-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathindex.html
1532 lines (1461 loc) · 95.1 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
@ -0,0 +1,40 @@
<!DOCTYPE html>
<html>
<head>
<title>Rights Exercising with DPV</title>
<meta http-equiv='Content-Type' content='text/html;charset=utf-8' />
<script src="https://www.w3.org/Tools/respec/respec-w3c" class="remove" defer></script>
<script type="text/javascript" class="remove">
var respecConfig = {
title: "Rights Exercising with DPV",
subtitle: "",
shortName: "rights",
specStatus: "unofficial",
latestVersion: "https://besteves4.github.io/dpv-rights-exercising/",
publishDate: "2024-02-07",
doJsonLd: true,
maxToclevel: 3,
github: "besteves4/dpv-rights-exercising",
includePermalinks: false,
editors: [{
name: "Beatriz Esteves",
url: "https://besteves4.github.io/",
company: "",
companyURL: ""
}],
authors: [{
name: "Beatriz Esteves",
url: "https://besteves4.github.io/",
company: "",
companyURL: ""
}],
};
</script>
<link rel="stylesheet" href="css/style.css">
</head>
<body>
<section id="abstract">
This document provides guidelines and examples on how to express information about the management and exercising of rights,
in particular related to the data subject rights enacted in the GDPR, using the Data Privacy Vocabulary (DPV) and other
semantic standards.
</section>
<section id="overview">
<h2>Overview</h2>
<p>
This document provides guidelines and examples to express information about
</p>
<ul>
<li>associating personal data processes with applicable rights</li>
<li>notifying rights-related activities</li>
<li>recording rights being exercised</li>
<li>automating the execution of GDPR-related rights requests with policies</li>
</ul>
<h3>Namespaces</h3>
<table class="tg">
<thead>
<tr>
<th class="tg-0lax">Prefix</th>
<th class="tg-0lax">Namespace</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tg-0lax">dcat</td>
<td class="tg-0lax"><a href="http://www.w3.org/ns/dcat#" target="_blank">http://www.w3.org/ns/dcat#</a></td>
</tr>
<tr>
<td class="tg-0lax">dcterms</td>
<td class="tg-0lax"><a href="http://purl.org/dc/terms/" target="_blank">http://purl.org/dc/terms/</a></td>
</tr>
<tr>
<td class="tg-0lax">dpv</td>
<td class="tg-0lax"><a href="https://w3id.org/dpv#" target="_blank">https://w3id.org/dpv#</a></td>
</tr>
<tr>
<td class="tg-0lax">eu-gdpr</td>
<td class="tg-0lax"><a href="https://w3id.org/dpv/legal/eu/gdpr#" target="_blank">https://w3id.org/dpv/legal/eu/gdpr#</a></td>
</tr>
<tr>
<td class="tg-0lax">ex</td>
<td class="tg-0lax"><a href="https://example.org/" target="_blank">https://example.org/</a></td>
</tr>
<tr>
<td class="tg-0lax">foaf</td>
<td class="tg-0lax"><a href="http://xmlns.com/foaf/0.1/" target="_blank">http://xmlns.com/foaf/0.1/</a></td>
</tr>
<tr>
<td class="tg-0lax">justifications</td>
<td class="tg-0lax"><a href="https://w3id.org/dpv/justifications#" target="_blank">https://w3id.org/dpv/justifications#</a></td>
</tr>
<tr>
<td class="tg-0lax">legal-eu</td>
<td class="tg-0lax"><a href="https://w3id.org/dpv/legal/eu#" target="_blank">https://w3id.org/dpv/legal/eu#</a></td>
</tr>
<tr>
<td class="tg-0lax">legal-gb</td>
<td class="tg-0lax"><a href="https://w3id.org/dpv/legal/gb#" target="_blank">https://w3id.org/dpv/legal/gb#</a></td>
</tr>
<tr>
<td class="tg-0lax">loc</td>
<td class="tg-0lax"><a href="https://w3id.org/dpv/loc#" target="_blank">https://w3id.org/dpv/loc#</a></td>
</tr>
<tr>
<td class="tg-0lax">oac</td>
<td class="tg-0lax"><a href="https://w3id.org/oac#" target="_blank">https://w3id.org/oac#</a></td>
</tr>
<tr>
<td class="tg-0lax">odrl</td>
<td class="tg-0lax"><a href="http://www.w3.org/ns/odrl/2/" target="_blank">http://www.w3.org/ns/odrl/2/</a></td>
</tr>
<tr>
<td class="tg-0lax">pd</td>
<td class="tg-0lax"><a href="https://w3id.org/dpv/pd#" target="_blank">https://w3id.org/dpv/pd#</a></td>
</tr>
<tr>
<td class="tg-0lax">prov</td>
<td class="tg-0lax"><a href="http://www.w3.org/ns/prov#" target="_blank">http://www.w3.org/ns/prov#</a></td>
</tr>
<tr>
<td class="tg-0lax">skos</td>
<td class="tg-0lax"><a href="http://www.w3.org/2004/02/skos/core#" target="_blank">http://www.w3.org/2004/02/skos/core#</a></td>
</tr>
<tr>
<td class="tg-0lax">time</td>
<td class="tg-0lax"><a href="http://www.w3.org/2006/time#" target="_blank">http://www.w3.org/2006/time#</a></td>
</tr>
<tr>
<td class="tg-0lax">xsd</td>
<td class="tg-0lax"><a href="http://www.w3.org/2001/XMLSchema#" target="_blank">http://www.w3.org/2001/XMLSchema#</a></td>
</tr>
</tbody>
</table>
</section>
<section id="rights">
<h2>Associating processes with rights</h2>
<p>
This section outlines how to indicate existing applicable data subject rights associated with a process,
using DPV and the EU GDPR extension to represent rights available under the GDPR.
</p>
<p>
A process can be used to express information regarding the what, how, where, who, and why personal data
is being processed, as well as what rights exist.
For indicating applicable GDPR rights, DPV's
<a href="https://w3id.org/dpv/legal/eu/gdpr" target="_blank">EU GDPR extension</a>
provides a mapping between legal bases and the applicable data subject rights.
This pattern can be followed by data controllers
to express which rights are applicable, including rights beyond the ones in the GDPR, e.g.,
<a href="https://w3id.org/dpv/legal/eu/rights" target="_blank">EU's fundamental rights</a>
and the rights depicted in other EU regulations or in other jurisdictions.
