http://purl.org/adaptcentre/people/harshvardhan_pandit gdprov GDPRtEXT http://purl.org/adaptcentre/openscience/ontologies/GDPRtEXT http://purl.org/adaptcentre/people/dave_lewis PROV extension for linking Plans and parts of plans to their respective executions. Created by Daniel Garijo and Yolanda Gil Recommendation version 2013-04-30 The General Data Protection Regulation (GDPR) is comprised of several articles, each with points that refer to specific concepts. The general convention of referring to these points and concepts is to quote the specific article or point using a human-readable reference. This ontology provides a way to refer to the points within the GDPR using the EurLex ontology published by the European Publication Office. It also defines the concepts defined, mentioned, and requried by the GDPR using the Simple Knowledge Organization System (SKOS) ontology. https://openscience.adaptcentre.ie/projects/GDPRtEXT/ GDPRov is an OWL2 ontology to express provenance metadata of consent and data lifecycles towards documenting compliance for GDPR. W3C PROVenance Interchange Ontology (PROV-O) 2017-08-15 https://creativecommons.org/licenses/by/4.0/ https://openscience.adaptcentre.ie/ontologies/gdprov/v/gdprov.0.6.owl 2018-04-06 2017-10-01 GDPRov is an ontology for expressing provenance metadata in the context of the General Data Protection Regulation (GDPR) and its compliance. It extends PROV-O and P-Plan. PROV-O is the ontology based on the PROV model, a W3C recommendation, while P-Plan is an extension of PROV-O. PROV is used to define terms or 'instances' of what has happened in the past, while P-Plan is used to define the abstract model or 'Plan' of things to happen. GDPRov uses P-Plan to create a template/model/plan as an abstract or model representation of a system which is then recorded using PROV-O instances to show something has happened. The aim of the ontology is to enable representation of consent and personal data lifecycles using terms relevant to GDPR and to facilitate expression of this information towards documentation related to compliance. The General Data Protection Regulation (GDPR) defines legal obligations over the use of personal data by organisations. This ontology aims to identify and model such terms and obligations as an OWL vocabulary and to directly link the terms to their occurence, usage, and influence in the GDPR text. 2014-03-12 http://purl.org/adaptcentre/people/HJP The GDPR Provenance ontology This is an ontology to represent GDPR text as a set of RDF resources 2017-08-01 http://purl.org/net/p-plan# http://www.isi.edu/~gil/ GDPR text EXTensions http://purl.org/adaptcentre/openscience/ontologies/gdprov# This document is published by the Provenance Working Group (http://www.w3.org/2011/prov/wiki/Main_Page). If you wish to make comments regarding this document, please send them to public-prov-comments@w3.org (subscribe public-prov-comments-request@w3.org, archives http://lists.w3.org/Archives/Public/public-prov-comments/). All feedback is welcome. gdprtext Bartolini, C., Muthuri, R., & Santos, C. (2015, November). Using ontologies to model data protection requirements in workflows. In JSAI International Symposium on Artificial Intelligence (pp. 233-248). Springer, Cham. 0.6 p-plan 0.5 1.3 http://creativecommons.org/licenses/by-nc-sa/2.0/ Harshvardhan J. Pandit 2012-11-10 The P-Plan ontology The General Data Protection Regulation (GDPR) is an European law governing the use of consent and personal data. Some of its obligations involve concepts related to the lifecycles of consent and personal data. Such obligations are concerned with how the collection, use, processing, sharing, and storing of consent and personal data takes place and provides the motivation for a form of documentation that can demonstrate the required information towards compliance. GDPRov is an OWL2 ontology for representing this information as provenance metadata using terms relevant to the GDPR. It extends PROV-O and P-Plan to represent the lifecyles as an abstract model of how things should happen or will happen (future) as well as instance of what has happened (past). The ontology is being developed as part of contributions towards PhD research by its primary author. http://delicias.dia.fi.upm.es/members/DGarijo#me http://creativecommons.org/licenses/by/4.0/ PROV extension for linking Plans and parts of plans to their respective executions. This ontology extends the canonical (official) GDPR text with additional annotations Specifies the location of something referenced by it location It signifies that two concepts are related within the context of the GDPR. involves Classify prov-o terms into three categories, including 'starting-point', 'qualifed', and 'extended'. This classification is used by the prov-o html document to gently introduce prov-o terms to its users. Classify prov-o terms into six components according to prov-dm, including 'agents-responsibility', 'alternate', 'annotations', 'collections', 'derivations', and 'entities-activities'. This classification is used so that readers of prov-o specification can find its correspondence with the prov-dm specification. A reference to the principal section of the PROV-CONSTRAINTS document that describes this concept. A definition quoted from PROV-DM or PROV-CONSTRAINTS that describes the concept expressed with this OWL term. A reference to the principal section of the PROV-DM document that describes this concept. A note by the OWL development team about how this term expresses the PROV-DM concept, or how it should be used in context of semantic web or linked data. When the prov-o term does not have a definition drawn from prov-dm, and the prov-o editor provides one. PROV-O does not define all property inverses. The directionalities defined in PROV-O should be given preference over those not defined. However, if users wish to name the inverse of a PROV-O property, the local name given by prov:inverse should be used. A reference to the principal section of the PROV-DM document that describes this concept. This annotation property links a subproperty of