Data Privacy Vocabularies and Controls Community Group
Skip to toolbar

Community & Business Groups

Data Privacy Vocabularies and Controls Community Group

The mission of the W3C Data Privacy Vocabularies and Controls CG (DPVCG) is to develop a taxonomy of privacy and data protection related terms, which include in particular terms from the new European General Data Protection Regulation (GDPR), such as a taxonomy of personal data as well as a classification of purposes (i.e., purposes for data collection), and events of disclosures, consent, and processing such personal data.

The DPVCG was created as an outcome of the W3C Workshop on Data Privacy Controls and Vocabularies in Vienna in 2017, and started on 25th May 2018 – the date of the enforcement of GDPR. Since then, the DPVCG has worked to fulfil its aims and objectives, and produced the Data Privacy Vocabulary (DPV) as a deliverable.

Membership to the group is open to all interested individuals and organisations. To join the group, you need a valid W3C account – which is free to get and can be requested here. The group meets usually through online meeting calls, details of which, including past minutes, can be found here. The group also interacts through a mailing list regarding topics, discussions, sharing of agendas, actions, and other relevant items. The resources and work relevant to the group is hosted on the GitHub platform under the DPVCG name.

The group is currently chaired by:

Previously, it was chaired by:

Participation in Group Activities

The working of the group is fairly open and transparent in its process, with most of the information present on the wiki. For past work, actions, issues, and records – please refer to the wiki and threads on the mailing list. Anyone can use the mailing list to ask questions, suggest topics, raise issues, and offer solutions. Non-members might receive an automated reply asking them to authenticate their email or email address for posting.

Similarly, calls are usually open to attend, with the agenda shared on the public mailing list. Call details may be shared on the internal mailing lists accessible to only members for security purposes – so it may be best to ask the chair(s) or a member for attending a call.

General questions regarding what the group considers in scope can be determined from the aims and objectives. Specific queries or propositions should be conveyed to the mailing list. For issues regarding the DPV, including addition of concepts or a query or other relevant topics – you can use the mailing list or the issues feature in a GitHub repo.

Data Privacy Vocabulary (DPV)

The DPV is a vocabulary (terms) and an ontology (relationships) serialised using semantic-web standards to represent concepts associated with privacy and data protection, primarily derived from GDPR. It enables representation of which personal data categories are undergoing a what kind of processing by a specific data controller and/or transferred to some recipient for a particular purpose, based on a specific legal basis (e.g., consent, or other legal grounds such as legitimate interest, etc.), with specified technical and organisational measures and restrictions (e.g., storage locations and storage durations) in place.

The DPV is useful as a machine-readable representation of personal data processing and can be adopted in relevant use-cases such as legal compliance documentation and evaluation, policy specification, consent representation and requests, taxonomy of legal terms, and annotation of text and data.

The DPV is an evolving vocabulary – as the DPVCG continues to work on updating it with broader concepts as well as enriching its hierarchy of concepts. For this, we invite contributions of concepts, use-cases, requirements, and applications.

w3c/dpv
Group's public email, repo and wiki activity over time

Note: Community Groups are proposed and run by the community. Although W3C hosts these conversations, the groups do not necessarily represent the views of the W3C Membership or staff.

Final reports / licensing info

Date Name Commitments
Guide for using DPV in OWL2 Licensing commitments
Primer Licensing commitments
DPV-PD: Extended Personal Data categories for DPV Licensing commitments
DPV-GDPR: GDPR Extension for DPV Licensing commitments
Data Privacy Vocabulary (DPV) Licensing commitments

Chairs, when logged in, may publish draft and final reports. Please see report requirements.

DPV v1 Release

Summary

The DPVCG has published final reports consisting of three vocabularies, a Primer, and a usage guide:

These are complemented by ongoing efforts to in draft form:

The vocabularies and documents are available at GitHub under w3c/dpv – which also enables providing feedback and raising issues.

What are the DPV vocabularies?

the Data Privacy Vocabulary (DPV) Specification, which provides a vocabulary and ontology for expressing information related to processing of personal data, entities involved and their roles, details of technologies utilised, relation to laws and legal justifications permitting its use, and other relevant concepts based on privacy and data protection. While it uses the EU’s General Data Protection Regulation (GDPR) as a guiding source for the creation and interpretation of concepts, the ambition and scope of DPV is to provide a broad globally useful vocabulary that can be extended to jurisdiction or domain specific applications. People, organisations, laws, and use-cases have different perspectives and interpretations of concepts and requirements which cannot be modelled into a single coherent universal vocabulary. The aim of DPV is to act as a core framework of ‘common concepts’ that can be extended to represent specific laws, domains, or applications. This lets any two entities agree that a term, for example, PersonalData, refers to the same semantic concept, even though they might interpret or model it differently within their own use-cases.

The motivation of DPV is to provide a ‘data model’ or a ‘taxonomy’ of concepts that act as a vocabulary for the interoperable representation and exchange of information about personal data and its processing. For this, the DPV specification represents an abstract model of concepts and relationships that can be implemented and applied using technologies appropriate to the use-case’s requirements.

The following is an illustrative, but non-exhaustive list of applications possible with the DPV:

  • Document annotation – identifying and annotating concepts within documents such as privacy policies, legal compliance documentation, web pages;
  • Representing Policies – expressing policies for how personal data should be ‘handled’, policies for describing an use-cases’ use of personal data;
  • Representing Rules – creating and utilising rules for expressing requirements, constraints, or obligations regarding the necessity or optionality on the use of personal data, and for checking conformance with obligations such as for legal compliance.

