This document provides additional details and examples for entity concepts in the Data Privacy Vocabulary [DPV], and is a companion to the [DPV] specification.
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
GitHub Issues are preferred for
discussion of this specification.
1. DPV and Related Resources
Data Privacy Vocabulary (DPV) Specification: is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH], and [AI]. Specific [LEGAL] extensions are also provided which model jurisdiction specific regulations and concepts - see the complete list of extensions. To support understanding and applications of [DPV], various guides and resources [GUIDES] are provided, including a [PRIMER]. A Search Index of all concepts from DPV and extensions is available.
[DPV] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [DPVCG], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.
The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article Data Privacy Vocabulary (DPV) - Version 2, accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes the changes made in DPV v2.
2. Introduction
Entity in DPV refer to the concept of 'entity' as defined in law and society, which can be organisations or individuals, and which is distinct from the technical concept of 'agent'. A LegalEntity specifically refers to entities recognised legally or within legal norms. Expanding on these, DPV provides a taxonomy of entities based on their application within laws and use-cases in the form of Legal roles, such as DataController, DataSubject, and Authority. Later, these concepts are expanded into taxonomies for different kinds of entities categorised under a common concept. For example, categories of Data Subjects such as Adult, User, or Employee; or kinds of Authorities, or categories of Organisations.
The relation hasEntity is used to refer to an entity or associate it with a context, for example to indicate its involvement. More specific relations are provided to indicate legal roles, such as hasDataSubject, hasDataController, hasDataProcessor, and so on.
The relation isImplementedByEntity indicates the entity that implements the specified context e.g. processing operation or process.
dpv:Entity: A human or non-human 'thing' that constitutes as an entity
go to full definition
dpv:LegalEntity: A human or non-human 'thing' that constitutes as an entity and which is recognised and defined in law
go to full definition
dpv:ParentLegalEntity: A legal entity that has one or more subsidiary entities operating under it
go to full definition
dpv:PublicRegisterOfEntities: A publicly available list of entities e.g. to indicate which entities perform a certain activity within a certain location or jurisdiction
go to full definition
dpv:SubsidiaryLegalEntity: A legal entity that operates as a subsidiary of another legal entity
go to full definition
To specify information about entities, DPV provides hasName, hasAddress, hasContact, and hasIdentifier relations which can be used to indicate the name, address, contact, and identifier of the entity respectively. The properties are useful to indicate this information in a succint manner within a context - such as in documentation and records. However, they are not sufficient to represent all relevant information about the entities, and are also not capable of representing complex information - such as alternate or common names, detailed addresses with cities and postcodes, and different kinds of contact information and identifiers. For this, we recommend using other existing vocabularies such as schema.org.
3. Legal Roles
Legal Role is the role taken on by a legal entity based on definitions or criteria from laws, regulations, or other such normative sources. Legal roles assist in representing the role and responsibility of an entity within the context of processing, and from this to determine the requirements and obligations that should apply, and their compliance or conformance.
dpv:DataController: The individual or organisation that decides (or controls) the purpose(s) of processing personal data.
go to full definition
dpv:JointDataControllers: A group of Data Controllers that jointly determine the purposes and means of processing
go to full definition
dpv:DataExporter: An entity that 'exports' data where exporting is considered a form of data transfer
go to full definition
dpv:DataProtectionOfficer: An entity within or authorised by an organisation to monitor internal compliance, inform and advise on data protection obligations and act as a contact point for data subjects and the supervisory authority.
go to full definition
dpv:DataImporter: An entity that 'imports' data where importing is considered a form of data transfer
go to full definition
dpv:DataProcessor: A ‘processor’ means a natural or legal person, public authority, agency or other body which processes data on behalf of the controller.
go to full definition
dpv:DataSubProcessor: A 'sub-processor' is a processor engaged by another processor
go to full definition
dpv:ThirdParty: A ‘third party’ means any natural or legal person other than - the entities directly involved or operating under those directly involved in a process
go to full definition
dpv:ServiceConsumer: The entity that consumes or receives the service
go to full definition
A DataController is the entity responsible for the determination of processing of personal data. The exact meaning of 'responsible' and 'determination' varies across jurisdictions and laws. For example, [GDPR] defines a controller as the entity that determines 'means' and 'purposes' of processing personal data i.e. the entity that not only determine which data is being processed, but also the why and how of it. DPV does not prescribe to any particular jurisdictional definition, and the term 'Controller' here is analogous to the ISO term 'PII Controller'.
To indicate the name, address, and contact details for a controller, the properties hasName, hasAddress, and hasContact are provided. Other properties can also be used to provide this as well as additional details, such as FOAF Vocabulary Specification 0.99 (Paddington Edition) or Schema.org.