prov:wasInfluencedBy with the subclass of prov:Influence and the qualifying property that are used to qualify it. Example annotation: prov:wasGeneratedBy prov:qualifiedForm prov:qualifiedGeneration, prov:Generation . Then this unqualified assertion: :entity1 prov:wasGeneratedBy :activity1 . can be qualified by adding: :entity1 prov:qualifiedGeneration :entity1Gen . :entity1Gen a prov:Generation, prov:Influence; prov:activity :activity1; :customValue 1337 . Note how the value of the unqualified influence (prov:wasGeneratedBy :activity1) is mirrored as the value of the prov:activity (or prov:entity, or prov:agent) property on the influence class. Classes and properties used to qualify relationships are annotated with prov:unqualifiedForm to indicate the property used to assert an unqualified provenance relation. indicates the legal resource has the Article has Article indicates the legal resource has the Chapter has Chapter indicates that the legal resource has the referenced citation has Citation indicates the legal resource has the Point has Point indicates the legal resource has the Recital has Recital indicates the legal resource has the Section has Section indicates the legal resource has the SubPoint has SubPoint represents a legal resource subdivision to be part of a article is part of Article represents a legal resource subdivision to be part of a chapter is part of Chapter represents a legal resource subdivision to be part of a point is part of Point represents a legal resource subdivision to be part of a section is part of Section anonymity level true Archives the consent into some entity archives consent as Links data obtained (collected) by the step/activity that acquired it collectsData Indicates that an DataAnonymisationStep transforms a Data object into AnonymisedData generatesAnonymisedData Generates ConsentAgreement which is a the consent granted by the user based on the ConsentAgreementTemplate through a ConsentAcquisitionStep generatesConsentAgreement produces data generatesData Indicates the anonymity level of an AnonymisedData object using instances of the AnonymityLevel class hasAnonymityLevel has legal justification true hasSharedDataWith isAnonymisedByStep isConsentAgreementTemplateForStep isDataCollectedByStep isDataGeneratedByStep isGeneratedByStep isJustificationForDataStep justifies use of data by step through specified consent agreement isJustifiedUsingConsentAgreement isPartOfProcess isTermsAndConditionsForStep isUsedByStep Shares data with a third party sharesDataWithThirdParty true transferredDataToRegion uses Consent Agreement entity uses Consent Agreement links a Consent Acquisition Step with the Consent Agreement Template used to acquire consent usesConsentAgreementTemplate links step with data used usesData Links a Consent Acquisition Step with the Terms and Conditions presented to the user when acquiring Consent usesTermsAndConditions correspondsToStep p-plan:correspondsToStep links a p-plan:Activity to its planned p-plan:Step correspondsToVariable p-plan:correspondsToVariable binds a p-plan:Entity (used by a p-plan:Activity in the execution of a plan) to the p-plan:Variable it represented it in the p-plan:Plan. hasInputVar p-plan:hasInputVar binds a p-plan:Step to the p-plan:Variable that takes as input for the planned execution hasOutputVar p-plan:hasOutputVar binds a p-plan:Step to the p-plan:Variable that will be produced as output in the planned execution isDecomposedAsPlan The p-plan:isDecomposedAsPlan relationship binds a p-plan:MultiStep to the p-plan:Plan holding the definition of that step. That is, p-plan:isDecomposedAsPlan links the MultiStep to the Plan sptecification where it is decomposed. isInputVarOf p-plan:isInputVarOf links an input variable of a step to the step. isOutputVarOf p-plan:isOutputVarOf is intended to link an output variable of a step to the step. Property that asserts which Step preceeds the current one. isPrecededBy isStepOfPlan p-plan:isStepOfPlan links a p-plan:Step to the p-plan:Plan which it corresponds to. isSubPlanOfPlan A p-plan:Plan may be a subplan of another bigger p-plan:Plan. p-plan:isSubPlanOfPlan is used to state the link among the two different plans. Note that if p1 is a p-plan:subPlan of p2, p1will not necessarily be a step of p2. A multistep will represent p1 in p2, and link to p1 with the p-plan.hasStepDecomposition relationship. isVariableofPlan p-plan:IsVariableOfPlan binds a p-plan:Variable to the p-plan:Plan it corresponds to. An object property to express the accountability of an agent towards another agent. The subordinate agent acted on behalf of the responsible agent in an actual activity. actedOnBehalfOf starting-point agents-responsibility hadDelegate activity qualified This property behaves in spirit like rdf:object; it references the object of a prov:wasInfluencedBy triple. The prov:activity property references an prov:Activity which influenced a resource. This property applies to an prov:ActivityInfluence, which is given by a subproperty of prov:qualifiedInfluence from the influenced prov:Entity, prov:Activity or prov:Agent. activityOfInfluence agent qualified This property behaves in spirit like rdf:object; it references the object of a prov:wasInfluencedBy triple. The prov:agent property references an prov:Agent which influenced a resource. This property applies to an prov:AgentInfluence, which is given by a subproperty of prov:qualifiedInfluence from the influenced prov:Entity, prov:Activity or prov:Agent. agentOfInfluence alternateOf expanded alternate http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig Two alternate entities present aspects of the same thing. These aspects may be the same or different, and the alternate entities may or may not overlap in time. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-alternate alternateOf http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-alternate The Location of any resource. This property has multiple RDFS domains to suit multiple OWL Profiles. See <a href="#owl-profile">PROV-O OWL Profile</a>. atLocation expanded The naming of prov:atLocation parallels prov:atTime, and is not named prov:hadLocation to avoid conflicting with the convention that prov:had* properties are used on prov:Influence classes. This property is not functional because the many values could be at a variety of granularies (In this building, in this room, in that chair). locationOf entity qualified This property behaves in spirit like rdf:object; it references the object of a prov:wasInfluencedBy triple. The prov:entity property references an prov:Entity which influenced a resource. This property applies to an prov:EntityInfluence, which is given by a subproperty of prov:qualifiedInfluence from the influenced prov:Entity, prov:Activity or prov:Agent. entityOfInfluence generated expanded entities-activities prov:generated is one of few inverse property defined, to allow Activity-oriented assertions in addition to Entity-oriented assertions. wasGeneratedBy The _optional_ Activity of an Influence, which used, generated, invalidated, or was the responsibility of some Entity. This property is _not_ used by ActivityInfluence (use prov:activity instead). This property has multiple RDFS domains to suit multiple OWL Profiles. See <a href="#owl-profile">PROV-O OWL Profile</a>. hadActivity qualified derivations The multiple rdfs:domain assertions are intended. One is simpler and works for OWL-RL, the union is more specific but is not recognized by OWL-RL. wasActivityOfInfluence The _optional_ Generation involved in an Entity's Derivation. hadGeneration qualified derivations generatedAsDerivation hadMember expanded expanded wasMemberOf A collection is an entity that provides a structure to some constituents, which are themselves entities. These constituents are said to be member of the collections. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-collection The _optional_ Plan adopted by an Agent in Association with some Activity. Plan specifications are out of the scope of this specification. hadPlan qualified agents-responsibility wasPlanOf hadPrimarySource expanded derivations wasPrimarySourceOf hadPrimarySource property is a particular case of wasDerivedFrom (see http://www.w3.org/TR/prov-dm/#term-original-source) that aims to give credit to the source that originated some information. The _optional_ Role that an Entity assumed in the context of an Activity. For example, :baking prov:used :spoon; prov:qualified [ a prov:Usage; prov:entity :spoon; prov:hadRole roles:mixing_implement ]. This property has multiple RDFS domains to suit multiple OWL Profiles. See <a href="#owl-profile">PROV-O OWL Profile</a>. hadRole qualified agents-responsibility prov:hadRole references the Role (i.e. the function of an entity with respect to an activity), in the context of an instantaneous usage, generation, association, start, and end. wasRoleIn The _optional_ Usage involved in an Entity's Derivation. hadUsage qualified derivations wasUsedInDerivation influenced expanded agents-responsibility wasInfluencedBy Subproperties of prov:influencer are used to cite the object of an unqualified PROV-O triple whose predicate is a subproperty of prov:wasInfluencedBy (e.g. prov:used, prov:wasGeneratedBy). prov:influencer is used much like rdf:object is used. influencer qualified http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-influence This property and its subproperties are used in the same way as the rdf:object property, i.e. to reference the object of an unqualified prov:wasInfluencedBy or prov:influenced triple. This property is used as part of the qualified influence pattern. Subclasses of prov:Influence use these subproperties to reference the resource (Entity, Agent, or Activity) whose influence is being qualified. hadInfluence invalidated expanded entities-activities prov:invalidated is one of few inverse property defined, to allow Activity-oriented assertions in addition to Entity-oriented assertions. wasInvalidatedBy If this Activity prov:wasAssociatedWith Agent :ag, then it can qualify the Association using prov:qualifiedAssociation [ a prov:Association; prov:agent :ag; :foo :bar ]. qualifiedAssociation qualified agents-responsibility qualifiedAssociationOf If this Entity prov:wasAttributedTo Agent :ag, then it can qualify how it was influenced using prov:qualifiedAttribution [ a prov:Attribution; prov:agent :ag; :foo :bar ]. qualifiedAttribution qualified agents-responsibility qualifiedAttributionOf If this Activity prov:wasInformedBy Activity :a, then it can qualify how it was influenced using prov:qualifiedCommunication [ a prov:Communication; prov:activity :a; :foo :bar ]. qualifiedCommunication qualified entities-activities qualifiedCommunicationOf If this Agent prov:actedOnBehalfOf Agent :ag, then it can qualify how with prov:qualifiedResponsibility [ a prov:Responsibility; prov:agent :ag; :foo :bar ]. qualifiedDelegation qualified agents-responsibility qualifiedDelegationOf If this Entity prov:wasDerivedFrom Entity :e, then it can qualify how it was derived using prov:qualifiedDerivation [ a prov:Derivation; prov:entity :e; :foo :bar ]. qualifiedDerivation qualified derivations qualifiedDerivationOf If this Activity prov:wasEndedBy Entity :e1, then it can qualify how it was ended using prov:qualifiedEnd [ a prov:End; prov:entity :e1; :foo :bar ]. qualifiedEnd qualified entities-activities qualifiedEndOf If this Activity prov:generated Entity :e, then it can qualify how it performed the Generation using prov:qualifiedGeneration [ a prov:Generation; prov:entity :e; :foo :bar ]. qualifiedGeneration qualified entities-activities qualifiedGenerationOf Because prov:qualifiedInfluence is a broad relation, the more specific relations (qualifiedCommunication, qualifiedDelegation, qualifiedEnd, etc.) should be used when applicable. qualifiedInfluence qualified derivations qualifiedInfluenceOf If this Entity prov:wasInvalidatedBy Activity :a, then it can qualify how it was invalidated using prov:qualifiedInvalidation [ a prov:Invalidation; prov:activity :a; :foo :bar ]. qualifiedInvalidation qualified entities-activities qualifiedInvalidationOf If this Entity prov:hadPrimarySource Entity :e, then