Rights Management

concepts in Data Privacy Vocabulary (DPV)

Final Community Group Report

This version:
https://www.w3.org/community/reports/dpvcg/CG-FINAL-dpv-20240128/
Latest published version:
https://w3id.org/dpv/dpv/modules/rights
Latest editor's draft:
https://dev.dpvcg.org/dpv/modules/rights
Editor:
Harshvardhan J. Pandit (ADAPT Centre, Dublin City University)
Feedback:
GitHub w3c/dpv (pull requests, new issue, open issues)
This Release
https://w3id.org/dpv/2.0
Previous Release
https://w3id.org/dpv/1.0
Key Publications
Data Privacy Vocabulary (DPV) -- Version 2 (2024)

Abstract

This document provides additional details and examples for rights and rights excercise concepts used in the Data Privacy Vocabulary [DPV], and is a companion to the [DPV] specification.

Status of This Document

This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Final Specification Agreement (FSA) other conditions apply. Learn more about W3C Community and Business Groups.

Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.

GitHub Issues are preferred for discussion of this specification.

Data Privacy Vocabulary (DPV) Specification: is the base/core specification for the 'Data Privacy Vocabulary', which is extended for Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH], and [AI]. Specific [LEGAL] extensions are also provided which model jurisdiction specific regulations and concepts - see the complete list of extensions. To support understanding and applications of [DPV], various guides and resources [GUIDES] are provided, including a [PRIMER]. A Search Index of all concepts from DPV and extensions is available.

[DPV] and related resources are published on GitHub. For a general overview of the Data Protection Vocabularies and Controls Community Group [DPVCG], its history, deliverables, and activities - refer to DPVCG Website. For meetings, see the DPVCG calendar.

The peer-reviewed article “Creating A Vocabulary for Data Privacy” presents a historical overview of the DPVCG, and describes the methodology and structure of the DPV along with describing its creation. An open-access version can be accessed here, here, and here. The article Data Privacy Vocabulary (DPV) - Version 2, accepted for presentation at the 23rd International Semantic Web Conference (ISWC 2024), describes the changes made in DPV v2.

2. Introduction

Figure 1

The concept Right represents a normative concept for what is permissible or necessary in accordance with a system such as laws. To associate rights with concepts that are relevant or within which those rights occur, the relation hasRight is used. Rights can be passive, which means they are always applicable without requiring anything to be done, or active where they require some action to be taken to initiate or exercise them. To represent these concepts, DPV uses PassiveRight and ActiveRight respectively. Rights can be applicable to different contexts or entities. To differentiate rights applicable or afforded to data subjects, the concept DataSubjectRight is used.

3. Rights Notices

The information provided regarding a right is called a 'Rights Notice'. It may be used to describe which rights exist, when they are applicable, how to exercise them, and other pertinent details. As with other notices in DPV, a rights notice is associated by using the dpv:hasNotice relation. The concept RightExerciseNotice represents specifically notices associated with exercising of rights - such as to indicate where and how to exercise it (expressed using isExercisedAt relation), or what information is required for the exercise, or to provide updates on an exercised rights request. For expressing contextual information, other existing concepts should be reused e.g. Process to group related information together into a 'process', with hasPurpose and IdentityVerification to indicate the right exercise will involve identity verification.

To indicate information about whether a rights exercise has been fulfilled or cannot be fulfilled - such as when additional information is needed, the concepts RightFulfilmentNotice and RightNonFulfilmentNotice are provided.

4. Rights Exercise

A RightExerciseActivity represents a concrete instance of a right being exercised. It can include contextual information such as timestamps, durations, entities, etc. that can be part of record-keeping. An activity can be a single step related to rights exercise -- such as the initial request to exercise that right, or its acknowledgement, or the final step taken to fulfil the right (e.g. provide some information), or it can also be a single activity describing the entire rights exercise process(es). To collate related activities associated with a rights exercise (e.g. associated with a specific data subject or a specific request), the concept RightExerciseRecord is useful.

5. Rights Records

To indicate contextual information about Right Exercise activities, DPV suggests reuse of existing relations, such as those from DPV itself and DCMI Metadata Terms (DCT). For example, dct:accessRights can be used to specify constraints or requirements regarding access (e.g. log in required), or dct:hasPart and dct:isPartOf to express records and its contents, dct:valid to express validity constraints on the exercising being made available, foaf:page to specify the location or provision of notice, and hasStatus with RequestStatus to represent the status of a rights exercise activity.