To indicate an entity acting as the representative of the controller, the concept Representative and relation hasRepresentative are provided. Representatives can be present to maintain presence in multiple jurisdictions without the controller having to open new units in those divisions. The location or jurisdiction of representatives can be expressed by using the DPV concepts e.g. hasLocation and hasJurisdiction.
3.2 Data Processor
A Data Processor is an entity which processes personal data on behalf of the controller i.e. the controller provides instructions to the processor for what processing activities to perform. The processor is only responsible for carrying out the processing as stipulated by the controller. The term 'Processor' is analogous to the ISO term 'PII Processor'. Name, address, and contact details of a processor can be specified using the same properties as that of a controller. Similarly, representatives of a processor can also be indicated by using the Representative and hasRepresentative concepts.
The instructions from a Controller to a Processor typically take the form of a ControllerProcessorAgreement which is a contract between the two entities. The contract can specify which entity takes on which role, what activities are to be performed by whom, and any other pertinent details regarding processing of personal data.
3.3 Data Recipient
Recipient represents the entity that receives data i.e. is the recipient for data. Recipients receive data through processing operations such as collect, share, and transfer. The relation hasRecipient indicates the entity that receives data. Recipients can be the controller, processor, or third party in use-cases. Processors are defined as a subcategory of Recipient as they need to receive data in order to process it. To explicitly denote that the recipient is a controller, the relation hasRecipientDataController is provided. It is useful in situations such as clarifying where the data controller receives data, or to indicate recipients in a joint controller relationships. To indicate a third party is the recipient, the relation hasRecipientThirdParty is provided.
3.4 Third Party
A ThirdParty is an entity other than the data subject, data controller, data processor, or authority associated with a context or process. The nature of third parties' roles in such contexts are not defined in DPV.
3.5 Data Protection Officer
A DataProtectionOfficer (DPO) is an entity within or authorised by an organisation to monitor internal compliance, inform and advise on data protection obligations and act as a contact point for data subjects and the supervisory authority. It is indicated by using the relation hasDataProtectionOfficer. A DPO is a legal entity and a representative of the organisation, and their name, address, and contact details can be specified using the same properties as any other representative or legal entity.
3.6 Data Importer/Exporter
When data is being transferred, especially across jurisdictions, the entity sending the data is called the DataExporter and the entity receiving it is called the DataImporter. When the exporter and importer are in different jurisdictions, the data transfer is indicated to be CrossBorderDataTransfer. Exporters and Importers are indicated by using the relations hasDataExporter and hasDataImporter.
4. Authorities
The concept Authority is a specific Governmental Organisation authorised to enforce a law or regulation. Authorities can be associated with a specific domain, topic, or jurisdiction. DPV currently defines regional authorities for NationalAuthority, RegionalAuthority, and SupraNationalAuthority, and DataProtectionAuthority represents authorities associated with data protection and privacy. To associate authorities with concepts, the relations hasAuthority and isAuthorityFor are provided.
dpv:Authority: An authority with the power to create or enforce laws, or determine their compliance.
go to full definition
dpv:DataProtectionAuthority: An authority tasked with overseeing legal compliance regarding privacy and data protection laws.
go to full definition
dpv:NationalAuthority: An authority tasked with overseeing legal compliance for a nation
go to full definition
dpv:RegionalAuthority: An authority tasked with overseeing legal compliance for a region
go to full definition
dpv:SupraNationalAuthority: An authority tasked with overseeing legal compliance for a supra-national union e.g. EU
go to full definition
4.1 Data Protection Authority
A DataProtectionAuthority (DPA) is responsible for regulating laws associated with data protection and privacy. It is associated by using the relation hasAuthority. The [LEGAL] extensions provide authorities for jurisdictions, such as the DPAs responsible for enforcing [GDPR] in EU. For jurisdictional aspects such as 'lead' supervisory authority, see [EU-GDPR] extension.
5. Organisation
Organisation taxonomy allows expressing the category of kind of organisation an entity is. For example, GovernmentalOrganisation for government departments and units, NonGovernmentalOrganisation for NGOs, and so on. As these categories are fixed i.e. an entity cannot easily switch between them, the relation to indicate them is rdf:type.
dpv:Organisation: A general term reflecting a company or a business or a group acting as a unit
go to full definition
dpv:AcademicScientificOrganisation: Organisations related to academia or scientific pursuits e.g. Universities, Schools, Research Bodies
go to full definition
dpv:ForProfitOrganisation: An organisation that aims to achieve profit as its primary goal
go to full definition
dpv:GovernmentalOrganisation: An organisation managed or part of government
go to full definition
dpv:IndustryConsortium: A consortium established and comprising on industry organisations
go to full definition
dpv:InternationalOrganisation: An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries
go to full definition
dpv:NonGovernmentalOrganisation: An organisation not part of or independent from the government
go to full definition
dpv:NonProfitOrganisation: An organisation that does not aim to achieve profit as its primary goal
go to full definition
dpv:OrganisationalUnit: Entity within an organisation that does not constitute as a separate legal entity
go to full definition
5.1 Organisational Units
An OrganisationalUnit is a unit or department or division within an organisation which does not have its own separate legal identity. Such units enable accurately representing how an organisation functions and where the responsibility and accountability within an organisation is located. To indicate an organisation has a unit, the relations hasOrganisationalUnit and isOrganistionalUnitOf are used.