it can qualify how using prov:qualifiedPrimarySource [ a prov:PrimarySource; prov:entity :e; :foo :bar ]. qualifiedPrimarySource qualified derivations qualifiedSourceOf If this Entity prov:wasQuotedFrom Entity :e, then it can qualify how using prov:qualifiedQuotation [ a prov:Quotation; prov:entity :e; :foo :bar ]. qualifiedQuotation qualified derivations qualifiedQuotationOf If this Entity prov:wasRevisionOf Entity :e, then it can qualify how it was revised using prov:qualifiedRevision [ a prov:Revision; prov:entity :e; :foo :bar ]. qualifiedRevision qualified derivations revisedEntity If this Activity prov:wasStartedBy Entity :e1, then it can qualify how it was started using prov:qualifiedStart [ a prov:Start; prov:entity :e1; :foo :bar ]. qualifiedStart qualified entities-activities qualifiedStartOf If this Activity prov:used Entity :e, then it can qualify how it used it using prov:qualifiedUsage [ a prov:Usage; prov:entity :e; :foo :bar ]. qualifiedUsage qualified entities-activities qualifiedUsingActivity specializationOf expanded alternate http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig An entity that is a specialization of another shares all aspects of the latter, and additionally presents more specific aspects of the same thing as the latter. In particular, the lifetime of the entity being specialized contains that of any specialization. Examples of aspects include a time period, an abstraction, and a context associated with the entity. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-specialization generalizationOf http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-specialization A prov:Entity that was used by this prov:Activity. For example, :baking prov:used :spoon, :egg, :oven . used starting-point entities-activities wasUsedBy An prov:Agent that had some (unspecified) responsibility for the occurrence of this prov:Activity. wasAssociatedWith starting-point agents-responsibility wasAssociateFor Attribution is the ascribing of an entity to an agent. wasAttributedTo starting-point agents-responsibility Attribution is the ascribing of an entity to an agent. contributed Attribution is a particular case of trace (see http://www.w3.org/TR/prov-dm/#concept-trace), in the sense that it links an entity to the agent that ascribed it. IF wasAttributedTo(e2,ag1,aAttr) holds, THEN wasInfluencedBy(e2,ag1) also holds. The more specific subproperties of prov:wasDerivedFrom (i.e., prov:wasQuotedFrom, prov:wasRevisionOf, prov:hadPrimarySource) should be used when applicable. wasDerivedFrom starting-point derivations A derivation is a transformation of an entity into another, an update of an entity resulting in a new one, or the construction of a new entity based on a pre-existing entity. hadDerivation Derivation is a particular case of trace (see http://www.w3.org/TR/prov-dm/#term-trace), since it links an entity to another entity that contributed to its existence. End is when an activity is deemed to have ended. An end may refer to an entity, known as trigger, that terminated the activity. wasEndedBy expanded entities-activities ended wasGeneratedBy starting-point entities-activities generated Because prov:wasInfluencedBy is a broad relation, its more specific subproperties (e.g. prov:wasInformedBy, prov:actedOnBehalfOf, prov:wasEndedBy, etc.) should be used when applicable. This property has multiple RDFS domains to suit multiple OWL Profiles. See <a href="#owl-profile">PROV-O OWL Profile</a>. wasInfluencedBy qualified agents-responsibility The sub-properties of prov:wasInfluencedBy can be elaborated in more detail using the Qualification Pattern. For example, the binary relation :baking prov:used :spoon can be qualified by asserting :baking prov:qualifiedUsage [ a prov:Usage; prov:entity :spoon; prov:atLocation :kitchen ] . Subproperties of prov:wasInfluencedBy may also be asserted directly without being qualified. prov:wasInfluencedBy should not be used without also using one of its subproperties. influenced influencee: an identifier (o2) for an entity, activity, or agent; http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-influence influencer: an identifier (o1) for an ancestor entity, activity, or agent that the former depends on; http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-influence An activity a2 is dependent on or informed by another activity a1, by way of some unspecified entity that is generated by a1 and used by a2. wasInformedBy starting-point entities-activities informed wasInvalidatedBy expanded entities-activities invalidated An entity is derived from an original entity by copying, or 'quoting', some or all of it. wasQuotedFrom expanded derivations quotedAs Quotation is a particular case of derivation (see http://www.w3.org/TR/prov-dm/#term-quotation) in which an entity is derived from an original entity by copying, or "quoting", some or all of it. A revision is a derivation that revises an entity into a revised version. wasRevisionOf expanded derivations hadRevision Revision is a derivation (see http://www.w3.org/TR/prov-dm/#term-Revision). Moreover, according to http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#term-Revision 23 April 2012 'wasRevisionOf is a strict sub-relation of wasDerivedFrom since two entities e2 and e1 may satisfy wasDerivedFrom(e2,e1) without being a variant of each other.' Start is when an activity is deemed to have started. A start may refer to an entity, known as trigger, that initiated the activity. wasStartedBy expanded entities-activities started The time at which an InstantaneousEvent occurred, in the form of xsd:dateTime. atTime qualified entities-activities The time at which an activity ended. See also prov:startedAtTime. endedAtTime starting-point entities-activities It is the intent that the property chain holds: (prov:qualifiedEnd o prov:atTime) rdfs:subPropertyOf prov:endedAtTime. The time at which an entity was completely created and is available for use. generatedAtTime expanded entities-activities It is the intent that the property chain holds: (prov:qualifiedGeneration o prov:atTime) rdfs:subPropertyOf prov:generatedAtTime. The time at which an entity was invalidated (i.e., no longer usable). invalidatedAtTime expanded entities-activities It is the intent that the property chain holds: (prov:qualifiedInvalidation o prov:atTime) rdfs:subPropertyOf prov:invalidatedAtTime. The time at which an activity started. See also prov:endedAtTime. startedAtTime starting-point entities-activities It is the intent that the property chain holds: (prov:qualifiedStart o prov:atTime) rdfs:subPropertyOf prov:startedAtTime. value expanded entities-activities Provides a value that is a direct representation of an entity. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-attribute-value The editor's definition comes from http://www.w3.org/TR/rdf-primer/#rdfvalue This property serves the same purpose as rdf:value, but has been reintroduced to avoid some of the definitional ambiguity in the RDF specification (specifically, 'may be used in describing structured values'). Information about a Customer's Bank/Payment/Account/Transaction Banking Info Information about the Customer (A User who has ordered products) Customer Info A User of the Services provided Service User The principle of accountability states that the controller shall be responsible for, and be able to demonstrate compliance with the processing of personal data as defined by the justifications permissible under the GDPR Principle of Accountability The principle of accuracy states that personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. Principle of Accuracy The data subject can exercise the right to restrict processing of their personal data when the accuracy of personal data is contested Accuracy is contested This obligation specifies that the collection of (or collected) personal data should in an accurate form - i.e. the personal data should be accurate. Accurate Collection An Activity signifies some process(es) or step(s) towards specific deed(s), action(s), function(s), or sphere(s) of action. Activity Only the personal data adequat for required processing should be maintained Adequate for processing The seal or certification does not reduce or impact the responsiblity of the controller or processor for compliance with the GDPR Adherence Data is termed to be anonymous if it cannot be connected or associated with individual person or persons that have provided or are associated with it. Anonymous Data These are the obligations for Processors over appointing sub-processors Appointing Sub-Processors These are the obligations specified by the GDPR for the appointment of Processors by Controllers. Appointment of Processors An activity where personal data is archived Archive Data Article in GDPR text Article gdpr:article10 a eli:LegalResourceSubdivision, GDPRtext:Article ; eli:is_part_of gdpr:GDPR, gdpr:chapterII ; eli:number "10"^^xsd:string ; eli:title_alternative "Article 10"^^xsd:string ; GDPRtext:hasPoint gdpr:article10-1 ; GDPRtext:isPartOfChapter gdpr:chapterII . Processors must assist Controllers in complying with the various rights provided by the GDPR to data subjects which can be exercised at any time. Assist in complying with rights Automated decision making with significant effect This type of processing involves automated processing that does decision making having significant effects on the data subject. Automatic decision making with significant effect This is automated processing of data subject's personal data. Automated Processing This obligation states that the data subject should be able to withdraw the consent as easily as it was to give it. Can be withdrawn easily A certification pertaining to GDPR compliance Certification A Certification Body is an entity that can award/issue/renew a certification pertaining to compliance towards the GDPR. Certification Body Chapter in GDPR text Chapter gdpr:chapterI a eli:LegalResourceSubdivision, GDPRtext:Chapter ; eli:is_part_of gdpr:GDPR ; eli:number "I"^^xsd:string ; eli:title "General provisions"^^xsd:string ; eli:title_alternative "Chapter I"^^xsd:string ; GDPRtext:hasArticle gdpr:article1, gdpr:article2, gdpr:article3, gdpr:article4 . Citation in GDPR text Citation gdpr:citation1 a eli:LegalResourceSubdivision, GDPRtext:Citation ; eli:description "OJ C 229, 31.7.2012, p. 90."^^xsd:string ; eli:is_part_of gdpr:GDPR ; eli:number "1"^^xsd:string . Obtaining consent must provide clear explanations of the processing involved over the personal data Clear explanation A Code of Conduct for the purpose of specifying the application of GDPR which may be monitored, evaluated, or processed by a third party appointed by the organisation. Code of Conduct Collection of Personal Data is an Activity that deals with acquiring data subject's personal data through some model of interaction. Collection of Personal Data Represents the act of complying with the obligations and actions specified by the GDPR. Compliance The processor has an obligation to comply with the controller's instructions Compliance with Controller's instructions GDPR mentions some conditions or criterion for the creation and issuing of seals and certifications pertaining to GDPR compliance Awarding Seals and Certifications This type of processing involves matching data subject's identity or personal data in different datasets. Confirming or matching datasets Consent in the context of the GDPR refers to the assent or agreement by the data subject in relation to their personal data for the proposed processing activities associated with one or more organisations. Consent An activity involving data subject's consent. Consent Activity The purpose of new processing should take the context of how the original data was collected into consideration Context of data collection The lawful basis for processing personal data is provided through a contract with the data subject. Contract with Data Subject The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controller These obligations specify the accountability of the Controller. Controller Accountability The data subjects were not notified about the data breach because the controller had already taken