</p>
<aside class="example" id="eu-rights" title="Associate process with applicable rights">
<p>
Example of a process where the data controller uses the data subject's email address
for the provision of services based on GDPR consent and indicates the applicable
GDPR data subject rights.
</p>
<div>
<pre class="nohighlight">
ex:ProcessEmailForServiceProvision a dpv:Process ;
dpv:hasDataController ex:DataController ;
dpv:hasPersonalData pd:EmailAddress ;
dpv:hasProcessing dpv:Use ;
dpv:hasPurpose dpv:ServiceProvision ;
dpv:hasLegalBasis eu-gdpr:A6-1-a ;
dpv:hasRight eu-gdpr:A7-3, eu-gdpr:A13, eu-gdpr:A14, eu-gdpr:A15, eu-gdpr:A16,
eu-gdpr:A17, eu-gdpr:A18, eu-gdpr:A20, eu-gdpr:A22, eu-gdpr:A77 .
ex:DataController a dpv:DataController .
</pre>
</div>
</aside>
<aside class="example" id="eu-gb-rights" title="Associate process with applicable rights from different jurisdictions">
<p>
Example of a process where the data controller uses the data subject's email address
for the provision of services based on GDPR consent and indicates the applicable
EU and GB data subject rights.
</p>
<div>
<pre class="nohighlight">
ex:ProcessEmailForServiceProvision a dpv:Process ;
dpv:hasDataController ex:DataController ;
dpv:hasPersonalData pd:EmailAddress ;
dpv:hasProcessing dpv:Use ;
dpv:hasPurpose dpv:ServiceProvision ;
dpv:hasScope [
dpv:hasLegalBasis eu-gdpr:A6-1-a ;
dpv:hasJurisdiction loc:EU ;
dpv:hasApplicableLaw legal-eu:law-GDPR ;
dpv:hasRight eu-gdpr:A7-3, eu-gdpr:A13, eu-gdpr:A14, eu-gdpr:A15, eu-gdpr:A16,
eu-gdpr:A17, eu-gdpr:A18, eu-gdpr:A20, eu-gdpr:A22, eu-gdpr:A77
] ;
dpv:hasScope [
dpv:hasLegalBasis ex:GB-GDPR-consent ;
dpv:hasJurisdiction loc:GB ;
dpv:hasApplicableLaw legal-gb:law-GDPR, legal-gb:law-DPA ;
dpv:hasRight ex:RightOfAccess # not complete, other rights exist
] .
ex:RightOfAccess a dpv:Right ;
skos:broader dpv:DataSubjectRight ;
dcterms:description "Right of access to personal data related to the data subject" ;
dpv:hasApplicableLaw legal-gb:law-GDPR .
ex:GB-GDPR-consent a dpv:LegalBasis ;
skos:broader dpv:Consent ;
dcterms:description "Consent given by the data subject" ;
dpv:hasApplicableLaw legal-gb:law-GDPR .
</pre>
</div>
</aside>
</section>
<section id="notices">
<h2>Notifying rights-related activities</h2>
<p>
This section outlines how to provide notices related with rights exercising management.
Generic <a href="https://w3id.org/dpv#RightNotice" target="_blank">right notices</a>
can be provided to indicate which rights exist, when and where they are applicable, and other relevant information.
Notices can be associated with specific processes or activities using the
<a href="https://w3id.org/dpv#hasNotice" target="_blank">hasNotice</a> property.
<code>dcterms:issued</code> and <code>dcterms:valid</code> can be used to indicate temporal information
related to notices, i.e., when it was issued and until when it is valid.
Descriptions and identifiers of the notices and their creators/publishers can be recorded using
<a href="http://purl.org/dc/terms/" target="_blank">DCMI Metadata Terms</a>.
The notices should also include information about the data controller as well as the entity implementing the notice,
which can be the data controller or another entity acting on behalf of the data controller,
using <code>dpv:hasDataController</code> and <code>dpv:isImplementedByEntity</code>, respectively.
<code>foaf:page</code> can be used to indicate a document, e.g., Webpage, containing the contents of the
notice and further functionalities.
</p>
<aside class="example" id="right-notice" title="Notice with applicable rights">
<p>
Example of a notice that details the applicable rights under EU's GDPR, <code>issued</code> on
December 1st, 2024, and <code>valid</code> until December 31st, 2024.
The notice has information about the data controller as well as the entity implementing it.
The webpage available at <code>https://example.org/DataController/RightNotice</code>
can be consulted for a human-readable version of the notice.
</p>
<div>
<pre class="nohighlight">
ex:RightNotice a dpv:RightNotice ;
dcterms:description "Rights notice of data controller, valid until the end of December 2024"^^xsd:string ;
dcterms:issued "2024-01-01"^^xsd:date ;
dcterms:valid "2024-12-31"^^xsd:date ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
dpv:hasApplicableLaw legal-eu:law-GDPR ;
dpv:hasRight eu-gdpr:A7-3, eu-gdpr:A13, eu-gdpr:A14, eu-gdpr:A15, eu-gdpr:A16,
eu-gdpr:A17, eu-gdpr:A18, eu-gdpr:A20, eu-gdpr:A22, eu-gdpr:A77 ;
foaf:page <https://example.org/DataController/RightNotice> .
</pre>
</div>
</aside>
<p>
<a href="https://w3id.org/dpv#RightExerciseNotice" target="_blank">Right exercise notices</a>
should be used to notify data subjects on where and how to exercise an active right,
which information is required, or to provide updates on an exercised right request.
Beyond the previously mentioned properties,
DPV's <a href="https://w3id.org/dpv#isExercisedAt" target="_blank">isExercisedAt</a> property
can be used to associate rights with specific right exercise points, i.e., through right exercise notices,
and information required to exercise a right through the association with a process, using
DPV's <a href="https://w3id.org/dpv#hasProcess" target="_blank">hasProcess</a> property.
The <a href="https://w3id.org/dpv#hasRecipient" target="_blank">hasRecipient</a>,
<a href="https://w3id.org/dpv#hasStatus" target="_blank">hasStatus</a>, and
<a href="https://w3id.org/dpv#hasJustification" target="_blank">hasJustification</a>
properties can be used to provide updates to the data subject on the status of a specific right exercising
activity, including a justification to why such right is being exercised.
</p>
<aside class="example" id="exercise-notice" title="Right exercise notice with information to be provided by the data subject">
<p>
Example of a rights exercise notice that details the rights, under EU's GDPR, that can be exercised
at <code>https://example.org/DataController/RightExercisePoint</code>.