5.2 Subsidiaries
SubsidiaryLegalEntity is a company (organisation) owned or controller by another company (organisation). To indicate a subsidiary for an entity, the relations hasSubsidiary and isSubsidiaryOf are used. For jurisdictional aspects associated with subsidiaries such as 'establishments' under the GDPR, see the [EU-GDPR] extension.
dpv:VulnerableDataSubject: Data Subjects which should be considered 'vulnerable' and therefore would require additional measures and safeguards
go to full definition
A 'child' is a natural legal person who is below a certain legal age depending on the legal jurisdiction.
Usage Note
The legality of age defining a child varies by jurisdiction. In addition, 'child' is distinct from a 'minor'. For example, the legal age for consumption of alcohol can be 21, which makes a person of age 20 a 'minor' in this context. In other cases, 'minor' and 'child' are used interchangeably to refer to a person below some legally defined age.
An entity that 'exports' data where exporting is considered a form of data transfer
Usage Note
The term 'Data Exporter' is used by the EU-EDPB as the entity that transfer data across borders. While the EDPB refers to the jurisdictional border of EU, the term within DPV can be used to denote any 'export' or transfer or transmission of data and is thus a broader concept than the EDPB's definition.
An entity that 'imports' data where importing is considered a form of data transfer
Usage Note
The term 'Data Importer' is used by the EU-EDPB as the entity that receives transferred data across borders. While the EDPB refers to the jurisdictional border of EU, the term within DPV can be used to denote any 'import' or reception of transfer or transmission of data and is thus a broader concept than the EDPB's definition.
An entity within or authorised by an organisation to monitor internal compliance, inform and advise on data protection obligations and act as a contact point for data subjects and the supervisory authority.
The individual (or category of individuals) whose personal data is being processed
Usage Note
The term 'data subject' is specific to the GDPR, but is functionally equivalent to the term 'individual associated with data' and the ISO/IEC term 'PII Principle'
An organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries
A group of Data Controllers that jointly determine the purposes and means of processing
Usage Note
While Joint Data Controllers operate together, they are made up of individually distinct legal entities. To indicate the membership of this group, hasDataController should be used to denote each Data Controller. The concept of Joint Data Controllers also allows specifying a single group as the 'Controller' and to specify role and responsibilities within that group for each entity using DPV's concepts (e.g. isImplementedByEntity)
Data Subjects which should be considered 'vulnerable' and therefore would require additional measures and safeguards
Usage Note
This concept denotes a Data Subject or a group are vulnerable, but not what vulnerability they possess or its context. This information can be provided additionally as comments, or as separate concepts and relations. Proposals for this are welcome.
DPV uses the following terms from [RDF] and [RDFS] with their defined meanings:
rdf:type to denote a concept is an instance of another concept
rdfs:Class to denote a concept is a Class or a category
rdfs:subClassOf to specify the concept is a subclass (subtype, sub-category, subset) of another concept
rdf:Property to denote a concept is a property or a relation
The following external concepts are re-used within DPV:
8. Contributors
The following people have contributed to this vocabulary. The names are ordered alphabetically. The affiliations are informative do not represent formal endorsements. Affiliations may be outdated. The list is generated automatically from the contributors listed for defined concepts.
Arthit Suriyawongkul (ADAPT Centre, Trinity College Dublin)
Axel Polleres (Vienna University of Economics and Business)
Beatriz Esteves (IDLab, IMEC, Ghent University)
Bud Bruegger (Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein)
Damien Desfontaines ()
David Hickey (Dublin City University)
Delaram Golpayegani (ADAPT Centre, Trinity College Dublin)
Elmar Kiesling (Vienna University of Technology)
Fajar Ekaputra (Vienna University of Technology)
Georg P. Krog (Signatu AS)
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University)
Javier Fernández (Vienna University of Economics and Business)
Julian Flake (University of Koblenz)
Mark Lizar (OpenConsent/Kantara Initiative)
Maya Borges ()
Paul Ryan (Uniphar PLC)
Piero Bonatti (Università di Napoli Federico II)
Rana Saniei (Universidad Politécnica de Madrid)
Rob Brennan (University College Dublin)
Rudy Jacob (Proximus)
Simon Steyskal (Siemens)
Steve Hickman ()
Funding Acknowledgements
Funding Sponsors
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
Funding Acknowledgements for Contributors
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.