When rights require the provision of information which beyond a static common notice, for example a document personalised to the individual's information, or a dataset containing the individual's data, DPV recommends using Data Catalog Vocabulary (DCAT) to model the contents as a dcat:Resource or other relevant concepts from [DCAT] and [DCT] such as dct:format, dct:accessRights, and dct:valid.

6. Vocabulary Index

6.1 Classes

6.1.1 Active Right

Term ActiveRight Prefix dpv
Label Active Right
IRI https://w3id.org/dpv#ActiveRight
Type rdfs:Class, skos:Concept, dpv:Right
Broader/Parent types dpv:Right
Subject of relation dpv:isExercisedAt
Object of relation dpv:hasRight
Definition The right(s) applicable, provided, or expected that need to be (actively) exercised
Usage Note Active rights require the entity to expressly exercise them. For example, a Data Subject exercising their right to withdraw their consent.
Date Created 2022-10-22
Contributors Harshvardhan J. Pandit, Beatriz Esteves, Georg P. Krog, Paul Ryan
See More: section RIGHTS in DPV

6.1.2 Data Subject Right

Term DataSubjectRight Prefix dpv
Label Data Subject Right
IRI https://w3id.org/dpv#DataSubjectRight
Type rdfs:Class, skos:Concept, dpv:Right
Broader/Parent types dpv:Right
Object of relation dpv:hasRight
Definition The rights applicable or provided to a Data Subject
Usage Note Based on use of definitions, the notion of 'Data Subject Right' can be equivalent to 'Individual Right' or 'Right of a Person'
Date Created 2020-11-18
Contributors Beatriz Esteves, Georg P. Krog, Harshvardhan J. Pandit
See More: section RIGHTS in DPV

6.1.3 Passive Right

Term PassiveRight Prefix dpv
Label Passive Right
IRI https://w3id.org/dpv#PassiveRight
Type rdfs:Class, skos:Concept, dpv:Right
Broader/Parent types dpv:Right
Object of relation dpv:hasRight
Definition The right(s) applicable, provided, or expected that are always (passively) applicable
Usage Note Passive rights do not require the entity to request or exercise them. They are considered to be always applicable. For example, the Right to Privacy (in EU) does not require an exercise for it to be fulfilled.
Date Created 2022-10-22
Contributors Harshvardhan J. Pandit, Beatriz Esteves, Georg P. Krog, Paul Ryan
See More: section RIGHTS in DPV

6.1.5 Right Exercise Activity

Term RightExerciseActivity Prefix dpv
Label Right Exercise Activity
IRI https://w3id.org/dpv#RightExerciseActivity
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:OrganisationalMeasuredpv:TechnicalOrganisationalMeasure
Subject of relation dct:isPartOf, foaf:page, dpv:hasJustification, dpv:hasRecipient, dpv:hasStatus, dpv:isAfter, dpv:isBefore, dpv:isImplementedByEntity
Object of relation dct:hasPart, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure, dpv:isAfter, dpv:isBefore
Definition An activity representing an exercising of an active right
Usage Note There may be multiple activities associated with exercising and fulfilling rights. See the RightExerciseRecord concept for record-keeping of such activities in a cohesive manner.
Examples dex:E0059 :: Exercising the right to rectification with contesting accuracy of information as justification
Date Created 2022-11-02
Contributors Harshvardhan J. Pandit, Beatriz Esteves, Georg P. Krog, Paul Ryan
See More: section RIGHTS in DEX

6.1.6 Right Exercise Notice

Term RightExerciseNotice Prefix dpv
Label Right Exercise Notice
IRI https://w3id.org/dpv#RightExerciseNotice
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:RightNoticedpv:Noticedpv:OrganisationalMeasuredpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure, dpv:isExercisedAt
Definition Information associated with exercising of an active right such as where and how to exercise the right, information required for it, or updates on an exercised rights request
Usage Note This concept is intended for providing information regarding a right exercise. For specific instances of such exercises, see RightExerciseActivity and RightExerciseRecord.
Date Created 2022-10-22
Contributors Harshvardhan J. Pandit, Beatriz Esteves, Georg P. Krog, Paul Ryan
See More: section RIGHTS in DPV