To exercise such rights, the data subject's account identifier needs to be provided to the data controller
to collect and store, for the purpose of identity verification.
</p>
<div>
<pre class="nohighlight">
ex:RightExercisePoint a dpv:RightExerciseNotice ;
dcterms:description "Exercise notice of data controller, valid until the end of December 2024"^^xsd:string ;
dcterms:issued "2024-01-01"^^xsd:date ;
dcterms:valid "2024-12-31"^^xsd:date ;
dpv:hasRight eu-gdpr:A7-3, eu-gdpr:A15, eu-gdpr:A16, eu-gdpr:A17, eu-gdpr:A20 ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
foaf:page <https://example.org/DataController/RightExercisePoint> ;
dpv:hasProcess [
dpv:hasPurpose dpv:IdentityVerification ;
dpv:hasPersonalData pd:AccountIdentifier ;
dpv:hasProcessing dpv:Collect, dpv:Store ;
dpv:hasRecipientDataController ex:DataController ] .
# Associating specific rights with specific exercise notices
ex:RightToErasure a eu-gdpr:A17 ;
dpv:isExercisedAt ex:RightExercisePoint .
</pre>
</div>
</aside>
<aside class="example" id="exercise-update" title="Providing an update on an exercised right to erasure">
<p>
Example of a right exercise update notice that contains the status of the exercised right,
that can be consulted in human-readable format at <code>https://example.org/DataController/UpdateRightToErasure</code>.
The justification used by the data subject to initiate the request to erasure is based on
the data processing not being necessary.
</p>
<div>
<pre class="nohighlight">
ex:UpdateRightToErasure a dpv:RightExerciseNotice ;
dcterms:description "Exercise notice update provided to the data subject"^^xsd:string ;
dcterms:issued "2024-08-24"^^xsd:date ;
dpv:hasRight ex:RightToErasure ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
foaf:page <https://example.org/DataController/UpdateRightToErasure> ;
dpv:hasRecipient ex:DataSubject ;
dpv:hasStatus dpv:RequestInitiated ;
dpv:hasJustification justifications:NonNecessityObjection .
ex:DataSubject a dpv:DataSubject .
</pre>
</div>
</aside>
<p>
Specific notices to inform of the
<a href="https://w3id.org/dpv#RightFulfilmentNotice" target="_blank">fulfilment</a>,
<a href="https://w3id.org/dpv#RightFulfilmentNotice" target="_blank">towards fulfilment</a> or about the
<a href="https://w3id.org/dpv#RightNonFulfilmentNotice" target="_blank">non-fulfilment</a>
of a right are also provided.
Required actions that need to be performed by entities towards the fulfilment of a certain rights-related
request, that cannot be sufficiently detailed using DPV, e.g., issuance of payment terms, can be attached
to notices using policy languages such as
<a href="https://www.w3.org/TR/odrl-model/" target="_blank">Open Digital Rights Language (ODRL)</a>.
The period of time the entities have to execute the required actions can also be expressed using ODRL
constraints and/or can be included in the notices using DPV's
<a href="https://w3id.org/dpv#Duration" target="_blank">Duration</a> concepts.
</p>
<aside class="example" id="fulfillment-notice" title="Notice of fulfillment related to an exercised right to erasure">
<p>
Example of a notice of fulfillment related to an exercised right to erasure,
that can be consulted in human-readable format at <code>https://example.org/DataController/FulfilRightToErasure</code>.
</p>
<div>
<pre class="nohighlight">
ex:FulfilRightToErasure a dpv:RightFulfilmentNotice ;
dcterms:description "Notice of fulfillment related to the exercised right to erasure"^^xsd:string ;
dcterms:issued "2024-08-27"^^xsd:date ;
dpv:hasRight ex:RightToErasure ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
foaf:page <https://example.org/DataController/FulfilRightToErasure> ;
dpv:hasRecipient ex:DataSubject ;
dpv:hasStatus dpv:RequestFulfilled .
</pre>
</div>
</aside>
<aside class="example" id="towards-fulfillment" title="Notice of required action towards the fulfillment of an exercised right to erasure">
<p>
Example of a notice with information towards the fulfillment of an exercised right to erasure,
that can be consulted in human-readable format at <code>https://example.org/DataController/PaymentRightToErasure</code>.
In this case, the data controller requires the data subject to make a payment as the data subject's
request as been deemed excessive by the data controller.
The terms of the payment are described in the ODRL policy identified in
<code>https://example.org/DataController/PaymentRightToErasure/terms></code>.
</p>
<div>
<pre class="nohighlight">
ex:PaymentRightToErasure a dpv:RightFulfilmentNotice ;
dcterms:description "Notice of needed payment towards the fulfillment of the exercised right to erasure"^^xsd:string ;
dcterms:issued "2024-08-29"^^xsd:date ;
dpv:hasRight ex:RightToErasure ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
foaf:page <https://example.org/DataController/PaymentRightToErasure> ;
dpv:hasRecipient ex:DataSubject ;
dpv:hasStatus dpv:RequestRequiresAction ;
dpv:hasJustification justifications:ProcessExcessive ;
odrl:hasPolicy ex:PaymentRequired .
ex:PaymentRequired a odrl:Policy ;
odrl:uid <https://example.org/DataController/PaymentRightToErasure/terms>
odrl:obligation [
odrl:assigner ex:DataController ;
odrl:assignee ex:DataSubject ;
odrl:action [
rdf:value odrl:compensate ;
odrl:refinement [
odrl:leftOperand odrl:payAmount ;
odrl:operator odrl:eq ;
odrl:rightOperand "100.00"^^xsd:decimal ;
odrl:unit <http://dbpedia.org/resource/Euro>
]
] ;
odrl:constraint [
odrl:leftOperand odrl:elapsedTime ;
odrl:operator odrl:eq ;
odrl:rightOperand "P14D"^^xsd:duration
]
] .
</pre>
</div>
</aside>
<aside class="example" id="nonfulfillment-notice" title="Notice of non-fulfillment related to an exercised right to erasure">
<p>
Example of a notice of non-fulfillment related to an exercised right to erasure,
that can be consulted in human-readable format at <code>https://example.org/DataController/RejectRightToErasure</code>.
The request will not be fulfilled since it would interfere with the right of freedom of expression and information
of others, as indicated by the <code>FreedomOfExpressionImpaired</code> justification.