action regarding the data breach. Controller has taken action These are the obligations specified by the GDPR as being specifically the responsbility of the Controller. Controller Obligation A natural or legal person established in the Union who, designated by the controllerin writing, represents the controller with regard to their respective obligations under the GDPR. Controller Representative These obligations specify the responsiblity of the Controller Controller Responsibility This obligation specifies the Controller/Processor must co-operate with the Data Protection Authority (DPA). Co-operate with DPA Personal data related to criminal convictions and offences. Crime data Cross-border data transfer refers to data transfer crossing the boundaries of EU (legislative) region. Cross-border Transfer The Data Protection Authority (DPA) is a public institution responsible for monitoring the application of data protection laws. DPA The Data Protection Officer (DPO) is an individual(s) appointed by the organisation to monitor compliance and assist in complying with the GDPR. DPO These are the obligations specified for the Data Protection Office (DPO) within the GDPR DPO Obligation A generic term to refer to Data. Data An activity involving personal data of data subject(s). Data Activity A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Data Breach The principle of data minimisation states that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Principle of Data Minimisation The data subject can exercise the right to restrict processing of their personal data when the personal data is no longer required for the original purpose it was collected under Data no longer needed for original purpose This obligation requires Controllers to follow data protection by design and by default. Data protection by design and default These are obligations regarding security of data managed by the Controllers. Data Security An individual or entity to whom their personal data relates. Data Subject The obligation or activity coult not be completed because the data was inferred or derived, and therefore did not come from the data subject or other sources. Data inferred or derived The act of demonstrating consent is an activity whereby previously acquired consent is provided as sufficient justification for processing activities involving data subject's personal information. Demonstrating Consent Type of Marketing that reaches data subjects directly by communications directly addressed to the data subject. Direct Marketing Lawful basis for processing is provided by Employment Law Employment Law A general term for any institution, company, corporation, partnership, government agency, university, or any other organization including individuals. Entity An activity that erases data Erase Data The right of erasure applies when the data subject withdraws given consent Erase if conesnt was withdrawn The right to erasure applies where data is no longer needed for original purposes for which it was collected Erase if no longer needed for original purpose Whether the proposed activity involves the evaluation of the data subject. Evaluation of data subjects Exceptions associated with compliance for reporting data breach to the affected data subjects. Exceptions on reporting data breach Exclusions and Exemptions provided by the GDPR for not complying with the specified obligations. Exlcusions and Exceptions Lawful basis for processing is provided by National Law Exempted by National Law The request or activity could not or was not completed because there was no sufficient proof of the data subject's identity. Exempted without identity The activity represents exercising of rights provided by GDPR by the data subject. Exercise Rights The purpose of new processing should take into context the existence of appropriate safeguards Existence of safeguards This obligation specifies that the collected (or collection) of personal data should be for/with explicit purposes. Explicit Purpose These are the factors stated by the GDPR for Impact Assessment. Factors for Impact Assessment The stated obligation could not be completed as it concerns rights protection. Rights protection GDPR obligation that specifies consent must be freely given by the data subject for it to be valid. Freely given Personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained. Genetic Data Given Consent refers specifically to the form of consent given by the data subject in relation to their personal data and the proposed usage by activities. Given Consent The data subjects were not notified about the data breach because the harm was deemed to be remote. Harm was remote Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Health data Lawful basis if provided by the GDPR for processing related to historic, statistical, or scientific purposes. Historic, Statistical, or Scientific purposes Retention of personal data should be identifiable for the requried processing Identifiable for required processing Activity where the data subject is explicitly identified through direct or indirect means. Identification of Data Subject The right to access personal data also includes information about whether and where the controller is processing the data subject's personal data If and where Controller is processing The activity wherein the controller carries out an assessment of the impact of the envisaged processing operations on the protection of personal data. Impact Assessment This obligation requires Controllers to implement the required technical measures necessary for compliance of the GDPR Implement technical measures The processor must impose confidentiality agreements on its personnel in relation to handling of personal data Impose confidentiality obligations on personnel The right to access personal data also includes information about automated processing that has significant effects on the data subject. Information about automated processing with significant effects The right to access personal data also includes information about the categories of recipients the data is shared