Contributors: (ordered alphabetically) Beatriz Esteves (IDLab, IMEC, Ghent University),
Bud Bruegger (Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein),
David Hickey (Dublin City University),
Eva Schlehahn (Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein),
Georg P. Krog (Signatu AS),
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University),
Paul Ryan (Uniphar PLC),
Rigo Wenning (W3C/ERCIM).
NOTE: The affiliations are informative, do not represent formal endorsements, and may be outdated as this list is generated automatically from existing data.
The EU-GDPR extension extends the [[[DPV]]] to provide concepts such as legal bases, rights, and data transfer tools based on the [[[GDPR]]]. The canonical URL for EU-GDPR extension is https://w3id.org/dpv/legal/eu/gdpr, the namespace for terms is https://w3id.org/dpv/legal/eu/gdpr#, the suggested prefix is eu-gdpr, and this document along with source and releases are available at https://github.com/w3c/dpv.
DPV v2.1-RC feedback/review period until FEB-16: The DPVCG welcomes feedback and review on the v2.1 Release Candidate containing DPV and related specifications until FEB-16, after which these documents will be published unless unresolved major issues have been identified. Feedback/review can be, e.g., suggestions for improvements, fixing grammar/typos, additional information and references, and technical changes to files. The DPVCG shall discuss all submitted feedback and will resolve it through the weekly meetings. To see what is included in v2.1 and a changelog, refer to this link.
DPV Specifications: The [[DPV]] is the core specification within the DPV family, with the following extensions: Personal Data [[PD]], Locations [[LOC]], Risk Management [[RISK]], Technology [[TECH]] and [[AI]], [[JUSTIFICATIONS]], [[SECTOR]] specific extensions, and [[LEGAL]] extensions modelling specific jurisdictions and regulations. A [[PRIMER]] introduces the concepts and modelling of DPV specifications, and [[GUIDES]] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
Introduction
The [[EU-GDPR]] extension provides concepts extending the [[DPV]] to represent information requirements from the [[GDPR]]. It enables the use of DPV to represent use-cases that are regulated by the GDPR, such as using specific legal bases defined in the GDPR, or to represent the applicability of rights, or requirements for conducting data protection impact assessments. It also enables representing practicalities such as organisations and their 'establishments' in the EU, data breach reporting and impact assessments, and data transfer tools. In particular, the [[EU-GDPR]] extension provides the following:
Legal Bases for processing personal data as defined in Articles 6 and 9 (special categories of personal data) and 45-49 (data transfer)
Data Protection Impact Assessment (DPIA) information as defined in Article 35, such as necessity to conduct a DPIA, indicating the findings of DPIA in terms of risk levels and impacts, and the outcomes of DPIAs regarding continuation of processing
Data Breach information such as types of breaches, notices, reporting requirements, and risk levels
Establishment & Authorities to indicate aspects such as 'main' establishment of an organisation, and to indicate role of DPAs as 'lead' supervisory authority
Compliance to express whether the specific process or context is compliant with the GDPR
Mapping GDPR concepts to DPV
This draft mapping table shows how the DPV and EU-GDPR extension represent specific concepts within the GDPR.
GDPR Article 6 specifies that it is mandatory for every processing to have one (or more) legal basis that justifies its compliance. These are represented as Core Legal Basis concepts by extending relevant dpv:LegalBasis concepts, such as for consent or contract. Similarly, Article 9 legal bases are represented as Special Category Legal Basis, and those from Articles 45, 46, and 49 are represented as instances of dpv:DataTransferLegalBasis to create Data Transfer Legal Basis.
Core (Art.6)
These concepts represent the Article 6-1 legal bases from GDPR. They are defined by extending dpv:LegalBasis and can be indicated by using dpv:hasLegalBasis.
eu-gdpr:A6-1-b: Legal basis based on performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
eu-gdpr:A6-1-b-contract-performance: Legal basis based on performance of a contract to which the data subject is party
eu-gdpr:A6-1-b-enter-into-contract: Legal basis based on taking steps at the request of the data subject prior to entering into a contract
eu-gdpr:A6-1-c: Legal basis based on compliance with a legal obligation to which the controller is subject
eu-gdpr:A6-1-d: Legal basis based on protecting the vital interests of the data subject or of another natural person
eu-gdpr:A6-1-d-data-subject: Legal basis based on protecting the vital interests of the data subject
eu-gdpr:A6-1-d-natural-person: Legal basis based on protecting the vital interests of another natural person that is not the data subject
eu-gdpr:A6-1-e: Legal basis based on performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
eu-gdpr:A6-1-e-official-authority: Legal basis based on the exercise of official authority vested in the controller
eu-gdpr:A6-1-e-public-interest: Legal basis based on performance of a task carried out in the public interest
eu-gdpr:A6-1-f: Legal basis based on the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
eu-gdpr:A6-1-f-controller: Legal basis based on the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
eu-gdpr:A6-1-f-third-party: Legal basis based on the purposes of the legitimate interests pursued by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
eu-gdpr:Consent: ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
eu-gdpr:A6-1-a: Legal basis based on data subject's given consent to the processing of his or her personal data for one or more specific purposes
eu-gdpr:A6-1-a-explicit-consent: Legal basis based on data subject's given explicit consent to the processing of his or her personal data for one or more specific purposes
eu-gdpr:A6-1-a-non-explicit-consent: Legal basis based on data subject's given non-explicit express consent to the processing of his or her personal data for one or more specific purposes
Special Category (Art.9)
These concepts represent the Article 9-2 legal bases from GDPR regarding processing of special category personal data as defined in Article 9-1. They are defined by extending dpv:LegalBasis and can be indicated by using dpv:hasLegalBasis. The [[[PD]]] extension provides an indication of whether its concepts belong to the special categories as defined in GDPR, which may be of interest here.
eu-gdpr:A9-2-a: explicit consent with special categories of data
eu-gdpr:A9-2-b: employment and social security and social protection law
eu-gdpr:A9-2-d: legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
eu-gdpr:A9-2-e: data manifestly made public by the data subject
eu-gdpr:A9-2-f: establishment, exercise or defence of legal claims / courts acting in their judicial capacity
eu-gdpr:A9-2-g: substantial public interest, on the basis of Union or Member State law
eu-gdpr:A9-2-h: preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
eu-gdpr:A9-2-j: public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law
Data Transfer (Art.45-49)
These concepts represent the legal bases from GDPR Articles 45 (adequacy decisions), 46 (data transfer tools), and 49 (consent, contract, etc.). They are defined by extending dpv:DataTransferLegalBasis and can be indicated by using dpv:hasLegalBasis. The Article 45 adequacy decisions between EU and other jurisdictions are provided as concepts for use with DPV in [[[LOC]]].
eu-gdpr:A45-3: Personal data can flow freely from the EU to a third country with an Adequacy Decision without any further safeguard being necessary.
eu-gdpr:AdequacyDecision: An adequacy decision as per GDPR Art.45(3) for the transfer of data to a third country or an international organisation
eu-gdpr:A46-2-a: A legally binding and enforceable instrument between public authorities or bodies
eu-gdpr:A46-2-b: ‘Binding Corporate Rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity
eu-gdpr:A46-2-c: Standard data protection clauses adopted by the Commission
eu-gdpr:A46-2-d: Standard data protection clauses adopted by a Supervisory Authority
eu-gdpr:A46-2-e: An approved code of conduct pursuant to GDPR Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights
eu-gdpr:A46-2-f: An approved certification mechanism pursuant to GDPR Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights
eu-gdpr:A46-3-a: Contractual clauses with controller, processor or recipient of the personal data in the third country or the international organisation.
eu-gdpr:A46-3-b: Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights
eu-gdpr:A49-1-a: The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
eu-gdpr:A49-1-b: The transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject's request.
eu-gdpr:A49-1-c: The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject and controller and another natural or legal person.
eu-gdpr:A49-1-d: The transfer is necessary for important reasons of public interest.
eu-gdpr:A49-1-e: The transfer is necessary for the establishment, exercise or defence of legal claims.
eu-gdpr:A49-1-f: The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the person is physically or legally incapable of giving consent.
eu-gdpr:A49-1-g: The transfer is made from a register which according to Union or Member State law is intended to provide information to the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
eu-gdpr:A49-2: The transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by controller which are not overridden by the interests or rights and freedoms of the data subject, and controller has assessed all the circumstances surrounding the data transfer and have on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
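The three groups of legal bases above can be used to lint a record of processing before it is published or relied on. The following is an added example, not code from the DPV specification or the DPVCG: the record fields `legal_bases`, `special_category` and `third_country_transfer` are hypothetical, and the rule that special-category data needs an Article 9 basis and a third-country transfer needs an Article 45-49 basis on top of an Article 6 basis is a policy assumption of this example.

```python
"""Added example: legal-basis completeness check using the eu-gdpr terms listed above."""

EU_GDPR_NS = "https://w3id.org/dpv/legal/eu/gdpr#"   # namespace stated on this page
PREFIX = "eu-gdpr:"                                   # suggested prefix stated on this page

# Local names copied from the three lists on this page. eu-gdpr:Consent and
# eu-gdpr:AdequacyDecision are left out: treating them as definitions rather
# than article-numbered bases is an assumption of this example.
ART6 = frozenset("A6-1-" + s for s in (
    "a", "a-explicit-consent", "a-non-explicit-consent",
    "b", "b-contract-performance", "b-enter-into-contract",
    "c", "d", "d-data-subject", "d-natural-person",
    "e", "e-official-authority", "e-public-interest",
    "f", "f-controller", "f-third-party"))
ART9 = frozenset("A9-2-" + s for s in "abdefghj")
TRANSFER = frozenset(
    ["A45-3"]
    + ["A46-2-" + s for s in "abcdef"]
    + ["A46-3-a", "A46-3-b"]
    + ["A49-1-" + s for s in "abcdefg"]
    + ["A49-2"])
KNOWN = ART6 | ART9 | TRANSFER


def local_name(term):
    """Return the eu-gdpr local name for a CURIE or full IRI, else None."""
    for lead in (PREFIX, EU_GDPR_NS):
        if term.startswith(lead):
            return term[len(lead):]
    return None


def check_record(rec):
    """Return a list of findings for one record (empty list means no finding)."""
    findings = []
    names = set()
    for term in rec.get("legal_bases", []):
        name = local_name(term)
        if name is None or name not in KNOWN:
            # Typos and wrong namespaces would otherwise pass silently in RDF.
            findings.append("unknown-term:" + term)
        else:
            names.add(name)
    if not names & ART6:
        findings.append("missing-art6-basis")
    if rec.get("special_category") and not names & ART9:
        findings.append("missing-art9-basis")
    if rec.get("third_country_transfer") and not names & TRANSFER:
        findings.append("missing-transfer-basis")
    return findings


def audit(records):
    """Map record id -> findings, keeping only records that have findings."""
    report = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            report[rec["id"]] = findings
    return report


# Constructed sample records (not real processing activities).
SAMPLE_RECORDS = [
    {"id": "crm-billing",
     "legal_bases": ["eu-gdpr:A6-1-b-contract-performance"]},
    {"id": "occupational-health",
     "legal_bases": ["eu-gdpr:A6-1-c"],
     "special_category": True},
    {"id": "us-analytics",
     "legal_bases": ["eu-gdpr:A6-1-f-controller", EU_GDPR_NS + "A46-2-c"],
     "third_country_transfer": True},
    {"id": "newsletter",
     "legal_bases": ["eu-gdpr:A6-1-g"]},          # no such term on this page
    {"id": "research-export",
     "legal_bases": ["eu-gdpr:A9-2-j", "eu-gdpr:A49-1-a"],
     "special_category": True,
     "third_country_transfer": True},
]

if __name__ == "__main__":
    for rec_id, findings in audit(SAMPLE_RECORDS).items():
        print(rec_id, findings)
```
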
Principles
Principles, as defined in GDPR Article 5, are represented as concepts by extending the concept dpv:Principle, which is a type of organisational measure in [[DPV]]. How these principles are used or applied or evaluated is not defined in this extension. These concepts can be used as part of compliance assessments, for example with dpv:ComplianceStatus or dpv:Lawfulness, to indicate whether the principle has been fulfilled or violated.
eu-gdpr:AccountabilityPrinciple: Principle stating the controller shall be responsible for, and be able to demonstrate compliance with the other principles (from Art.5-1)
eu-gdpr:AccuracyPrinciple: Principle stating personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay used for
eu-gdpr:DataMinimisationPrinciple: Principle stating personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
eu-gdpr:FairnessPrinciple: Principle stating personal data must be processed fairly in relation to the data subject
eu-gdpr:IntegrityConfidentialityPrinciple: Principle stating personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
eu-gdpr:LawfulnessPrinciple: Principle stating personal data must be processed in a lawful manner in relation to the data subject
eu-gdpr:PurposeLimitationPrinciple: Principle stating personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
eu-gdpr:StorageLimitationPrinciple: Principle stating personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject
eu-gdpr:TransparencyPrinciple: Principle stating personal data must be processed in a transparent manner in relation to the data subject
Rights and Impact on Rights
Data Subject Rights
GDPR provides several rights to the data subject, whose applicability depends on the context and nature of processing taking place. DPV lists these rights at an abstract level as concepts along with their origin in specific clauses of the GDPR.
In addition to DPV's concepts regarding exercise of rights, EU-GDPR provides additional concepts specific to the implementation of its rights. For example, [=SARNotice=] refers to the information provided in fulfilment of [=A15=] Right of Access, or using [=dcat:Resource=] to represent the dataset provided in fulfilment of [=A20=] Right to Data Portability.
eu-gdpr:A13: information to be provided where personal data is directly collected from data subject
eu-gdpr:A14: information to be provided where personal data is collected from other sources
eu-gdpr:A22: Right not to be subject to a decision based solely on automated processing including profiling, and for the data subject to obtain human intervention on the part of the controller for the contested or objected activity, and for the data subject to express his or her point of view, and for the data subject to contest the decision
eu-gdpr:A22-3-a: Right of the data subject to obtain human intervention on the part of the controller for the contested or objected activity
eu-gdpr:A22-3-b: Right of the data subject to express his or her point of view
eu-gdpr:A22-3-c: Right of the data subject to contest the decision
eu-gdpr:A77: Right to lodge a complaint with a supervisory authority
eu-gdpr:A78: Right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning a natural or legal person
eu-gdpr:A79: Right to an effective judicial remedy where the data subject considers that his or her rights have been infringed as a result of the processing of his or her personal data
eu-gdpr:DirectDataCollectionNotice: A Notice provided in fulfilment of GDPR's Art.13 regarding information to be provided where personal data are collected from the data subject
eu-gdpr:IndirectDataCollectionNotice: A Notice provided in fulfilment of GDPR's Art.14 regarding information to be provided where personal data are not collected from the data subject
eu-gdpr:RightsRecipientsNotice: A Notice provided in fulfilment of GDPR's Art.19 regarding Recipients to whom a rights exercise has been communicated, such as regarding rectification (A.16) or erasure of personal data (A.17) or restriction of processing (A.18)
eu-gdpr:SARNotice: A Notice provided in fulfilment of GDPR's Art.15 regarding information to be provided for Right of Access or Subject Access Request (SAR)
Rights Impacts
[=GDPRRightsImpact=], a specialised form of `risk:RightsImpact`, represents an impact on right(s) within the GDPR. Further concepts are defined by extending this for each right within the GDPR, such as [=A20-Impact=] for impacts on [=A20=] Right to Data Portability. These concepts are provided to aid in risk and impact assessments, particularly those associated with impacts on rights, and are to be used along with the relevant concepts and properties from [[DPV]] and [[RISK]] vocabularies.
The scope of each rights impact concept is to represent the impact at a broad level without providing specifics on the nature or category of impact. For example, [=A13-Impact=] only represents an impact on [=A13=] and doesn't state what the impact is or what it implies. While the [[RISK]] extension provides a taxonomy of consequences and impacts which could be used to represent the nature of the impact, the DPVCG is currently exploring whether more contextual and appropriate concepts can be represented for the specific impacts associated with a right. For this, the [=A13-Impact=] is experimentally extended to represent categories of impact, e.g. A13 incorrectly being considered as not being applicable as [=A13-Denied=]. This follows a similar exercise for modelling impacts on EU Fundamental Rights and Freedoms in the [[EU-RIGHTS]] extension.
eu-gdpr:GDPRRightsImpact: Something that acts as or is considered as an impact on one or more rights defined by GDPR
eu-gdpr:A13-Impact: Something that acts as or is considered as an impact on A13 Right to be Informed
eu-gdpr:A13-Denied: A denial that A13 applied to the situation
eu-gdpr:A13-Eroded: Erosion of A13 obligation to provide information e.g. by repeatedly and systematically limiting or denying it
eu-gdpr:A13-ExercisePrevented: The prevention of A13 obligation to provide information e.g. by preventing the data subject from obtaining this information
eu-gdpr:A13-Limited: A limited fulfillment of A13 obligation to provide information e.g. not providing all required information
eu-gdpr:A13-Obstructed: Obstruction of A13 obligation to provide information e.g. asking for unnecessary identity verification and making it difficult to obtain information
eu-gdpr:A13-Unfulfilled: Non-fulfillment of A13 obligation to provide required information
eu-gdpr:A13-Violated: A violation of A13 obligation regarding providing information
eu-gdpr:A14-Impact: Something that acts as or is considered as an impact on A14 Right to be Informed
eu-gdpr:A15-Impact: Something that acts as or is considered as an impact on A15 Right of Access
eu-gdpr:A16-Impact: Something that acts as or is considered as an impact on A16 Right to Rectification
eu-gdpr:A17-Impact: Something that acts as or is considered as an impact on A17 Right to Erasure
eu-gdpr:A18-Impact: Something that acts as or is considered as an impact on A18 Right to Restrict Processing
eu-gdpr:A19-Impact: Something that acts as or is considered as an impact on A19 Right to Rectification Notification
eu-gdpr:A20-Impact: Something that acts as or is considered as an impact on A20 Right to Data Portability
eu-gdpr:A21-Impact: Something that acts as or is considered as an impact on A21 Right to object
eu-gdpr:A22-Impact: Something that acts as or is considered as an impact on A22 Right to object to automated decision making
eu-gdpr:A7-3-Impact: Something that acts as or is considered as an impact on A7-3 Right to Withdraw Consent
eu-gdpr:A77-Impact: Something that acts as or is considered as an impact on A77 Right to Complaint
Mapping: Legal Basis × Rights
To support the effective implementation of GDPR, the [[EU-GDPR]] extension provides a mapping between legal bases and data subject rights to indicate which right should be provided based on the selected legal basis. This information is represented in machine-readable form within the [[EU-GDPR]] extension by using the relation dpv:hasRight between instances of GDPR legal basis and rights.
Legal Basis (rows), Right (columns)
A13 Right to be Informed
A14 Right to be Informed
A15 Right of Access
A16 Right to Rectification
A17 Right to Erasure
A18 Right to Restrict Processing
A19 Right to Rectification Notification
A20 Right to Data Portability
A21 Right to object
A22 Right to object to automated decision making
A22 Right to human intervention
A22 Right to express point of view
A22 Right to contest decision
A7-3 Right to Withdraw Consent
A77 Right to Complaint
A78 Right to an effective judicial remedy against a supervisory authority
A79 Right to an effective judicial remedy against a controller or processor
GDPR defines instances where the exercise of a right can be denied, delayed, or put on hold while more information or activities are required. For example, GDPR Art.12-3 states that fulfilling a rights exercise request may be delayed if it is sufficiently complex and/or there are a large number of requests to be handled at that time. These are modelled as [=JustificationA12Complexity=] and [=JustificationA12HighVolume=] respectively, which are instances of `dpv:Justification` and can be associated using the relation `dpv:hasJustification`. The justification concepts expand broader concepts in the [[JUSTIFICATIONS]] extension and are defined for interpretation in the context of specific rights. The list below gives the justifications derived from the GDPR for each specific right.
A13 Right to be Informed (5 justifications)
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
[=JustificationA13EntityAlreadyInformed=] Justification that A13 obligations for providing information do not apply as the data subject already has the information
A14 Right to be Informed (13 justifications)
[=JustificationA12IdentityFailure=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification
[=JustificationA12IdentityRequired=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
[=JustificationA12InformationRequired=] Justification that the request under A14-21 could not be fulfilled due to additional information being required
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
[=JustificationA14ConfidentialityCompromised=] Justification that A14 obligations for providing information cannot be fulfilled as the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy
[=JustificationA14DisproportionateEffort=] Justification that A14 obligations for providing information will require a disproportionate effort to fulfill
[=JustificationA14EntityAlreadyInformed=] Justification that A14 obligations for providing information do not apply as the data subject already has the information
[=JustificationA14FulfilmentImpossible=] Justification that A14 obligations for providing information are impossible to fulfill
[=JustificationA14LegallyExempted=] Justification that A14 obligations for providing information is legally exempted
[=JustificationA14ObjectivesImpaired=] Justification that A14 obligations for providing information will (seriously) impair the objectives of the processing
A15 Right of Access (10 justifications)
[=JustificationA12Complexity=] Justification that the request under A15-A22 is delayed due to complexity in fulfilling it
[=JustificationA12Delay=] Justification that the request under A15-A22 is delayed
[=JustificationA12HighVolume=] Justification that the request under A15-A22 is delayed due to high volume of similar requests required to be fulfilled
[=JustificationA12IdentityFailure=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification
[=JustificationA12IdentityRequired=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
[=JustificationA12InformationRequired=] Justification that the request under A14-21 could not be fulfilled due to additional information being required
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
A16 Right to Rectification (10 justifications)
[=JustificationA12Complexity=] Justification that the request under A15-A22 is delayed due to complexity in fulfilling it
[=JustificationA12Delay=] Justification that the request under A15-A22 is delayed
[=JustificationA12HighVolume=] Justification that the request under A15-A22 is delayed due to high volume of similar requests required to be fulfilled
[=JustificationA12IdentityFailure=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification
[=JustificationA12IdentityRequired=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
[=JustificationA12InformationRequired=] Justification that the request under A14-21 could not be fulfilled due to additional information being required
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
A17 Right to Erasure (23 justifications)
[=JustificationA12Complexity=] Justification that the request under A15-A22 is delayed due to complexity in fulfilling it
[=JustificationA12Delay=] Justification that the request under A15-A22 is delayed
[=JustificationA12HighVolume=] Justification that the request under A15-A22 is delayed due to high volume of similar requests required to be fulfilled
[=JustificationA12IdentityFailure=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification
[=JustificationA12IdentityRequired=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
[=JustificationA12InformationRequired=] Justification that the request under A14-21 could not be fulfilled due to additional information being required
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
[=JustificationA17Archiving=] Justification that the A17 right to erasure or to be forgotten could not be completed due to
[=JustificationA17ChildData=] Justification that the A17 right to erasure or to be forgotten is being exercised as the personal data of a child have been collected for information society services referred to in A8(1)
[=JustificationA17FreedomOfExpression=] Justification that the A17 right to erasure or to be forgotten could not be completed as the processing is necessary for exercising the right of freedom of expression and information
[=JustificationA17LegalClaims=] Justification that the A17 right to erasure or to be forgotten could not be completed due to
[=JustificationA17LegalErasure=] Justification that the A17 right to erasure or to be forgotten is being exercised as the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
[=JustificationA17LegallyRequired=] Justification that the A17 right to erasure or to be forgotten could not be completed as the processing is required for compliance with a legal obligation
[=JustificationA17NoLegalBasis=] Justification that the A17 right to erasure or to be forgotten is being exercised as the corresponding consent has been withdrawn and there is no other legal basis for the processing
[=JustificationA17NonNecessity=] Justification that the A17 right to erasure or to be forgotten is being exercised as the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
[=JustificationA17ObjectA21=] Justification that the A17 right to erasure or to be forgotten is being exercised through A21 right to object where there are no overriding legitimate grounds for the processing (A21-1) or as an objection to direct marketing (A21-2)
[=JustificationA17OfficialAuthority=] Justification that the A17 right to erasure or to be forgotten could not be completed due to
[=JustificationA17PublicHealth=] Justification that the A17 right to erasure or to be forgotten could not be completed due to
[=JustificationA17PublicInterest=] Justification that the A17 right to erasure or to be forgotten could not be completed due to
[=JustificationA17UnlawfulProcessing=] Justification that the A17 right to erasure or to be forgotten is being exercised as the personal data have been unlawfully processed
A18 Right to Restrict Processing (10 justifications)
[=JustificationA12Complexity=] Justification that the request under A15-A22 is delayed due to complexity in fulfilling it
[=JustificationA12Delay=] Justification that the request under A15-A22 is delayed
[=JustificationA12HighVolume=] Justification that the request under A15-A22 is delayed due to high volume of similar requests required to be fulfilled
[=JustificationA12IdentityFailure=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification
[=JustificationA12IdentityRequired=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
[=JustificationA12InformationRequired=] Justification that the request under A14-21 could not be fulfilled due to additional information being required
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
A19 Right to Rectification Notification (10 justifications)
[=JustificationA12Complexity=] Justification that the request under A15-A22 is delayed due to complexity in fulfilling it
[=JustificationA12Delay=] Justification that the request under A15-A22 is delayed
[=JustificationA12HighVolume=] Justification that the request under A15-A22 is delayed due to high volume of similar requests required to be fulfilled
[=JustificationA12IdentityFailure=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification
[=JustificationA12IdentityRequired=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
[=JustificationA12InformationRequired=] Justification that the request under A14-21 could not be fulfilled due to additional information being required
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
A20 Right to Data Portability (10 justifications)
[=JustificationA12Complexity=] Justification that the request under A15-A22 is delayed due to complexity in fulfilling it
[=JustificationA12Delay=] Justification that the request under A15-A22 is delayed
[=JustificationA12HighVolume=] Justification that the request under A15-A22 is delayed due to high volume of similar requests required to be fulfilled
[=JustificationA12IdentityFailure=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification
[=JustificationA12IdentityRequired=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
[=JustificationA12InformationRequired=] Justification that the request under A14-21 could not be fulfilled due to additional information being required
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
A21 Right to object (10 justifications)
[=JustificationA12Complexity=] Justification that the request under A15-A22 is delayed due to complexity in fulfilling it
[=JustificationA12Delay=] Justification that the request under A15-A22 is delayed
[=JustificationA12HighVolume=] Justification that the request under A15-A22 is delayed due to high volume of similar requests required to be fulfilled
[=JustificationA12IdentityFailure=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification
[=JustificationA12IdentityRequired=] Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
[=JustificationA12InformationRequired=] Justification that the request under A14-21 could not be fulfilled due to additional information being required
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
A22 Right to object to automated decision making (7 justifications)
[=JustificationA12Complexity=] Justification that the request under A15-A22 is delayed due to complexity in fulfilling it
[=JustificationA12Delay=] Justification that the request under A15-A22 is delayed
[=JustificationA12HighVolume=] Justification that the request under A15-A22 is delayed due to high volume of similar requests required to be fulfilled
[=JustificationA12LackOfIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
[=JustificationA12MaliciousIntent=] Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyExcessive=] Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
[=JustificationA12ManifestlyUnfounded=] Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
Data Transfer Tools
GDPR regulates data transfers outside the EU/EEA based on the jurisdictions within which the transfer occurs and the guarantees available regarding the protection of personal data and fundamental rights. To indicate that a data transfer is compatible with and adheres to these requirements, the European Commission provides various 'data transfer tools' based on the legal bases provided within the GDPR. EU-GDPR models these as follows.
The EU-GDPR's concepts for transfer tools are currently symbolic, and do not provide a way to actually implement those tools, for example to represent the information contained within an SCC or BCR. The DPVCG is interested in providing such implementations, and welcomes discussions and contributions for the same.
eu-gdpr:DataTransferTool: A legal instrument or tool intended to assist or justify data transfers
eu-gdpr:AdHocContractualClauses: Contractual Clauses not drafted by the EU Commission, e.g. by the Controller
eu-gdpr:BindingCorporateRules: ‘Binding Corporate Rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity
eu-gdpr:CertificationMechanismsForDataTransfers: Certification and its binding or specified mechanisms intended to provide sufficient safeguards for data transfers
eu-gdpr:CodesOfConductForDataTransfers: Codes of Conduct that outline sufficient safeguards for carrying out data transfers
eu-gdpr:SCCByCommission: Standard contractual clauses adopted by the Commission in accordance with the examination procedure referred to in GDPR Article 93(2)
eu-gdpr:SCCBySupervisoryAuthority: Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in GDPR Article 93(2)
eu-gdpr:StandardContractualClauses: Standard Contractual Clauses (SCCs) are pre-approved clauses by the EU for ensuring appropriate data protection safeguards intended for data transfers from the EU to third countries
eu-gdpr:SCCByCommission: Standard contractual clauses adopted by the Commission in accordance with the examination procedure referred to in GDPR Article 93(2)
eu-gdpr:SCCBySupervisoryAuthority: Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in GDPR Article 93(2)
eu-gdpr:SupplementaryMeasure: Supplementary measures are intended to additionally provide safeguards or guarantees to bring the resulting protection in line with EU requirements
DPIA
[[GDPR]] Article 35 specifies the conditions and requirements associated with Data Protection Impact Assessments. EU-GDPR expands on the DPIA concept defined as an Organisational Measure within DPV by considering a DPIA as consisting of the following iterative process, and providing statuses for documenting their progression and outputs:
Identifying activities for which a DPIA is to be undertaken (represented using DPV and EU-GDPR)
Checking whether a DPIA is needed as per GDPR Art.35 and other jurisdictional requirements: the activity is [=DPIANecessityAssessment=] and its output is denoted using [=DPIANecessityStatus=]
Conducting the DPIA to identify risks and impacts: the activity is [=DPIAProcedure=] and its output is denoted using [=DPIARiskStatus=]
Determining the outcome based on risk mitigation: the activity is [=DPIAOutcome=] and its output is denoted using [=DPIAOutcomeStatus=]
Determining whether processing should be permitted to continue or be carried out, with the outcome being denoted using [=DPIAProcessingRecommendation=]
Assessing whether processing is carried out in conformance with the DPIA, with the outcome being denoted using [=DPIAConformity=]
In addition to DPV's concepts for representing information about processing of personal data, EU-GDPR also recommends using [[[DCT]]] concepts to represent relevant metadata, such as dates, identifiers, validity, etc.
The DPVCG is working on updating the [[[GUIDE-GDPR-DPIA]]] based on recent updates in DPV and EU-GDPR. In addition to these, we are also working on providing concepts for expressing impacts and risk management within [[[RISK]]].
eu-gdpr:DPIAOutcome: Process representing determining outcome of a DPIA
eu-gdpr:DPIAOutcomeStatus: Status reflecting the outcomes of a DPIA
eu-gdpr:DPIAOutcomeDPAConsultation: DPIA outcome status indicating a DPA consultation is required
eu-gdpr:DPIAOutcomeHighResidualRisk: DPIA outcome status indicating high residual risks which are not acceptable for continuation
eu-gdpr:DPIAOutcomeRisksAcceptable: DPIA outcome status indicating residual risks remain and are acceptable for continuation
eu-gdpr:DPIAOutcomeRisksMitigated: DPIA outcome status indicating (all) risks have been mitigated
eu-gdpr:DPIAProcedure: Process representing carrying out a DPIA
eu-gdpr:DPIAProcessingRecommendation: Recommendation from the DPIA regarding processing
eu-gdpr:DPIARecommendsProcessingContinue: Recommendation from a DPIA that the processing may continue
eu-gdpr:DPIARecommendsProcessingNotContinue: Recommendation from a DPIA that the processing should not continue
eu-gdpr:DPIARiskStatus: Status reflecting the status of risk associated with a DPIA
eu-gdpr:DPIAIndicatesHighRisk: DPIA identifying high risk levels
eu-gdpr:DPIAIndicatesLowRisk: DPIA identifying low risk levels
eu-gdpr:DPIAIndicatesNoRisk: DPIA identifying no risk is present
Data Breach
[[GDPR]] defines several obligations regarding the handling of data breach incidents, and authoritative guidance establishes the categories of data breach based on how it affects data. To support implementation of these, the [[EU-GDPR]] extension provides concepts that extend the [[DPV]] to define GDPR specific requirements.
[=DataBreach=] is a specific concept that reflects the GDPR's definition of data breaches, and is separate from a general data breach incident (such as that defined within the [[RISK]] extension) in terms of its involvement of personal data as well as the use of the GDPR 'processing' definition. Under GDPR, data breaches are categorised based on the CIA information security model as [=ConfidentialityBreach=] for disclosures e.g. accidentally sharing data, [=IntegrityBreach=] for alterations e.g. maliciously overwriting data, and [=AvailabilityBreach=] for loss or destruction e.g. erasing all data on disk. In addition to these, GDPR also requires awareness of when a breach affects multiple jurisdictions either due to involvement of data subjects from multiple EU countries or because the processing of personal data involves multiple locations spread across the EU. Such breaches are categorised as [=CrossBorderDataBreach=].
[=DataBreachNotice=] represents the communication of information regarding a data breach to another entity, such as reporting it to the authority or sending communications to data subjects. Specific notice concepts are defined to reflect the recipients, for example [=ControllerBreachNotice=] is a notice sent to the controller and [=DataSubjectBreachNotice=] is a notice sent to the data subject. For reporting data breaches to authorities, there are multiple types of notifications at various stages of investigations - these are represented by [=DPABreachNotice=] with additional concepts for initial notice sent within 72 hours, as well as 'phased' notices which are sent as information becomes available.
To represent the status of GDPR obligations regarding data breach notifications, the concept [=DataBreachNoticeRequirement=] provides specific outcomes which can be documented. For example, [=BreachNotificationNotNeeded=] indicates that notifications are not needed, and [=DPABreachNotificationNeeded=] represents that a notification to the authority is needed.
To support the documentation of data breaches, the concept [=DataBreachReport=] represents a report associated with the breach, which can contain information on how the breach was discovered, the duration and coverage of the breach, what measures were taken to handle it, and what notifications were sent as part of the data breach handling processes. Specific concepts are provided to represent different reports required for fulfilling GDPR requirements, for example [=DataBreachDetectionReport=] as a report regarding the detection of a data breach and [=DataBreachPreliminaryReport=] as a preliminary report (e.g. within 72 hours) when an investigation is underway.
[=DataBreachJustification=] represents a `dpv:Justification` defined in the context of a data breach handling procedure, with specific concepts defined based on the provisions defined in the GDPR. For example, [=JustificationA33NotificationDelay=] represents the justification for why a data breach notification was delayed - which would require additional information for that particular instance, and [=JustificationA33RiskUnlikely=] represents the specific justification that a notification was deemed to not be necessary as the risk level was found to be low or unlikely (while this doesn't require more information to describe the justification, it is good practice to associate the risk/impact assessment with this for record keeping).
GDPR requires carrying out an impact assessment to determine the level of risk associated with the data breach, in particular on the processing of personal data and on the rights and freedoms of the data subjects. To represent this, the concept [=DBIARiskStatus=] is provided with specific outcomes. For example, [=DBIAIndicatesHighRisk=] indicates the data breach has a 'high-risk' status.
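The following added example, which is not part of the specification or of any DPVCG code, checks a breach register entry for the documentation gaps implied by the concepts above: a DPA initial notice later than 72 hours without [=JustificationA33NotificationDelay=], a 'not needed' outcome without [=JustificationA33RiskUnlikely=], and a high-risk DBIA with neither a data subject notice nor one of the three justifications for omitting it. The `BreachRecord` class, its field names, and the sample entries are assumptions of this example; only the `eu-gdpr:` concept names come from the vocabulary.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

P = "eu-gdpr:"                      # prefix suggested by the specification
DPA_WINDOW = timedelta(hours=72)    # initial-notice window named in the text

# Justifications the vocabulary defines for not informing the data subject.
SUBJECT_EXEMPTIONS = {
    P + "JustificationA33BreachedDataIneffective",
    P + "JustificationA33DisproportionateEffort",
    P + "JustificationA33RiskMitigated",
}


@dataclass
class BreachRecord:
    """Hypothetical register entry; the field names are this example's own."""
    breach_id: str
    aware_at: datetime                                      # controller became aware
    dbia_status: Optional[str] = None                       # a DBIARiskStatus concept
    requirements: Set[str] = field(default_factory=set)     # DataBreachNoticeRequirement
    notices: Dict[str, datetime] = field(default_factory=dict)  # notice concept -> sent at
    justifications: Set[str] = field(default_factory=set)   # DataBreachJustification


def hours_between(start: datetime, end: datetime) -> int:
    return int((end - start).total_seconds() // 3600)


def check_record(rec: BreachRecord, now: datetime) -> List[str]:
    """Return record-keeping gaps; an empty list means the entry is consistent."""
    gaps: List[str] = []
    needed = {r for r in rec.requirements if r.endswith("NotificationNeeded")}
    not_needed = P + "BreachNotificationNotNeeded" in rec.requirements
    high_risk = rec.dbia_status == P + "DBIAIndicatesHighRisk"

    if rec.dbia_status is None:
        gaps.append("no DBIARiskStatus recorded")
    if not rec.requirements:
        gaps.append("no DataBreachNoticeRequirement recorded")
    if not_needed and needed:
        gaps.append("BreachNotificationNotNeeded conflicts with " + ", ".join(sorted(needed)))
    if not_needed and P + "JustificationA33RiskUnlikely" not in rec.justifications:
        gaps.append("BreachNotificationNotNeeded lacks JustificationA33RiskUnlikely")
    if not_needed and high_risk:
        gaps.append("BreachNotificationNotNeeded contradicts DBIAIndicatesHighRisk")

    if P + "DPABreachNotificationNeeded" in rec.requirements:
        sent = rec.notices.get(P + "DPABreachInitialNotice")
        delay_justified = P + "JustificationA33NotificationDelay" in rec.justifications
        if sent is None:
            gaps.append(f"DPABreachInitialNotice not sent, {hours_between(rec.aware_at, now)}h since awareness")
        elif sent - rec.aware_at > DPA_WINDOW and not delay_justified:
            gaps.append(f"DPA notice at {hours_between(rec.aware_at, sent)}h lacks JustificationA33NotificationDelay")

    if high_risk:
        informed = P + "DataSubjectBreachNotice" in rec.notices
        if not informed and not (rec.justifications & SUBJECT_EXEMPTIONS):
            gaps.append("high risk: no DataSubjectBreachNotice and no exemption justification")
    return gaps


# Constructed sample entries (not real incidents).
AWARE = datetime(2025, 3, 1, 9, 0)
LATE = BreachRecord(
    breach_id="BR-001", aware_at=AWARE,
    dbia_status=P + "DBIAIndicatesHighRisk",
    requirements={P + "DPABreachNotificationNeeded", P + "DataSubjectBreachNotificationNeeded"},
    notices={P + "DPABreachInitialNotice": AWARE + timedelta(hours=97)},
)
CLOSED = BreachRecord(
    breach_id="BR-002", aware_at=AWARE,
    dbia_status=P + "DBIAIndicatesNoRisk",
    requirements={P + "BreachNotificationNotNeeded"},
    justifications={P + "JustificationA33RiskUnlikely"},
)

if __name__ == "__main__":
    for rec in (LATE, CLOSED):
        print(rec.breach_id, check_record(rec, now=AWARE + timedelta(days=7)) or "consistent")
```
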
eu-gdpr:DataBreach: 'Data Breach' or ‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
eu-gdpr:AvailabilityBreach: A data breach where there is an accidental or unauthorised loss of access to or destruction of personal data
eu-gdpr:ConfidentialityBreach: A data breach where there is an unauthorised or accidental disclosure of or access to personal data
eu-gdpr:CrossBorderDataBreach: A data breach involving cross-border data subjects or processing operations
eu-gdpr:IntegrityBreach: A data breach where there is an unauthorised or accidental alteration of personal data
eu-gdpr:DataBreachJustification: A Justification used in the context of data breach related processes and communications
eu-gdpr:JustificationA33BreachedDataIneffective: Justification that the personal data breach was not communicated to the data subject as the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption i.e. the breached data cannot be effectively used
eu-gdpr:JustificationA33DisproportionateEffort: Justification that the personal data breach was not communicated to the data subject as it would involve disproportionate effort, and that a public communication or similar measure whereby the data subjects are informed in an equally effective manner has been deployed
eu-gdpr:JustificationA33NotificationDelay: Justification for why the notification about personal data breach to the authority was not communicated within 72 hours after having become aware of it
eu-gdpr:JustificationA33RiskMitigated: Justification that the personal data breach was not communicated to the data subject as the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
eu-gdpr:JustificationA33RiskUnlikely: Justification that the notification about personal data breach was not communicated to the authority as it is unlikely to result in a risk to the rights and freedoms of natural persons
eu-gdpr:DataBreachNotice: Notice associated with data breach providing information in compliance with GDPR
eu-gdpr:ControllerBreachNotice: Notice regarding a data breach to the Controller
eu-gdpr:DataSubjectBreachNotice: Notice regarding a data breach to the Data Subject
eu-gdpr:DPABreachNotice: Notice regarding a data breach to the DPA
eu-gdpr:DPABreachInitialNotice: Notice sent by a Controller within 72 hours of becoming aware of a personal data breach to the competent DPA, with justifications provided where the notice is made after 72 hours
eu-gdpr:DPABundledBreachNotice: Notice sent by a Controller to the DPA regarding multiple data breaches concerning the same type of personal data
eu-gdpr:DPAPhasedBreachNotice: Notice sent to a DPA in phases i.e. by providing incremental information as it becomes available or is requested following previously submitted notifications
eu-gdpr:ProcessorBreachNotice: Notice regarding a data breach to the Processor
eu-gdpr:DataBreachNoticeRequirement: Whether a Data Breach notification is required
eu-gdpr:BreachNotificationNotNeeded: Data Breach notifications to DPA or Data Subjects are not required
eu-gdpr:ControllerBreachNotificationNeeded: Data Breach notification to the Controller is required
eu-gdpr:DataSubjectBreachNotificationNeeded: Data Breach notification to the Data Subject is required
eu-gdpr:DPABreachNotificationNeeded: Data Breach notification to the DPA is required
eu-gdpr:ProcessorBreachNotificationNeeded: Data Breach notification to the Processor is required
eu-gdpr:DataBreachRegister: Register of data breaches containing facts relating to the personal data breach, its effects and the remedial action taken
eu-gdpr:DataBreachReport: Documented information about a data breach incident, its handling, assessments, and notifications
eu-gdpr:DataBreachConcludingReport: Documented information about a concluded data breach incident
eu-gdpr:DataBreachDetectionReport: Documented information about a data breach being detected
eu-gdpr:DataBreachOngoingReport: Documented information about an ongoing data breach
eu-gdpr:DataBreachPreliminaryReport: Documented information about preliminary assessment regarding a data breach
eu-gdpr:DBIARiskStatus: Status reflecting the status of risk associated with a DBIA regarding rights and freedoms of natural persons
eu-gdpr:DBIAIndicatesHighRisk: DBIA identifying high risk levels regarding rights and freedoms of natural persons
eu-gdpr:DBIAIndicatesLowRisk: DBIA identifying low risk levels regarding rights and freedoms of natural persons
eu-gdpr:DBIAIndicatesNoRisk: DBIA identifying no risk is present regarding rights and freedoms of natural persons
Establishment and Authorities
Establishment
The concept 'establishment' is defined in the GDPR in Article 4-16 as 'main establishment' which is used to determine who will be the 'lead' supervisory authority responsible. An establishment in this context can be a subsidiary, a division or branch, or other forms of corporate structures through which multi-national corporations and organisations operate. To support representation of this, [[EU-GDPR]] defines the concept [=Establishment=], and extends it as [=MainEstablishment=] to indicate which establishment is the 'main'. To indicate that there is only a single establishment and no other locations are involved, the concept [=SingleEstablishment=] is provided.
Establishments are indicated by using the relation [=hasEstablishment=]. Main establishment is associated by using the relation [=isMainEstablishmentFor=], or the main establishment can be indicated using [=hasMainEstablishment=]. To represent organisation structures such as subsidiaries, the relations dpv:hasSubsidiary and dpv:isSubsidiaryOf can be reused.
eu-gdpr:Establishment: Establishment is a Legal Entity which implies the effective and real exercise of activities through stable arrangements (with a presumed parent or primary establishment)
eu-gdpr:MainEstablishment: 'Main Establishment' means as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
go to full definition
eu-gdpr:SingleEstablishment: A legal entity that is established in only one Member State
Authorities
GDPR has a cross-border procedure for handling of compliance and investigations as the authorities are defined at a national level (in addition to supra- and intra- authorities). As part of this, an investigation involving multiple authorities requires establishing which authority is the 'lead' with the others categorised as 'concerned' authorities. The 'lead' authority may be different from the 'local' authority which is defined based on where the organisation is established or has its main establishment. To represent these cases, the [[EU-GDPR]] defines [=LeadSupervisoryAuthority=], [=ConcernedSupervisoryAuthority=], and [=LocalSupervisoryAuthority=] concepts. To associate them, the relations [=hasLeadSA=], [=hasConcernedSA=], and [=hasLocalSA=] are provided.
eu-gdpr:DataProtectionAuthority: ‘Supervisory Authority’ or 'Data Protection Authority' means an independent public authority which is established by a Member State pursuant to Article 51
eu-gdpr:ConcernedSupervisoryAuthority: ‘Concerned Supervisory Authority’ or ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority
eu-gdpr:LeadSupervisoryAuthority: Authority with the primary responsibility for dealing with a cross-border data processing activity
eu-gdpr:LocalSupervisoryAuthority: Authority associated with the main or local establishment of an organisation
Compliance
The concepts in this section reflect the status of processing operations being in compliance with GDPR, by extending the ComplianceStatus from DPV for GDPR. It does not define the requirements for compliance itself. To indicate these, the relation dpv:hasLawfulness can be used.
eu-gdpr:GDPRLawfulness: Status or state associated with being lawful or legally compliant regarding GDPR
eu-gdpr:GDPRComplianceUnknown: State where lawfulness or compliance with GDPR is unknown
eu-gdpr:GDPRCompliant: State of being lawful or legally compliant for GDPR
eu-gdpr:GDPRNonCompliant: State of being unlawful or legally non-compliant for GDPR
Misc. Concepts
These concepts are additionally defined in the EU-GDPR extension, but are not placed within the sections described earlier.
eu-gdpr:BiometricData: ‘Biometric Data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
eu-gdpr:CrossBorderProcessing: ‘Cross-Border Processing’ means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State
eu-gdpr:GeneticData: ‘Genetic Data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
eu-gdpr:HealthData: ‘Health Data’ or ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
eu-gdpr:InformationSocietyService: ‘Information Society Service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council
eu-gdpr:PersonalData: ‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’)
eu-gdpr:Processing: ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
eu-gdpr:Profiling: ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
eu-gdpr:Pseudonymisation: ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
A violation of A13 obligation regarding providing information
Usage Note: What constitutes a violation of A13 depends on the particulars of the situation, therefore we suggest first representing the impact using the appropriate category of impact (e.g. denied, limited) and then assessing whether it constitutes a violation
Right not to be subject to a decision based solely on automated processing including profiling, and for the data subject to obtain human intervention on the part of the controller for the contested or objected activity, and for the data subject to express his or her point of view, and for the data subject to contest the decision
A legally binding and enforceable instrument between public authorities or bodies
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
‘Binding Corporate Rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
Standard data protection clauses adopted by the Commission
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
Standard data protection clauses adopted by a Supervisory Authority
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
An approved code of conduct pursuant to GDPR Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
An approved certification mechanism pursuant to GDPR Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals' rights
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Third country has appropriate safeguards. Transfer does not require specific authorisation from a Supervisory Authority.
Contractual clauses with controller, processor or recipient of the personal data in the third country or the international organisation.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards exist. Transfer does require specific authorisation from a Supervisory Authority.
Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards exist. Transfer does require specific authorisation from a Supervisory Authority.
The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject's request.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject and controller and another natural or legal person.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the person is physically or legally incapable of giving consent.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is made from a register which according to Union or Member State law is intended to provide information to the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist.
The transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by controller which are not overridden by the interests or rights and freedoms of the data subject, and controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
Usage Note: Transfer from EU to a third country. Third country has no Adequacy Decision. Appropriate safeguards do not exist and no other options apply.
Legal basis based on data subject's given explicit consent to the processing of his or her personal data for one or more specific purposes
Usage Note: Valid consent in this case would have requirements for being 'explicit' in addition to requirements defined by A4-11. This is also mentioned in the Article 29 Working Party document "Guidelines on Consent under Regulation 2016/679 (wp259rev.01)"
Legal basis based on data subject's given non-explicit express consent to the processing of his or her personal data for one or more specific purposes
Usage Note: Definition of consent: A data subject's unambiguous/clear affirmative action that signifies an agreement to process their personal data (Rigo Wenning). What is referred to as 'non-explicit consent' here is also termed as 'regular' consent in the Article 29 Working Party document "Guidelines on Consent under Regulation 2016/679 (wp259rev.01)". This is the legal basis that requires consent but not at the level of being 'explicit'.
Legal basis based on performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Legal basis based on the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Legal basis based on the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Legal basis based on the purposes of the legitimate interests pursued by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Right to an effective judicial remedy where the data subject considers that his or her rights have been infringed as a result of the processing of his or her personal data
legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3
Principle stating personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay used for
‘Binding Corporate Rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity
Usage Note: Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises.
‘Biometric Data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
‘Concerned Supervisory Authority’ or ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
‘Cross-Border Processing’ means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State
‘Data Breach’ or ‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Usage Note: GDPR's notion of data breach includes any incident that affects the confidentiality, integrity, and availability of personal data and its processing without distinguishing between internal or external actors involved in the incident
Principle stating personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
‘Supervisory Authority’ or 'Data Protection Authority' means an independent public authority which is established by a Member State pursuant to Article 51
‘Data Subject’ means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Notice sent by a Controller within 72 hours of becoming aware of a personal data breach to the competent DPA, with justifications provided where the notice is made after 72 hours
Notice sent to a DPA in phases i.e. by providing incremental information as it becomes available or is requested following previously submitted notifications
Establishment is a Legal Entity which implies the effective and real exercise of activities through stable arrangements (with a presumed parent or primary establishment)
‘Genetic Data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
‘Health Data’ or ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
‘Information Society Service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council
Principle stating personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
‘International Organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries
Justification that the request under A15-A22 is delayed
Usage Note: The justification is for when the initial process, which is to be completed within one month of receipt of the request, is delayed, with Art.12-3 stating a duration of two further months where necessary taking into account the complexity and number of the requests. In such cases, the controller is required to inform the data subject of the extension within one month of receipt of the request together with the reasons for the delay, which is done through this extension. Information about expected duration of response can be provided through use of dpv:hasDuration. The specific nature of delay can be expressed through use of eu-gdpr:A12ComplexityOfRequest or eu-gdpr:A12HighVolumeOfRequest
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that a request under A14-21 could not be fulfilled due to lack of identity verification, and therefore requires additional information to complete the identity verification request
Usage Note: If the purpose of this justification is to ask for identity verification, then it requires information on what information is considered as an acceptable form of identity, which can ideally be expressed through dpv:Process and relevant dpv:PersonalData categories, or through a comment or description for the justification
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that the request under A14-21 could not be fulfilled due to additional information being required
Usage Note: If the purpose of this justification is to ask for identity verification, then eu-gdpr:A12IdentityVerificationRequired should be used. The information required can be expressed using dpv:Process, which allows also expressing the purpose for why it is required and relevant dpv:PersonalData categories, or through a comment or description for the justification
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to a lack of intent - and therefore is being charged a fee or is being refused
Usage Note: This justification requires information on why or how the lack of intent was assessed, which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that a request under A13-A22 and A34 is manifestly unfounded - in particular due to malicious intent - and therefore is being charged a fee or is being refused
Usage Note: This justification requires information on why or how the malicious intent was assessed, which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that a request under A13-A22 and A34 is manifestly excessive and therefore is being charged a fee or is being refused
Usage Note: This justification requires information on why or how the assessment of manifestly excessive was made, which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that a process under A13-A22 and A34 is manifestly unfounded and therefore is being charged a fee or is being refused
Usage Note: This justification requires information on why the process was considered manifestly unfounded, which can be expressed through the additional concepts provided such as eu-gdpr:A12LackOfIntent or eu-gdpr:A12MaliciousIntent, or which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that A13 obligations for providing information do not apply as the data subject already has the information
Usage Note: This justification requires information on how the data subject was provided the information to satisfy the assertion, which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that A14 obligations for providing information cannot be fulfilled as the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy
Usage Note: This justification requires information on which legal provision provides the confidentiality obligation, which can be provided as a description or comment, or ideally through dpv:hasApplicableLaw to refer to the specific law or through dpv:hasLegalBasis to refer to the specific legal basis enabling this justification
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that A14 obligations for providing information will require a disproportionate effort to fulfill
Usage Note: This justification requires information on why the effort is considered disproportionate, such as the amount of time or resources required, which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that A14 obligations for providing information do not apply as the data subject already has the information
Usage Note: This justification requires information on how the data subject was provided the information to satisfy the assertion, which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that A14 obligations for providing information are impossible to fulfill
Usage Note: This justification requires information on why the fulfilment is impossible, such as technical impossibility, which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that A14 obligations for providing information are legally exempted
Usage Note: This justification requires information on which legal provision provides the exemption, which can be provided as a description or comment, or ideally through dpv:hasApplicableLaw to refer to the specific law or through dpv:hasLegalBasis to refer to the specific legal basis enabling this justification
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that A14 obligations for providing information will (seriously) impair the objectives of the processing
Usage Note: This justification requires information on what objectives are being impaired and the nature of impairment, which can be provided as a description or comment
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that the A17 right to erasure or to be forgotten is being exercised as the personal data of a child have been collected for information society services referred to in A8(1)
Justification that the A17 right to erasure or to be forgotten could not be completed as the processing is necessary for exercising the right of freedom of expression and information
Justification that the A17 right to erasure or to be forgotten is being exercised as the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
Justification that the A17 right to erasure or to be forgotten could not be completed as the processing is required for compliance with a legal obligation
Justification that the A17 right to erasure or to be forgotten is being exercised as the corresponding consent has been withdrawn and there is no other legal basis for the processing
Justification that the A17 right to erasure or to be forgotten is being exercised as the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
Justification that the A17 right to erasure or to be forgotten is being exercised through A21 right to object where there are no overriding legitimate grounds for the processing (A21-1) or as an objection to direct marketing (A21-2)
Justification that the personal data breach was not communicated to the data subject as the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption i.e. the breached data cannot be effectively used
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that the personal data breach was not communicated to the data subject as it would involve disproportionate effort, and that a public communication or similar measure whereby the data subjects are informed in an equally effective manner has been deployed
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification for why the notification about personal data breach to the authority was not communicated within 72 hours after having become aware of it
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that the personal data breach was not communicated to the data subject as the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Justification that the notification about personal data breach was not communicated to the authority as it is unlikely to result in a risk to the rights and freedoms of natural persons
Date Created: 2024-12-17
Contributors: Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
‘Main Establishment’ means as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment; as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
Principle stating personal data collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes
‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not
‘Representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation
A Notice provided in fulfilment of GDPR's Art.19 regarding Recipients to whom a rights exercise has been communicated, such as regarding rectification (A.16) or erasure of personal data (A.17) or restriction of processing (A.18)
Date Created
2022-11-09
Contributors
Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
Standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in GDPR Article 93(2)
Standard Contractual Clauses (SCCs) are pre-approved clauses by the EU for ensuring appropriate data protection safeguards intended for data transfers from the EU to third countries
Principle stating personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject
‘Third Party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
A dataset or catalogue or any other resource provided in fulfilment of a Right Exercise, such as for GDPR's Art.15 regarding Right of Access or Art.20 regarding Right to Data Portability. The associated properties from DCAT and DCMI DCT vocabularies provide convenient means to express metadata such as URL for accessing the data, its temporal validity and access restrictions, and specific datasets present along with their schemas.
Usage Note
A dataset, data service, or any other resource associated with Right Exercise - such as for providing a copy of data
Date Created
2022-11-02
Contributors
Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
For expressing an existing standard, guideline, or requirements to which the DPIA document or process will conform. This could be external guidelines published by an Authority, or internal guidelines established by the organisation
For expressing coverage (e.g. jurisdictions, products, services) of the DPIA document or process. For temporal coverage, please see dct:temporal. The coverage can be expressed using dpv:Process, or using another concept, or even be a link or reference to a document, or a textual description
Indicates an identifier associated with the DPIA documentation or process. Identifiers may be reused from existing systems, or created for the purposes of record management
For expressing the subject of the DPIA document or process, where subject refers to the point of focus. For expressing what is affected or included within the DPIA, please see dct:coverage
Also used for specifying the temporal validity of an activity associated with Right Exercise. For example, limits on duration for providing or accessing provided information
Usage Note
For expressing the temporal date or range of validity of the DPIA document or process. This refers to the time period for which the DPIA is considered valid, and does not refer to the temporal period associated with processing (see dct:temporal instead). The assumption is that after this period, the DPIA should be re-evaluated or some process should be triggered
Also used to indicate the status of a Right Exercise Activity
Usage Note
For expressing the status of the DPIA document or process. Here different statuses are used to convey different contextual meanings. For example, dpv:ActivityStatus expresses the state of the activity in terms of whether it is ongoing or completed, and dpv:AuditStatus expresses the state of the audit process in terms of being required, approved, or rejected. These are applied over each step of the DPIA i.e. DPIANecessityAssessment, DPIAProcedure, and DPIAOutcome. Similarly, a process also uses hasStatus with DPIAConformity to indicate adherence to the results of the DPIA process.
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
Funding Acknowledgements for Contributors
The contributions of Axel Polleres, Javier Fernandez, Piero Bonatti, and Luigi Sauro to the DPVCG have been funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement N. 731601 (project SPECIAL) until 2019, and that for Piero Bonatti and Luigi Sauro were under grant agreement N. 883464 (project TRAPEZE) from 2020 until 2023.
The contributions of Beatriz Esteves have received funding through the PROTECT ITN Project from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813497. Beatriz Esteves is funded by SolidLab Vlaanderen (Flemish Government, EWI and RRF project VV023/10), and by the imec.icon project PACSOI (HBC.2023.0752) which was co-financed by imec and VLAIO.
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.