</p>
<div>
<pre class="nohighlight">
ex:RejectRightToErasure a dpv:RightNonFulfilmentNotice ;
dcterms:description "Notice of non-fulfillment related to an exercised right to erasure"^^xsd:string ;
dcterms:issued "2024-09-06"^^xsd:date ;
dpv:hasRight ex:RightToErasure ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
foaf:page <https://example.org/DataController/RejectRightToErasure> ;
dpv:hasRecipient ex:DataSubject ;
dpv:hasStatus dpv:RequestUnfulfilled ;
dpv:hasJustification justifications:FreedomOfExpressionImpaired .
</pre>
</div>
</aside>
<p>
For GDPR-specific notices, the
<a href="https://w3id.org/dpv/legal/eu/gdpr" target="_blank">EU GDPR extension</a>
provides concepts for
<a href="https://w3id.org/dpv/legal/eu/gdpr#DirectDataCollectionNotice" target="_blank">direct</a> and
<a href="https://w3id.org/dpv/legal/eu/gdpr#IndirectDataCollectionNotice" target="_blank">indirect</a>
data collection notices, required by GDPR's Articles 13 and 14, respectively,
<a href="https://w3id.org/dpv/legal/eu/gdpr#SARNotice" target="_blank">Subject Access Request (SAR) notices</a>
to fulfil GDPR Right of Access, and
<a href="https://w3id.org/dpv/legal/eu/gdpr#RightsRecipientsNotice" target="_blank">recipient notices</a>
to fulfil GDPR's Art.19 notification requirements, regarding the recipients to whom a rights exercise
has been communicated, such as the right to rectification (Art.16), right to erasure (Art.17) or right to restriction
of processing (Art.18).
</p>
<p>
In the case of GDPR's Articles 13 and 14, the data subject should be notified of the identity and contacts of the
data controller and of the controller's representative if applicable, as well as receive notice of the contact details
of the controller's data protection officer. The notice should also include the purposes and legal basis for data
processing, and, in case such basis is the legitimate interests pursued by the controller or by a third party, said
interests should be specified. Data subjects should also be made aware of any recipients or categories of recipients
of the personal data, and, if applicable, about transfers of personal data to a third country or international
organisation, including the existence or absence of an adequacy decision for said country and applicable safeguards.
Furthermore, data subjects should be notified with regards to the data storage period, as well as their existing rights,
namely the rights to withdraw consent and to lodge a complaint and the rights of access, rectification, erasure,
restriction of processing, object and data portability.
In case the provision of personal data is necessary for statutory or contractual obligations or there is automated
decision-making, it should also be disclosed to the data subject.
Beyond the previously mentioned information, GDPR's Article 14 also requires the data subject to be notified about
processed categories of data and their respective sources.
</p>
<div class="note" title="Connection with privacy notices">
How does it related with the ISO/IEC 29184 Privacy Notice standard? Also see issue at
<a href="https://github.com/w3c/dpv/issues/91" target="_blank">https://github.com/w3c/dpv/issues/91</a>.
</div>
<p>
In the case of the SAR notice, a DPV process can be used to notify the data subject about the type of personal data
being processed, the purpose for the processing, and to which recipients it was disclosed.
The storage period of the data is also indicated, as well as the existence of other data subject rights
and the source of the data if not collected from the data subject.
In case there is automated decision-making, it should also be disclosed to the data subject.
</p>
<div class="issue" title="What constitutes a valid legitimate interest?">
Is there a list of legitimate interests validated by authorities/case law?
</div>
<div class="issue" title="Modelling of categories of recipients">
According to GDPR's Articles 13, 14, and 15, in the case data is shared with any recipients, these can be notified to the
data subject by their category type instead of naming each recipient individually. DPV currently does not have
such a taxonomy. Can we reuse an existent one or should we define one in DPV itself?
</div>
<div class="issue" title="Modelling of information related to automated decision-making and logic involved">
According to GDPR's Articles 13, 14, and 15, in the case of the existence of automated decision-making,
including profiling, the data subject must be informed about it when exercising its right of access.
While DPV already includes concepts to model automation and decision-making, work still needs to be done to
come up with a model to represent information <i>"about the logic involved, as well as the significance and
the envisaged consequences of such processing for the data subject"</i>.
</div>
<aside class="example" id="collection-notice" title="Notice of direct data collection related to GDPR's Article 13">
<p>
Example of a notice of direct data collection related to GDPR's Article 13, that can be consulted
in human-readable format at <code>https://example.org/DataController/DataCollection</code>.
Identity and contact details of the data controller and its representative and DPO are provided.
The collected data was used for <code>ServiceProvision</code>, under GDPR's Article 6.1(a) legal basis,
and it was disclosed to <code>CompanyX</code>, <code>CompanyY</code>, and <code>CompanyZ</code>.
The data was collected from the data subject, from January 1st, 2023 to December 31st, 2023.
</p>
<div>
<pre class="nohighlight">
ex:DataCollection_Notice a eu-gdpr:DirectDataCollectionNotice ;
dcterms:description "Notice of direct data collection related to GDPR's Article 13"^^xsd:string ;
dcterms:issued "2024-08-01"^^xsd:date ;
dpv:hasRight eu-gdpr:A13 ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
foaf:page <https://example.org/DataController/DataCollection> ;
dpv:hasRecipient ex:DataSubject ;
dpv:hasProcess [
dpv:hasPurpose dpv:ServiceProvision ;
dpv:hasLegalBasis eu-gdpr:A6-1-a ;
dpv:hasRecipient ex:CompanyX, ex:CompanyY, ex:CompanyZ ;
dpv:hasDuration [
time:hasBeginning "2023-01-01"^^xsd:date ;
time:hasEnd "2023-12-31"^^xsd:date
] ;
dpv:hasRight A7-3, eu-gdpr:A15, eu-gdpr:A16, eu-gdpr:A17, eu-gdpr:A18,
eu-gdpr:A20, eu-gdpr:A21, eu-gdpr:A77 ;
# In case it is an dpv:IndirectDataCollectionNotice data type and source should also be present
dpv:hasDataSource dpv:ThirdPartyDataSource ;
dpv:hasPersonalData pd:EmailAddress
] .
ex:DataController a dpv:DataController ;
dpv:hasName "Data Controller Y"^^xsd:string ;
dpv:hasAddress "Address of Data Controller Y"^^xsd:string ;
dpv:hasContact "mailto:datacontrollery@mail.com"^^xsd:string ;
dpv:hasRepresentative ex:DataControllerRep ;
dpv:hasDataProtectionOfficer ex:DataControllerDPO .