with. Information about categories of recipients The right to access personal data also includes information about categories of data being processed Information about categories of data being processed The right to access personal data also includes information about the existence of rights provided by the GDPR to the data subject Information about rights The right to access personal data also includes information about the processing of personal data of the data subject Information about processing The right to access personal data also includes information about the source of the personal data Information about data source The right to access personal data also includes information about the storage period of the data subject's personal data Information about storage period In case of conflict with the controller's intructions and the law, the processor must immediately inform the controller of this conflict Inform Controller of conflict with law The right to basic information also provides data subject's with information about third parties involved in the processing. Information about third parties The information provided under the right to transparency should be concise Concise The information provided under the right to transparency should be easily accessible Easily Accessible The information provided under the right to transparency should be intelligible Intelligible The information provided under the right to transparency should be transparent and clear (i.e. not umambigious or vague) Transparent GDPR obligation that specifies consent must be informed for it be valid. Informed The principle of integrity and confidentiality states that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Principle of Integrity and Confidentiality The obligation or activity could not be completed as it was deemed to be impossible. Is impossible A joint controller is two or more controllers jointly determine the purposes and means of processing. Joint Controller Retained personal data must be kept up-to-date Kept up to date The processing of personal data at a large scale of quantity or significant proportions. Large scale processing This provides the basis for lawful processing of personal data. Lawful Basis The principle of lawfulness, fairness, and transparency states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Principle of Lawfulness, Fairness, and Transparency Lawful basis for processing is provided by legal claims. Legal Claims Lawful basis for processing is covered by legal obligation(s). Legal Obligations Lawful basis for processing is provided through the legitimate interests pursued by the Controller or by a third party Legitimate Interests This specifies that the collection (or collected) personal data should be used/specified to be used for legitimate purposes. Legitimate purpose These specify the liability of Joint Controllers, i.e. cases where more than one Controller share the responsiblity. Liability of Joint-Controllers Personal data retained should be limited in its use only for the requried processing Limited for processing Whether there is a link between the new and old purposes of processing Lnk between new and old processing Lawful basis is provided through the data being publicly made available by the data subject Made Public GDPR mandates the recording of data breaches and its effects. Maintain Record of Breach This obligation requires the Controller/Processor to maintain adequate records about their processing activities. Maintain records for processing The process or technique of promoting, selling, and distributing a product or service. Marketing The maximum validity for all seals and certifications should be 3 years from the date of issue. Maximum validty 3 years Lawful basis for processing is provided by the GDPR for medical or diagnostics purposes pertaining to the data subject Medical or Diagnostics The activity or process of overseeing an organisation's compliance. Monitor Compliance The stated obligation could not be completed as it concerns national security. National Security The nature of the personal data involved, whether it is sensitive or confidential. Nature of data involved The right to access personal data should not incur any undue charge levied on the data subject for exercising their right No charges levied Lawful basis is provided by the GDPR for activities of/for not-for-profit organisations Not-for-profit organisation Consent should not be obtained from silence or inactivity of the data subject Not from silence or inactivity This obligation specifies that the collected personal data should not be processed beyond the purpose for which it was originally collected without an updated consent for the proposed purposes. Not further processed The data subjects were not notified about the data breach because it required disproportionate efforts. Notification requires disproportionate efforts Affected data subject's must be notified about the consequences of the data breach. Notify consequences of breach Affected data subjects must be notified with the name and contact of the DPO responsible/handling for the data breach. Notify about DPO Affected data subjects must be notified of the data breach and its effects. Notify Data Subject of Breach Affect data subjets must be notified of the measures taken against the data breach. Notify measures taken These are the obligations specified by the GDPR. Following the obligations is necessary for compliance. Obligation Collection of Personal Data is an Activity that deals with acquiring data subject's personal data through some model of interaction. Obligation for data collection These are the obligations specified by the GDPR for obtaining consent Obligation for obtaining consent The act of getting a data subject's consent. Obtaining Consent from Data Subject The processor must only act on the intructions provided and documented by the controller Only act on Controller instructions The activity was deemed to be outside the material scope of the GDPR. Outside Material Scope Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data Point