eu-dga:A5-12-Adequacy-Decision: Adequacy Decision permitting the transfer of data
go to full definition
eu-dga:A5-9-Transfer-Permission: The legal basis justifying processing of non-personal data based on the permission of an entity to transfer data
go to full definition
Rights under DGA
The [[DGA]] provides several rights to the data subject and data holders whose applicability depends on the context and nature of processing taking place. Since these rights are applicable for both data subjects and non-data subjects (data holders), they are represented by extending dpv:Right instead of dpv:DataSubjectRight. To indicate a right is applicable or available, the relation dpv:hasRight is used.
eu-dga:A27: Right of natural and legal persons to lodge a complaint
go to full definition
eu-dga:A28: Right of affected natural and legal persons to an effective judicial remedy
go to full definition
eu-dga:A28-3: Right of natural and legal persons to get a review by an impartial body with the appropriate expertise
go to full definition
eu-dga:A9-2: Right of redress for a natural or legal person directly affected by a decision regarding reuse (A9-1), in the Member State where the relevant body is located
go to full definition
Rights Impacts
[=DGARightsImpact=], a specialised form of `risk:RightsImpact`, represents an impact on right(s) within the DGA. Further concepts are defined by extending this for each right within the DGA, such as [=A27-Impact=] for impacts on [=A27=] Right to Complaint. These concepts are provided to aid in risk and impact assessments, particularly those associated with impacts on rights, and are to be used along with the relevant concepts and properties from [[DPV]] and [[RISK]] vocabularies.
The scope of each rights impact concept is to represent the impact at a broad level without providing specifics on the nature or category of impact. For example, [=A27-Impact=] only represents an impact on [=A27=] and doesn't state what the impact is or what it implies. While the [[RISK]] extension provides a taxonomy of consequences and impacts which could be used to represent the nature of the impact, the DPVCG is currently exploring whether more contextual and appropriate concepts can be represented for the specific impacts associated with a right. For examples of this, see experimental impacts on rights modelling in [[EU-GDPR]] and [[EU-RIGHTS]] extensions.
eu-dga:DGARightsImpact: Something that acts as or is considered as an impact on one or more rights defined by DGA
go to full definition
eu-dga:A27-Impact: Something that acts as or is considered as an impact on Right of natural and legal persons to lodge a complaint
go to full definition
eu-dga:A28-3-Impact: Something that acts as or is considered as an impact on Right of natural and legal persons to get a review by an impartial body with the appropriate expertise
go to full definition
eu-dga:A28-Impact: Something that acts as or is considered as an impact on Right of affected natural and legal persons to an effective judicial remedy
go to full definition
eu-dga:A28-3-Impact: Something that acts as or is considered as an impact on Right of natural and legal persons to get a review by an impartial body with the appropriate expertise
go to full definition
eu-dga:A9-2-Impact: Something that acts as or is considered as an impact on Right of redress for a natural or legal person directly affected by a decision regarding reuse (A9-1), in the Member State where the relevant body is located
go to full definition
Services
The [[DGA]] defines and regulates several 'services', such as those for data intermediation and altruism. To represent these, the concept dpv:Service is extended. Services can be associated using the relation dpv:hasService.
eu-dga:DataIntermediationService: Service of data intermediation which aims to facilitate the sharing of data between Data Subjects, Data Holders and Data Users
go to full definition
eu-dga:DataCooperativeService: Service provided by a data cooperative
go to full definition
eu-dga:DataIntermediationServiceBetweenHoldersUsers: Data intermediation service for data shared between Data Holders and Data Users
go to full definition
eu-dga:DataIntermediationServiceBetweenSubjectsUsers: Data intermediation service for data shared between Data Subjects, Natural Persons who are Data Holders and Data Users
go to full definition
eu-dga:SingleInformationPoint: Service responsible for receiving and transmitting requests for the re-use of public data
go to full definition
Registers
The [[DGA]] requires the creation and maintenance of specific registers or registries, such as those for data altruistic organisations. These are represented by extending the concept dpv:PublicRegisterOfEntities. Membership of the registry can be expressed using the concept dpv:hasEntity, or even through use of [[SKOS]] collections.
eu-dga:DAORegister: Registry containing list of recognised data altruism organisations
go to full definition
eu-dga:DAORegisterEU: Registry maintained by EU containing list of recognised data altruism organisations
go to full definition
eu-dga:DAORegisterNational: Registry maintained at National level containing list of recognised data altruism organisations
go to full definition
eu-dga:DISPRegister: Document that contains a publicly available list of data intermediation service providers
go to full definition
Tech/Org Measures
The specific technical and organisational measures defined or implied in the [[DGA]] are defined by extending the dpv:TechnicalOrganisationalMeasure concepts. These can be associated by using the relations dpv:hasTechnicalMeasure and dpv:hasOrganisationalMeasure. In addition to these, if a measure has legal enforcement, then the concept dpv:LegalMeasure and relation dpv:hasLegalMeasure can be used.