</pre>
</div>
</aside>
<aside class="example" id="SAR-notice" title="Notice of fulfillment related to GDPR's Right of Access">
<p>
Example of a notice of fulfillment related to an exercised GDPR's Right of Access, that can be consulted
in human-readable format at <code>https://example.org/DataController/SARFulfilled_Notice</code>.
<code>EmailAddress</code> was used for <code>ServiceProvision</code> and it was disclosed to <code>CompanyX</code>.
The data was sourced from the data subject and collected from January 1st, 2022 to December 31st, 2022.
</p>
<div>
<pre class="nohighlight">
ex:SARFulfilled_Notice a eu-gdpr:SARNotice ;
dcterms:description "Notice of fulfillment related to GDPR's Right of Access"^^xsd:string ;
dcterms:issued "2024-08-07"^^xsd:date ;
dpv:hasRight eu-gdpr:A15 ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
foaf:page <https://example.org/DataController/SARFulfilled_Notice> ;
dpv:hasRecipient ex:DataSubject ;
dpv:hasStatus dpv:RequestFulfilled ;
dpv:hasProcess [
dpv:hasPurpose dpv:ServiceProvision ;
dpv:hasPersonalData pd:EmailAddress ;
dpv:hasRecipient ex:CompanyX ;
dpv:hasDuration [
time:hasBeginning "2022-01-01"^^xsd:date ;
time:hasEnd "2022-12-31"^^xsd:date
] ;
dpv:hasRight eu-gdpr:A16, eu-gdpr:A17, eu-gdpr:A18, eu-gdpr:A21, eu-gdpr:A77 ;
dpv:hasDataSource dpv:DataSubjectDataSource
] .
</pre>
</div>
</aside>
<aside class="example" id="recipients-notice" title="Notice of recipients to whom an exercised right to erasure was communicated">
<p>
Example of a notice of recipients to whom an exercised right to erasure was communicated, that can be consulted
in human-readable format at <code>https://example.org/DataController/Recipients_Notice</code>.
<code>dpv:hasProcess</code> is used to effectively communicate which right was exercised by the data subject receiving the notice -
<code>eu-gdpr:A17</code> in the example - and the recipients to whom the personal data have been disclosed -
<code>ex:CompanyX, ex:CompanyY, ex:CompanyZ</code> in the example.
</p>
<div>
<pre class="nohighlight">
ex:Recipients_Notice a eu-gdpr:RightsRecipientsNotice ;
dcterms:description "Notice of recipients to whom an exercised right to erasure was communicated"^^xsd:string ;
dcterms:issued "2024-08-08"^^xsd:date ;
dpv:hasRight eu-gdpr:A19 ;
dpv:hasRecipient ex:DataSubject ;
dpv:hasDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataController ;
foaf:page <https://example.org/DataController/Recipients_Notice> ;
dpv:hasProcess [
dpv:hasRight eu-gdpr:A17 ;
dpv:hasRecipient ex:CompanyX, ex:CompanyY, ex:CompanyZ
] .
ex:CompanyX a dpv:Recipient ;
dpv:hasName "Company X"^^xsd:string ;
dpv:hasAddress "Address of Company X"^^xsd:string ;
dpv:hasContact "mailto:companyy@mail.com"^^xsd:string .
</pre>
</div>
</aside>
</section>
<section id="records">
<h2>Recording rights being exercised</h2>
<p>
This section outlines the information that needs to be recorded and maintained when a concrete
instance of a right was or is being exercised. Keeping such records is of interest to data controllers
to have machine-readable information about the status and fulfillment of requests, which can be used,
e.g., by auditors. To represent concrete records of rights being exercised, the
<a href="https://w3id.org/dpv#RightExerciseRecord" target="_blank">RightExerciseRecord</a> concept,
a subclass of DPV's <a href="https://w3id.org/dpv#Record" target="_blank">Record</a>,
can be used to associate a particular request, or even distinct requests from the same data subject,
with corresponding activities exercised by entities towards fulfilling such requests, modelled as
<a href="https://w3id.org/dpv#RightExerciseActivity" target="_blank">RightExerciseActivity</a>.
</p>
<h3>Rights exercise activities</h3>
<p>
A <a href="https://w3id.org/dpv#RightExerciseActivity" target="_blank">RightExerciseActivity</a>
represents an instantiation of an activity being performed towards the exercising of a right.
Such activity instances should include metadata, e.g., timestamps, duration, or involved
entities, to track the provenance of a particular right exercising process, from the request itself to
its acknowledgement by the data controller and to the fulfilment or non-fulfilment of the right.
For easy record-keeping, each activity should be modelled as a
<a href="https://w3id.org/dpv#RightExerciseActivity" target="_blank">RightExerciseActivity</a> instance,
which can be connected with other instances using DPV's
<a href="https://w3id.org/dpv#isBefore" target="_blank">isBefore</a> and
<a href="https://w3id.org/dpv#isAfter" target="_blank">isAfter</a> concepts.
</p>
<p>
In order to justify a certain right exercise activity, DPV contains a
<a href="https://w3id.org/dpv/justifications" target="_blank">Justification</a> extension to
<i>"enable representing specific justifications associated with non-fulfilment, non-requirement,
delays, and exercising reasons involved in processes"</i>, which can be used to justify the
non-fulfilment, non-requirement, delays, and exercising of rights.
</p>
<div class="issue" title="Associate justification with GDPR provision">
How to connect a justification associated with a right exercising activity with the the GDPR
provision that inspired its definition?
The <code>dcterms:source</code> property can be used:
<pre class="nohighlight">
ex:RightExerciseActivity a dpv:RightExerciseActivity ;
...
dpv:hasJustification ex:Justification .
ex:Justification a justifications:FreedomOfExpressionImpaired ;
dcterms:source "GDPR Article 17.3(a)"^^xsd:string .
</pre>
</div>
<p>
Additionally, to track the status of rights exercising activities, DPV's
<a href="https://w3id.org/dpv#RequestStatus" target="_blank">RequestStatus</a> concepts, including
<a href="https://w3id.org/dpv#RequestAccepted" target="_blank">RequestAccepted</a>
for a request being accepted towards fulfilment,
<a href="https://w3id.org/dpv#RequestRejected" target="_blank">RequestRejected</a>
for a request being rejected towards non-fulfilment or
<a href="https://w3id.org/dpv#RequestRequiresAction" target="_blank">RequestRequiresAction</a>
for a request requiring an action to be performed from another party.