6.1.7 Right Exercise Record

Term RightExerciseRecord Prefix dpv
Label Right Exercise Record
IRI https://w3id.org/dpv#RightExerciseRecord
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:Recorddpv:Obtaindpv:Processing
Subject of relation dct:hasPart
Object of relation dct:isPartOf, dpv:hasProcessing
Definition Record of a Right being exercised
Usage Note This concept represents a record of one or more right exercise activities, such as those associated with a single data subject or service or entity
Examples dex:E0057 :: Expressing GDPR Right to Data Portability could not be fulfilled due to Identity Verification failure
Date Created 2022-11-02
Contributors Harshvardhan J. Pandit, Beatriz Esteves, Georg P. Krog, Paul Ryan
See More: section RIGHTS in DEX

6.1.8 Right Fulfilment Notice

Term RightFulfilmentNotice Prefix dpv
Label Right Fulfilment Notice
IRI https://w3id.org/dpv#RightFulfilmentNotice
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:RightExerciseNoticedpv:RightNoticedpv:Noticedpv:OrganisationalMeasuredpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure, dpv:isExercisedAt
Definition Notice provided regarding fulfilment of a right
Usage Note This notice is associated with situations where information is provided with the intention of progressing the fulfilment of a right. For example, a notice asking for more information regarding the scope of the right, or providing information on where to access the data provided under a right.
Date Created 2022-11-02
Contributors Harshvardhan J. Pandit, Beatriz Esteves
See More: section RIGHTS in DPV

6.1.9 Right Non-Fulfilment Notice

Term RightNonFulfilmentNotice Prefix dpv
Label Right Non-Fulfilment Notice
IRI https://w3id.org/dpv#RightNonFulfilmentNotice
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:RightExerciseNoticedpv:RightNoticedpv:Noticedpv:OrganisationalMeasuredpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure, dpv:isExercisedAt
Definition Notice provided regarding non-fulfilment of a right
Usage Note This notice is associated with situations where information is provided with the intention of communicating non-fulfilment of a right. For example, to provide justifications on why a right could not be fulfilled or providing information about another entity who should be approached for exercising this right.
Examples dex:E0058 :: Expressing a right exercise request is delayed due to high volume of requests
dex:E0061 :: Associating justifications with right exercise non-fulfilment
Date Created 2022-11-02
Contributors Harshvardhan J. Pandit, Beatriz Esteves
See More: section RIGHTS in DEX

6.1.10 Right Notice

Term RightNotice Prefix dpv
Label Right Notice
IRI https://w3id.org/dpv#RightNotice
Type rdfs:Class, skos:Concept, dpv:OrganisationalMeasure
Broader/Parent types dpv:Noticedpv:OrganisationalMeasuredpv:TechnicalOrganisationalMeasure
Object of relation dpv:hasNotice, dpv:hasOrganisationalMeasure, dpv:hasTechnicalOrganisationalMeasure
Definition Information associated with rights, such as which rights exist, when and where they are applicable, and other relevant information
Usage Note This concept also covers information about rights exercise, with dpv:RightExerciseNotice specifically representing information provided in connection with exercising of rights. Both notices may be needed, e.g. RightNotice for providing information about existence and exercise of rights, and RightExerciseNotice for providing additional information specifically about exercise of rights - such as to request more information or provide updates on an exercised rights request
Date Created 2024-06-16
Contributors Harshvardhan J. Pandit
See More: section RIGHTS in DPV

6.2 Properties

6.2.1 has justification

Term hasJustification Prefix dpv
Label has justification
IRI https://w3id.org/dpv#hasJustification
Type rdf:Property, skos:Concept
Domain includes dpv:RightExerciseActivity
Range includes dpv:Justification
Definition Indicates a justification for specified concept or context
Usage Note Also used for specifying a justification for non-fulfilment of Right Exercise
Examples dex:E0057 :: Expressing GDPR Right to Data Portability could not be fulfilled due to Identity Verification failure
dex:E0058 :: Expressing a right exercise request is delayed due to high volume of requests
dex:E0059 :: Exercising the right to rectification with contesting accuracy of information as justification
dex:E0061 :: Associating justifications with right exercise non-fulfilment
dex:E0062 :: Using justifications across categories
dex:E0063 :: Expressing data breach notifications to data subjects are not required using a justification
Date Created 2022-06-15
Contributors Harshvardhan J. Pandit
See More: section CONTEXT in DEX , section RIGHTS in DEX