For more concrete uses, see the community maintained Listing of DPV adoption and applications in its wiki. For more information about DPV, start with the Primer.

What does v1 mean?

The DPVCG was created as an outcome of the SPECIAL H2020 project, which organised the W3C Workshop on Data Privacy Controls and Vocabularies in Vienna in 2017, and initiated the DPVCG on 25th May 2018 – the date of the enforcement of GDPR. Since then, the DPVCG has worked to fulfil its aims and objectives, and produced numerous vocabularies in draft form. In the 5 years of its operation, the community has worked on building a large corpus of terms and arranging them into useful vocabularies and specifications that are accompanied with documentations and descriptions. In this time, the specifications have undergone both major and minor changes with the intention to polish and refine the work. With the v1 release, the DPVCG wishes to indicate that its outputs should be considered relatively stable and are ready for use and wider adoption.

It should be noted that a v1 release does not indicate completeness, as there are several topics not currently covered in DPV (e.g. Data Transfers, Data Breaches) and there are important extensions that are currently being worked on. Similarly, a v1 release should also not be assumed to be completely stable – as there will be errors and changes based on future developments. Instead, the v1 indicates that what the DPVCG does not foresee major changes or challenges to the outputs in its current form.

Ongoing Work

While the DPV, DPV-GDPR, and DPV-PD outputs have been published as v1, they are by no means considered complete. Work will continue on refining these. Specifically, the group is considering the following (non-exhaustive) list of topics:

  • Data Transfers – providing the necessary concepts to represent data transfer documentations and assessments
  • Data Breach – providing the necessary concepts to document data breach preparation plans and recording instances of a data breach along with its response activities (e.g. notifications and impacts)
  • Privacy Notices – providing the necessary concepts to represent notices in machine-readable form using DPV concepts in line with established standards
  • Finalising Risk Extension – providing the necessary concepts to represent risk assessment and risk management information in line with established standards, and providing taxonomies for detrimental impacts and benefits
  • Finalising Legal Extension – aligning DPV’s outputs with existing standards for representing locations and jurisdictional arrangements (such as EUROVOC), and providing taxonomies of laws and authorities related to data protection and privacy
  • Finalising Technology Extension – providing the necessary concepts to describe how various technologies (e.g. databases, servers, algorithms) are used in an implementation, and providing taxonomies for Information Technology
  • Finalising Rights Extension – providing concepts that describe rights, exercise of rights, impact to rights, and assist in discovering and associating implementations with fundamental rights
  • Guidance documentations, such as those describing Consent Records, DPIAs, ROPAs, and other practical necessities where DPV can be used to automate and improve workflows

Future Work

The DPVCG chose GDPR as a focal point to influence the development of DPV and aligned vocabularies based on its then influence in changing how laws regard personal data processing and its impacts. Since that time, there have been several important developments across the globe, both as laws as well as standards and guidelines, that are aligned with GDPR’s ethos in terms of requirements and compliance considerations. At the same time, the EU has embarked on an ambitious regime of producing a regulatory framework consisting of several wide reaching laws related to Data. The DPVCG is interested in extending its vocabularies and efforts to also address these developments. It welcomes contributions that add concepts or extend existing vocabularies for jurisdiction specific norms (for example, creating DPV-CCPA for California’s CCPA similar to DPV-GDPR). The existing members have expressed an interest in considering the following for immediate consideration:

Contributing and Geting Involved

Participating with the DPVCG is open and free to all who are interested. For more information and joining, see https://www.w3.org/community/dpvcg/. While contribution is welcome from everyone regardless of membership status, such as via the mailing list or GitHub, decision making is restricted to membership forums.

Community & Acknowledgements

The DPVCG is a community group based on voluntary contributions. As such, the outputs produced bear thanks to the efforts of the community and its members, as well as to several external contributors, all of whom have engaged with the group, offered their expertise, taken on work, and delivered to enable this milestone. We thank each and all of them. We also thank the various funding sources which have directly enabled work on the DPVCG as well as indirectly helped by funding the members and contributors.

Data Privacy Vocabularies and Controls Community Group (DPVCG)

The mission of the W3C Data Privacy Vocabularies and Controls CG (DPVCG) is to develop a taxonomy of privacy and data protection related terms, which include in particular terms from the new European General Data Protection Regulation (GDPR), such as a taxonomy of personal data as well as a classification of purposes (i.e., purposes for data collection), and events of disclosures, consent, and processing such personal data.

Continue reading

Data Protection Aspects of Online Shopping – A Use Case

By Bud P. Bruegger (ULD) , Eva Schlehahn (ULD), Harald Zwingelberg (ULD)

When illustrating concepts pertaining to data protection, it is often useful to have a concrete use case at hand. The following post therefore provides such a use case. Namely, it describes the various aspects of the processing activities of an online shop. In particular, the aspects include the involved entities, the purposes pursued by the processing, the legal bases for the processing, the data necessary to fulfill the purposes, as well as the storage period necessary for this data.

It is hoped that this use case can facilitate discussions on how to best describe data protection aspects of processing activities. In that sense, it is regarded a contribution to the Data Privacy Vocabulary Community Group.

Continue reading

Call for Participation in Data Privacy Vocabularies and Controls Community Group

The Data Privacy Vocabularies and Controls Community Group has been launched:


The mission of the W3C Data Privacy Vocabularies and Controls CG (DPVCG) is to develop a taxonomy of privacy terms, which include in particular terms from the new European General Data Protection Regulation (GDPR), such as a taxonomy of personal data as well as a classification of purposes (i.e., purposes for data collection), and events of disclosures, consent, and processing such personal data.

Continue reading