<a href="#status">Figure 1</a> illustrates the sequence in which these concepts occur. Once the request
is initiated, it should be then acknowledged by the entity implementing it and either accepted towards fulfilment
or rejected towards non-fulfilment. Additionally, after being rejected, the entity fulfilling the
request can also require further action from the requester (e.g., request additional data to be able
to fulfil the request), which can delay the acceptance or rejection of the request, and after the
required action is performed, the request can either be accepted towards fulfilment or get rejected
again towards non-fulfilment or towards asking again for further action.
</p>
<figure>
<img id="status" src="./img/request-status.png" alt="Lifecycle of DPV's concepts to model the status of a request" width="80%">
<figcaption>Lifecycle of DPV's concepts to model the status of a request.</figcaption>
</figure>
<p>
DPV's concepts can be used in conjunction with the
<a href="https://www.w3.org/TR/prov-o/" target="_blank">W3C's PROV-O recommendation</a>
to track the provenance of a right exercising activity instance. Using this
standard, provenance information, regarding the entities whom the activity is associated with, i.e.,
<a href="http://www.w3.org/ns/prov#wasAssociatedWith" target="_blank">prov:wasAssociatedWith</a>,
or what data/notice was generated, i.e.,
<a href="http://www.w3.org/ns/prov#generated" target="_blank">prov:generated</a>,
by the right exercise activity, can be represented.
<a href="http://www.w3.org/ns/prov#actedOnBehalfOf" target="_blank">prov:actedOnBehalfOf</a> can also be
used to represent delegation or representation, for instance when a parent exercises a right on behalf of its child.
Similarly to notices, temporal information, descriptions and identifiers of the activities and their
creators/publishers can be recorded using <a href="http://purl.org/dc/terms/" target="_blank">DCMI Metadata Terms</a>.
</p>
<p>
In this section, we include examples of rights exercising activities covering the lifecycle of statuses of requests,
using an exercised GDPR right of access as an example.
</p>
<aside class="example" id="activity-Initiated" title="Data Subject makes a GDPR right of access request">
<p>
Example of a right exercising activity related to a GDPR right of access request. The activity
associated with the start of the request has the status <code>dpv:RequestInitiated</code>,
the data subject is identified using the <code>dpv:hasDataSubject</code> property and the recipient of the request,
a data controller, using <code>dpv:hasRecipientDataController</code>. Furthermore, a process instance
can be used to express what personal data needs to be processed for the fulfilment of the right -
in this case, an account identifier of the data subject will be collected and stored by the data controller
for identity verification purposes. DPV's <code>hasScope</code> can also be used to specify the scope of the
request, e.g., the data subject only wants to access data processed for service provision purposes during 2022.
</p>
<div>
<pre class="nohighlight">
ex:DataSubject a dpv:DataSubject .
ex:DataSubjectUsername a pd:AccountIdentifier ;
dpv:hasDataSubject ex:DataSubject .
ex:SARequest a dpv:RightExerciseActivity, prov:Activity ;
dcterms:description "Data Subject makes a GDPR right of access request"^^xsd:string ;
dpv:hasRight eu-gdpr:A15 ;
dpv:isExercisedAt ex:RightExercisePoint ;
prov:wasAssociatedWith ex:DataSubject ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasRecipientDataController ex:DataController ;
dcterms:created "2023-11-02T11:08:05"^^xsd:dateTime ;
dpv:hasStatus dpv:RequestInitiated ;
dpv:hasProcess [
dpv:hasPurpose dpv:IdentityVerification ;
dpv:hasPersonalData ex:DataSubjectUsername ;
dpv:hasProcessing dpv:Collect, dpv:Store
] ;
dpv:hasScope [
dpv:hasPurpose dpv:ServiceProvision ;
dpv:hasDuration [
time:hasBeginning "2022-01-01T00:00:00"^^xsd:dateTime ;
time:hasEnd "2022-12-31T23:59:59"^^xsd:dateTime
]
] .
</pre>
</div>
</aside>
<aside class="example" id="activity-Acknowledged" title="Data controller acknowledges the request">
<p>
Example of a right exercising activity related to the acknowledgement by the data controller
of a GDPR right of access request. Following the start of the request, the controller acknowledges said request - a
<code>RightExerciseActivity</code> can be modelled with <code>dpv:RequestAcknowledged</code> status, coming from the
the <code>ex:DataSubject</code> that initiated the request. Additionally, if required, the data subject
can receive a notice of said acknowledgement.
</p>
<div>
<pre class="nohighlight">
ex:SARAcknowledged a dpv:RightExerciseActivity, prov:Activity ;
dcterms:description "Data controller acknowledges the request"^^xsd:string ;
dcterms:created "2023-11-02T15:55:10"^^xsd:dateTime ;
prov:wasAssociatedWith ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasStatus dpv:RequestAcknowledged ;
dpv:isAfter ex:SARequest .
</pre>
</div>
</aside>
<aside class="example" id="activity-Rejected" title="Data controller rejects the request due to an identity verification failure">
<p>
Example of a right exercising activity related to the rejection by the data controller of the GDPR
right of access request - the request was rejected due to the data controller not being able to identify
the data subject.
</p>
<div>
<pre class="nohighlight">
ex:SARRejected a dpv:RightExerciseActivity, prov:Activity ;
dcterms:description "Data controller rejects the request due to an identity verification failure"^^xsd:string ;
dcterms:created "2023-11-02T15:57:31"^^xsd:dateTime ;
prov:wasAssociatedWith ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasStatus dpv:RequestRejected ;
dpv:hasJustification justifications:IdentityVerificationFailure ;
dpv:isAfter ex:SARAcknowledged .
</pre>
</div>
</aside>
<aside class="example" id="activity-RequiresAction" title="Data controller requires further action from data subject">
<p>
Example of a right exercising activity where the data controller requires further information from the
data subject to be able to proceed with the request. Such right exercise activity is specified with
the <code>dpv:RequestRequiresAction</code> status and contains a process instance expressing the action
that the data subject needs to fulfil for the right exercise to continue - in this case the data subject must
make available to the data controller an official ID for identity verification purposes.