6.2.2 has recipient

Term hasRecipient Prefix dpv
Label has recipient
IRI https://w3id.org/dpv#hasRecipient
Type rdf:Property, skos:Concept
Broader/Parent types dpv:hasEntity
Sub-property of dpv:hasEntity
Domain includes dpv:RightExerciseActivity
Range includes dpv:Recipient
Definition Indicates Recipient of Data
Usage Note Also used to indicate the Recipient of a Right Exercise Activity
Source SPECIAL Project
Date Created 2019-04-04
Date Modified 2020-11-04
Contributors Axel Polleres, Javier Fernández, Harshvardhan J. Pandit, Mark Lizar, Bud Bruegger
See More: section ENTITIES-LEGALROLE in DPV , section RIGHTS in DPV

6.2.3 has right

Term hasRight Prefix dpv
Label has right
IRI https://w3id.org/dpv#hasRight
Type rdf:Property, skos:Concept
Range includes dpv:Right
Definition Indicates use or applicability of Right
Examples dex:E0061 :: Associating justifications with right exercise non-fulfilment
dex:E0067 :: Indicating applicable rights
Date Created 2020-11-18
Contributors Harshvardhan J. Pandit
See More: section RIGHTS in DEX

6.2.4 has status

Term hasStatus Prefix dpv
Label has status
IRI https://w3id.org/dpv#hasStatus
Type rdf:Property, skos:Concept
Domain includes dpv:RightExerciseActivity
Range includes dpv:Status
Definition Indicates the status of specified concept
Usage Note Also used to Indicate the status of a Right Exercise Activity
Examples dex:E0069 :: Using DPV and RISK extension to represent incidents
Date Created 2022-05-18
Contributors Harshvardhan J. Pandit
See More: section CONTEXT-STATUS in DEX , section RIGHTS in DEX

6.2.5 is after

Term isAfter Prefix dpv
Label is after
IRI https://w3id.org/dpv#isAfter
Type rdf:Property, skos:Concept
Domain includes dpv:RightExerciseActivity
Range includes dpv:RightExerciseActivity
Definition Indicates the specified concepts is 'after' this concept in some context
Usage Note Also used for specifying a RightExerciseActivity occurs before another RightExerciseActivity
Date Created 2022-03-02
Contributors Georg P. Krog, Harshvardhan J. Pandit, Julian Flake
See More: section CONTEXT in DPV , section RIGHTS in DPV

6.2.6 is before

Term isBefore Prefix dpv
Label is before
IRI https://w3id.org/dpv#isBefore
Type rdf:Property, skos:Concept
Domain includes dpv:RightExerciseActivity
Range includes dpv:RightExerciseActivity
Definition Indicates the specified concepts is 'before' this concept in some context
Usage Note Also used for specifying a RightExerciseActivity occurs before another RightExerciseActivity
Date Created 2022-03-02
Contributors Georg P. Krog, Harshvardhan J. Pandit, Julian Flake
See More: section CONTEXT in DPV , section RIGHTS in DPV

6.2.7 is exercised at

Term isExercisedAt Prefix dpv
Label is exercised at
IRI https://w3id.org/dpv#isExercisedAt
Type rdf:Property, skos:Concept
Domain includes dpv:ActiveRight
Range includes dpv:RightExerciseNotice
Definition Indicates context or information about exercising a right
Date Created 2022-10-22
Contributors Harshvardhan J. Pandit
See More: section RIGHTS in DPV

6.2.8 is implemented by entity

Term isImplementedByEntity Prefix dpv
Label is implemented by entity
IRI https://w3id.org/dpv#isImplementedByEntity
Type rdf:Property, skos:Concept
Domain includes dpv:RightExerciseActivity
Range includes dpv:Entity
Definition Indicates implementation details such as entities or agents
Usage Note Also used to indicate the Entity that implements or performs a Right Exercise Activity
Usage Note The use of 'entity' is inclusive of entities (e.g. Data Processor) as well as 'agent' (e.g. DPO). For indicating technological implementation, the property isImplementedByTechnology should be used.
Examples dex:E0037 :: Indicating type of organisation and involvement of specific orgnisational units
Date Created 2019-05-07
Date Modified 2022-01-26
Contributors Axel Polleres, Harshvardhan J. Pandit, Beatriz Esteves, Paul Ryan, Julian Flake
See More: section PROCESSING-CONTEXT in DEX , section RIGHTS in DEX

6.3 External

DPV uses the following terms from [RDF] and [RDFS] with their defined meanings:

The following external concepts are re-used within DPV:

6.3.1 dcat:Resource

Term dcat:Resource Prefix dcat
Label dcat:Resource
IRI http://www.w3.org/ns/dcat#Resource
Type rdfs:Class, skos:Concept
Usage Note A dataset, data service, or any other resource associated with Right Exercise - such as for providing a copy of data
Date Created 2022-11-02
See More: section RIGHTS in DPV

6.3.2 dct:accessRights

Term dct:accessRights Prefix dct
Label dct:accessRights
IRI http://purl.org/dc/terms/accessRights
Type rdf:Property, skos:Concept
Usage Note Also used for specifying constraints on access associated with Rights Exercising (e.g. User must log in) or access to provided data (e.g. access via link)
See More: section RIGHTS in DPV

6.3.3 dct:format

Term dct:format Prefix dct
Label dct:format
IRI http://purl.org/dc/terms/format
Type rdf:Property, skos:Concept
Usage Note Also used for specifying the format of provided information, for example a CSV dataset
See More: section RIGHTS in DPV

6.3.4 dct:hasPart

Term dct:hasPart Prefix dct
Label dct:hasPart
IRI http://purl.org/dc/terms/hasPart
Type rdf:Property, skos:Concept
Domain includes dpv:RightExerciseRecord
Range includes dpv:RightExerciseActivity
Usage Note Also used for specifying a RightExerciseRecord has RightExerciseActivity as part of its records
See More: section RIGHTS in DPV

6.3.5 dct:isPartOf

Term dct:isPartOf Prefix dct
Label dct:isPartOf
IRI http://purl.org/dc/terms/isPartOf
Type rdf:Property, skos:Concept
Domain includes dpv:RightExerciseActivity
Range includes dpv:RightExerciseRecord
Usage Note Also used for specifying a RightExerciseActivity is part of a RightExerciseRecord
See More: section RIGHTS in DPV

6.3.6 dct:valid

Term dct:valid Prefix dct
Label dct:valid
IRI http://purl.org/dc/terms/valid
Type rdf:Property, skos:Concept
Usage Note Also used for specifying the temporal validity of an activity associated with Right Exercise. For example, limits on duration for providing or accessing provided information
See More: section RIGHTS in DPV

6.3.7 foaf:page

Term foaf:page Prefix foaf
Label foaf:page
IRI http://xmlns.com/foaf/0.1/page
Type rdf:Property, skos:Concept
Domain includes dpv:RightExerciseActivity
Usage Note Also used to indicate a web page or document providing information or functionality associated with a Right Exercise
See More: section RIGHTS in DPV

7. Contributors

The following people have contributed to this vocabulary. The names are ordered alphabetically. The affiliations are informative do not represent formal endorsements. Affiliations may be outdated. The list is generated automatically from the contributors listed for defined concepts.

Funding Acknowledgements

Funding Sponsors

The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.

Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.

The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).

Funding Acknowledgements for Contributors

The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.

A. References

A.1 Informative references

[AI]
AI Technology concepts for DPV. URL: https://w3id.org/dpv/ai
[DCAT]
Data Catalog Vocabulary (DCAT). URL: http://www.w3.org/ns/dcat
[DCT]
DCMI Metadata Terms (DCT). URL: https://www.dublincore.org/specifications/dublin-core/dcmi-terms/
[DPV]
Data Privacy Vocabulary (DPV) Specification. URL: https://w3id.org/dpv
[DPVCG]
W3C Data Privacy Vocabularies and Controls Community Group (DPVCG). URL: https://www.w3.org/community/dpvcg/
[GUIDES]
Guides for DPV. URL: https://w3id.org/dpv/guides
Legal Jurisdiction-relevant concepts for DPV. URL: https://w3id.org/dpv/legal
[LOC]
Location and Geo-Political Membership concepts for DPV. URL: https://w3id.org/dpv/loc
[PD]
Personal Data categories for DPV. URL: https://w3id.org/dpv/pd
[PRIMER]
Primer for Data Privacy Vocabulary. URL: https://w3id.org/dpv/primer
[RDF]
RDF 1.1 Concepts and Abstract Syntax. URL: https://www.w3.org/TR/rdf11-concepts/
[RDFS]
RDF Schema 1.1. URL: https://www.w3.org/TR/rdf-schema/
[RISK]
Risk Assessment and Management concepts for DPV. URL: https://w3id.org/dpv/risk
[TECH]
Technology concepts for DPV. URL: https://w3id.org/dpv/tech