eu-dga:DataAltruismAnnualReport: Document containing the annual activities reported by a Data Altruism organisation
go to full definition
eu-dga:DataAltruismNotice: Notice providing information regarding the processing of data for data altruistic purposes
go to full definition
eu-dga:DataAltruismRecord: Document that logs the activity of the data altruism organisation
go to full definition
eu-dga:DataAssetList: Searchable asset list which contains available data resources including their data format and size and the conditions for their re-use
go to full definition
eu-dga:DataIntermediationRecord: Document that logs the activity of the data intermediation service provider
go to full definition
eu-dga:DataReuseRequest: Procedure to handle requests and provide data for reuse via single information point
go to full definition
eu-dga:DISPEUApproval: Confirmation and approval by a competent authority for the Data Intermediation Service Provider's compliance with Article 11 and Article 12 of the DGA
go to full definition
eu-dga:DISPNotice: Notification by a Data Intermediation Service Provider to a competent authority concerning changes to details regarding its Data Intermediation Service
go to full definition
eu-dga:EUDataAltruismConsentForm: A form provided by the European Commission for collecting consent
go to full definition
eu-dga:NationalDataAltruismPolicy: A Policy established at National level regarding Data Altruism
go to full definition
eu-dga:PersonalDataReuseNotice: Notice for data subjects to provide consent based on information and advise regarding intended use of data, exercise of rights, and applicable terms and conditions
go to full definition
eu-dga:SecureProcessingEnvironment: Physical or virtual environment to ensure compliance with EU law and allow the entity providing the secure processing environment to determine and supervise all data processing actions
go to full definition
eu-dga:ThirdCountryDataRequestNotice: Notice regarding a request of a third-country administrative authority to access data
go to full definition
Compliance
The concepts in this section reflect the status of processing operations being in compliance with DGA, by extending the ComplianceStatus from DPV for DGA. It does not define the requirements for compliance itself. To indicate these, the relation dpv:hasLawfulness can be used.
eu-dga:DGALawfulness: Status or state associated with being lawful or legally compliant regarding DGA
go to full definition
eu-dga:DGAComplianceUnknown: State where lawfulness or compliance with DGA is unknown
go to full definition
eu-dga:DGACompliant: State of being lawful or legally compliant for DGA
go to full definition
eu-dga:DGANonCompliant: State of being unlawful or legally non-compliant for DGA
go to full definition
Right of affected natural and legal persons to an effective judicial remedy
Usage Note
The right is scoped to legally binding decisions referred to in Article 14 taken by the competent authorities for data intermediation services in the management, control and enforcement of the notification regime for data intermediation services providers and legally binding decisions referred to in Articles 19 and 24 taken by the competent authorities for the registration of data altruism organisations in the monitoring of recognised data altruism organisations
Something that acts as or is considered as an impact on Right of natural and legal persons to get a review by an impartial body with the appropriate expertise
Right of redress for a natural or legal person directly affected by a decision regarding reuse (A9-1), in the Member State where the relevant body is located
Something that acts as or is considered as an impact on Right of redress for a natural or legal person directly affected by a decision regarding reuse (A9-1), in the Member State where the relevant body is located
An entity constituted by data subjects, one-person undertakings or SMEs who provides data intermediation services and supports its members in the exercise of their data-related rights
An entity designated by the Member State to provide technical support and guidance to public sector bodies regarding access and reuse of data and for requesting consent and permissions
An entity who establishes commercial relationships for the data sharing between data subjects and data holders on the one hand and data users on the other
An entity who makes data holders' data available for potential data users, including bilateral or multilateral exchanges of data and platforms and databases for the joint exploitation of data
Notification by a Data Intermediation Service Provider to a competent authority concerning changes to details regarding its Data Intermediation Service
Legal Representative' means a natural or legal person established in the Union explicitly designated to act on behalf of a data intermediation services provider or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations in addition to or instead of the data intermediation services provider or entity with regard to the obligations under this Regulation, including with regard to initiating enforcement proceedings against a non-compliant data intermediation services provider or entity not established in the Union
Notice for data subjects to provide consent based on information and advise regarding intended use of data, exercise of rights, and applicable terms and conditions
Public Law Governed Body' or 'Body Governed by Public Law' means bodies that have the following characteristics: (a) they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character; (b) they have legal personality; (c) they are financed, for the most part, by the State, regional or local authorities, or other bodies governed by public law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies governed by public law;
‘Public Sector Body’ means the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities, or one or more such bodies governed by public law
Physical or virtual environment to ensure compliance with EU law and allow the entity providing the secure processing environment to determine and supervise all data processing actions
DPV uses the following terms from [[RDF]] and [[RDFS]] with their defined meanings:
rdf:type to denote a concept is an instance of another concept
rdfs:Class to denote a concept is a Class or a category
rdfs:subClassOf to specify the concept is a subclass (subtype, sub-category, subset) of another concept
rdf:Property to denote a concept is a property or a relation
The following external concepts are re-used within DPV:
External
Funding Acknowledgements
Funding Sponsors
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
Funding Acknowledgements for Contributors
The contributions of Beatriz Esteves have received funding through the PROTECT ITN Project from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813497. Beatriz Esteves is funded by SolidLab Vlaanderen (Flemish Government, EWI and RRF project VV023/10), and by the imec.icon project PACSOI (HBC.2023.0752) which was co-financed by imec and VLAIO.
The contributions of Harshvardhan J. Pandit and Dave Lewis have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.