</p>
<div>
<pre class="nohighlight">
ex:SARRequiresAction a dpv:RightExerciseActivity, prov:Activity ;
dcterms:description "Data controller requires further action from data subject"^^xsd:string ;
dcterms:created "2023-11-02T16:09:21"^^xsd:dateTime ;
prov:wasAssociatedWith ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasStatus dpv:RequestRequiresAction ;
dpv:hasJustification justifications:IdentityVerificationFailure ;
dpv:hasProcess [
dpv:hasPersonalData pd:OfficialID ;
dpv:hasProcessing dpv:MakeAvailable ;
dpv:hasPurpose dpv:IdentityVerification ;
dpv:hasRecipientDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataSubject
] ;
dpv:isAfter ex:SARRejected .
</pre>
</div>
</aside>
<aside class="example" id="activity-ActionDelayed" title="Request is delayed as the data controller requires further information to identify the data subject">
<p>
Example of a right exercising activity related to a delay in the exercising of the request as the data controller
requires further information to identify the data subject. Such right exercise activity has a status of
<code>dpv:RequestActionDelayed</code>, with the justification being that identity verification is still required
by the data controller to proceed with the request, giving the data subject a duration of 1 month to reply with
the required information.
</p>
<div>
<pre class="nohighlight">
ex:SARActionDelayed a dpv:RightExerciseActivity, prov:Activity ;
dcterms:description "Request is delayed as the data controller requires further information to identify the data subject"^^xsd:string ;
dcterms:created "2023-11-02T16:09:52"^^xsd:dateTime ;
prov:wasAssociatedWith ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasStatus dpv:RequestActionDelayed ;
dpv:hasJustification justifications:IdentityVerificationRequired ;
dpv:hasDuration "P1M"^^xsd:duration ;
dpv:isAfter ex:SARRequiresAction .
</pre>
</div>
</aside>
<aside class="example" id="activity-RequiredActionPerformed" title="Data Subject provides required information">
<p>
Example of a right exercise activity associated with the data subject and with a
<code>dpv:RequestRequiredActionPerformed</code> status, which includes the official ID that
the data subject made available to the data controller to effectively identify themself.
</p>
<div>
<pre class="nohighlight">
ex:DataSubjectOfficialID a pd:OfficialID ;
dpv:hasDataSubject ex:DataSubject .
ex:SARActionPerformed a dpv:RightExerciseActivity, prov:Activity ;
dcterms:description "Data Subject provides required information" ;
dcterms:created "2023-11-02T17:20:42"^^xsd:dateTime ;
prov:wasAssociatedWith ex:DataSubject ;
dpv:hasStatus dpv:RequestRequiredActionPerformed ;
dpv:hasProcess [
dpv:hasPersonalData ex:DataSubjectOfficialID ;
dpv:hasProcessing dpv:MakeAvailable ;
dpv:hasPurpose dpv:IdentityVerification ;
dpv:hasRecipientDataController ex:DataController ;
dpv:isImplementedByEntity ex:DataSubjectUsername ] ;
dpv:isAfter ex:SARActionDelayed .
</pre>
</div>
</aside>
<aside class="example" id="activity-Accepted" title="Request accepted by data controller towards fulfilment">
<p>
Example of a right exercise activity associated with the data controller related to the acceptance of
a request to fulfil. In this case, the data controller effectively already has the information that they need
to fulfil the data subject's request and can proceed with said fulfilment.
</p>
<div>
<pre class="nohighlight">
ex:SARAccepted a dpv:RightExerciseActivity, prov:Activity ;
dcterms:description "Request accepted by data controller towards fulfilment" ;
dcterms:created "2023-11-03T08:15:04"^^xsd:dateTime ;
prov:wasAssociatedWith ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasStatus dpv:RequestAccepted ;
dpv:isAfter ex:SARActionPerformed .
</pre>
</div>
</aside>
<aside class="example" id="activity-Fulfilled" title="Request fulfilled by data controller">
<p>
Example of a right exercise activity associated with the fulfilment of the request by the data controller.
As such, the data controller provides the data subject with a notice of the fulfilment of GDPR's Art.15,
<code>ex:SARNotice</code>, and a copy of the data whose access was requested, <code>ex:DataCopy</code>.
Said copy can be retrieved from <code>https://example.org/DataSubject/SAR_DataCopy</code> in CSV format, from
November 3rd, 2023, to December 3rd, 2023, according with the attached access policy, <code>ex:access_policy</code>.
</p>
<div>
<pre class="nohighlight">
ex:SARFulfilled a dpv:RightExerciseActivity, prov:Activity ;
dcterms:description "Request fulfilled by data controller" ;
dcterms:created "2023-11-03T08:37:25"^^xsd:dateTime ;
prov:wasAssociatedWith ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasStatus dpv:RequestFulfilled ;
prov:generated ex:DataCopy, ex:SARNotice ;
dpv:isAfter ex:SARAccepted .
ex:DataCopy a dcat:Dataset ;
dcterms:format <https://www.iana.org/assignments/media-types/text/csv> ;
odrl:hasPolicy ex:access_policy ;
dcterms:issued "2023-11-03T08:35:42"^^xsd:dateTime ;
dcterms:valid "2023-12-03T08:35:42"^^xsd:dateTime ;
dcat:landingPage <https://example.org/DataSubject/SAR_DataCopy> .
</pre>
</div>
</aside>
<p>
In this <a href="#activity-Fulfilled">latest example</a>, a SAR notice is not included as
<a href="#notices">Section 3</a> already includes a set of modelled notices, including an example of a modelled
<a href="#SAR-notice">SAR Notice</a>.
</p>
<p>
Moreover, <a href="https://www.w3.org/TR/vocab-dcat-3/" target="_blank">DCAT</a> can be used to model resources
beyond notices, for instance, a copy of the personal data, which is required in both GDPR's access and data
portability rights. DCAT promotes the usage of the properties such as <code>dcterms:format</code>,
<code>dcterms:valid</code>, and <code>dcat:landingPage</code> to include information regarding the format, validity
and dataset provision location, respectively, to characterize the dataset in question.
Additionally, DCAT promotes the usage of ODRL to express license and rights statements, by linking the dataset with
an ODRL policy using the <code>odrl:hasPolicy</code> property, or the usage of DCMI Metadata Terms' <code>license</code>,
<code>accessRights</code> or <code>rights</code> properties to link datasets with licenses, access rights statements
or other types of rights statements, e.g., copyrights, respectively. The latter can be used to express 'high-level'
access control statements, e.g., embargoed, restricted or open access, while the former has the advantage of also being
a W3C Recommendation, for policy expression, which provides a model to represent complex policies and an easy mechanism
to extend its model to cover other use cases.
</p>
<p>
In this Section, the GDPR's Right of Access is used as an example to showcase how to model right exercising activities
using DPV, DCMI Metadata Terms, PROV-O and DCAT. However, a similar pattern can be followed by data controllers to
fulfil the other rights as in most cases the only substantial change would be the notice concept that needs to be used
for a particular right instance, e.g., <code>eu-gdpr:DirectDataCollectionNotice</code> for the right fulfilment notice
related to GDPR's Article 13, <code>eu-gdpr:IndirectDataCollectionNotice</code> for the right
fulfilment notice related to GDPR's Article 14 or <code>eu-gdpr:RightsRecipientsNotice</code>
for the right fulfilment notice related to GDPR's Article 19.
Additionally, the proposed model for right exercising activities is generic enough to support the representation of rights
from other jurisdictions and can be easily extended if the need arises.
</p>
<h3>Rights exercise records</h3>
<p>
As previously mentioned,
<a href="https://w3id.org/dpv#RightExerciseRecord" target="_blank">RightExerciseRecord</a>s
can be used to associate a particular request, or even distinct requests from the same data subject,
with corresponding activities exercised by entities towards the fulfilment or non-fulfilment of such requests,
e.g., using the <a href="http://purl.org/dc/terms/hasPart" target="_blank">dcterms:hasPart</a> property.
</p>
<aside class="example" id="record" title="Record maintained by the data controller for a GDPR Right of Access request">
<p>
Example of a right exercise record related to a GDPR Right of Access request, which was already fulfilled,
as represented by the <code>dpv:RequestFulfilled</code> status. The activities performed for the fulfilment of
the right are all connected with the record using the <code>dcterms:hasPart</code> property.
</p>
<div>
<pre class="nohighlight">
ex:SAR-DS-record a dpv:RightExerciseRecord ;
dcterms:description "Record maintained by the data controller for a GDPR Right of Access request" ;
dcterms:created "2023-11-02T11:08:05"^^xsd:dateTime ;
dcterms:modified "2023-11-03T08:37:25"^^xsd:dateTime ;
dpv:hasDataController ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasRight eu-gdpr:A15 ;
dpv:hasStatus dpv:RequestFulfilled ;
dcterms:hasPart ex:SARequest, ex:SARAcknowledged, ex:SARRejected, ex:SARRequiresAction, ex:SARActionDelayed,
ex:SARActionPerformed, ex:SARAccepted, ex:SARFulfilled .
</pre>
</div>
</aside>
<aside class="example" id="record-multiple" title="Record maintained by the data controller for the data subject's rights-related requests">
<p>
Example of a right exercise record maintained by the data controller for all the data subject's rights-related
requests. Distinct recorded requests are connected by the <code>dcterms:hasPart</code> property to the main record
maintained by the data controller for that particular data subject. Each individual request is then modelled as a
separate record related to a particular right request, which uses DPV's <code>hasRight</code> and
<code>hasStatus</code> to establish the right being exercised and to maintain the status of the request - in this case
<code>ex:request-1</code> has already been fulfilled, while <code>ex:request-2</code> has as its latest status being
acknowledged by the data controller. The activities performed for the fulfilment of the right are all connected with
the record using the <code>dcterms:hasPart</code> property.
</p>
<div>
<pre class="nohighlight">
ex:DS-record a dpv:RightExerciseRecord ;
dcterms:description "Record maintained by the data controller for the data subject's rights-related requests" ;
dcterms:created "2023-10-23T08:37:25"^^xsd:dateTime ;
dcterms:modified "2023-11-03T08:37:25"^^xsd:dateTime ;
dpv:hasDataController ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dcterms:hasPart ex:request-1, ex-request-2 .
ex:request-1 a dpv:RightExerciseRecord ;
dcterms:description "Record maintained by the data controller for a GDPR Right of Access request" ;
dcterms:created "2023-10-23T08:37:25"^^xsd:dateTime ;
dcterms:modified "2023-10-25T08:37:25"^^xsd:dateTime ;
dpv:hasDataController ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasRight eu-gdpr:A15 ;
dpv:hasStatus dpv:RequestFulfilled ;
dcterms:hasPart ex:SARequest, ex:SARAcknowledged, ex:SARRejected, ex:SARRequiresAction, ex:SARActionDelayed,
ex:SARActionPerformed, ex:SARAccepted, ex:SARFulfilled .
ex:request-2 a dpv:RightExerciseRecord ;
dcterms:description "Record maintained by the data controller for a GDPR Right of data portability" ;
dcterms:created "2023-11-02T18:36:14"^^xsd:dateTime ;
dcterms:modified "2023-11-03T08:37:25"^^xsd:dateTime ;
dpv:hasDataController ex:DataController ;
dpv:hasDataSubject ex:DataSubject ;
dpv:hasRight eu-gdpr:A20 ;
dpv:hasStatus dpv:RequestAcknowledged ;
dcterms:hasPart ex:portabilityRequest, ex:portabilityAcknowledged .
</pre>
</div>
</aside>
<p>
For integration with <a href="https://www.w3.org/TR/vocab-dcat-3/" target="_blank">DCAT</a>-based systems, right
exercise records can also adapt DCAT's standard to represent data catalogs - a right exercise record can also be
modelled as a <a href="http://www.w3.org/ns/dcat#Catalog" target="_blank">dcat:Catalog</a> and right exercise activities
as <a href="http://www.w3.org/ns/dcat#Resource" target="_blank">dcat:Resource</a>s, which can be bundled and ordered
using <a href="http://www.w3.org/ns/dcat#DatasetSeries" target="_blank">dcat:DatasetSeries</a>.
This also brings the advantage of using DCAT's ordering properties, i.e.,
<a href="http://www.w3.org/ns/dcat#first" target="_blank">dcat:first</a>,
<a href="http://www.w3.org/ns/dcat#last" target="_blank">dcat:last</a>, and
<a href="http://www.w3.org/ns/dcat#prev" target="_blank">dcat:prev</a>,
to retrieve the latest activity related to a particular rights-related request.
</p>
<aside class="example" id="record-dcat" title="Record maintained by the data controller for the data subject's rights-related requests using DCAT">
<p>
Example of a right exercise record maintained by the data controller for all the data subject's rights-related
requests. A catalog record is maintained to describe metadata about the right exercise record, including
the involved data controller and data subject. As it stands, the data subject has opened two requests,
<code>ex:request-001</code> and <code>ex-request-002</code>. The right exercising activities pertaining to these
requests are collected and ordered in <code>ex:request-001-series</code> and <code>ex:request-002-series</code>,