in GDPR text Point gdpr:article27-2 a eli:LegalResourceSubdivision, GDPRtext:Point ; eli:description "The obligation laid down in paragraph 1 of this Article shall not apply to:"^^xsd:string ; eli:is_part_of gdpr:GDPR, gdpr:article27, gdpr:chapterIV, gdpr:chapterIV-1 ; eli:number "2"^^xsd:string ; eli:title_alternative "Article27(2)"^^xsd:string ; GDPRtext:hasSubPoint gdpr:article27-2-a, gdpr:article27-2-b ; GDPRtext:isPartOfArticle gdpr:article27 ; GDPRtext:isPartOfChapter gdpr:chapterIV ; GDPRtext:isPartOfSection gdpr:chapterIV-1 . The possible consequences of the change in processing for the data subject Consequences for data subjects A Principle is a rule or standard defined by the GDPR which is essential to be followed for compliance Principle Privacy by Design is the approach of taking privacy into consideration throughout the whole planning and execution processes. Privacy by Design Processing here refers to an Activity that acts on the Data Subject's personal information. Processing This type of processing involves data subjects that are vulnerable, such as children, or people with disabilities. Processing affected or vulnerable individuals The data subject can exercise the right to restrict processing of their personal data when the processing is unlawful Processing is unlawful This involves processing involving sensitive personal data. Processing sensitive data This type of processing uses technologies that are new or have not yet been deemed to be fit or stable for usage. Processing using untested technologies A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processor Signifies the agreement between Controller and Processors for processing of personal data Agreement between Processor and Controller These are the obligations specified by the GDPR in the context of Processors Processor Obligations A natural or legal person established in the Union who, designated by the processor in writing, represents the processor with regard to their respective obligations under the GDPR. Processor Representative To propogate a data subject's right once they have been exercised to other third parties that are involved through the data subject's personal data. Propogate rights to Third Parties Protection of data subject's personal data against accidental loss. Protection against accidental loss Protection of data subject's personal data against damage to the data. Protection against damage Protection of data subject's personal data against destruction of data. Protection against destruction Protection of data subject's personal data against unlawful processing of data. Protection against unlawful processing The processor must provide the controller with the information necessary to demonstrate compliance Provide information for compliance The right of data portability requries providing a copy of the data subject's personal data Provide copy of Personal Data Personal data that can no longer be attributed to a specific data subject without the use of additional information. Pseudo-anonymous data Lawful basis is provided by the GDPR as being in the interest of the public Public Interest The principle of purpose limitation states that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes. Principle of Purpose Limitation These are the obligations over determining the new or changed purposes of processing Purpose of new processing Related to Regulation (EC) No. 45/2001 Regulation (EC) No 45/2001 Exempted as the GDPR does not apply to personal or household activity that does not have a professional or commercial activity associated with it. Personal or Household activity Exempted as it involves areas covered by Directive (EU) 2016/680 Covered by Directive (EU) 2016/680 Personal data revealing racial or ethnic origin. Racial origin data Regulation in GDPR text Regulation gdpr:recital1 a eli:LegalResourceSubdivision, GDPRtext:Recital ; eli:description "The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her."^^xsd:string ; eli:is_part_of gdpr:GDPR ; eli:number "1"^^xsd:string . This obligation requires Controllers to record the categories of data subjects and the personal data involved in processing/activities. Categories of data subjects and personal data This obligation requires Controllers to record the categories of recipients the personal data was shared with. Record categories of recipients This obligation requires Controllers to record the cross-border data transfers. Record cross-border transfers This obligation requires Controllers to record the data retention period of personal data. Record data retention periods This obligation requires Controllers to record the purpose of processing associated with personal data and the given consent. Record purpose of processing This obligation requires Controllers to record the measures taken to ensure adequate safety measures of personal data and the involved activities. Record security measures An activity that rectifies data Rectify Data Any inaccuracies or discrepancies in the retained data must be rectified Rectify Inaccuracies The authority responsible for regulating data protection laws. Regulatory Authority Any retained personal data must be relevant for subsiquent processing Relevant for processing The act of reporting a data breach to entities mentioned within the GDPR. These are the Data Protection Authority (DPA), and in the case of Processors, the Controller they have an agreement with. Report Data Breach The occurence of a data breach must be reported to the Controller. Report data breach to Controller The occurence of a data breach must be reported to the Data Protection Authority (DPA) within 72 hours Report breach to DPA within 72 hours The stated obligation or activity could not be completed as it requires disproportionate efforts to complete. Requires disproportionate efforts Appointing a sub-processor requires the written consent of the controller specifying permission or consent Written consent of Controller These provide restrictions on cross-border transfers for Processors Restrictions on cross-border transfers These are the obligations specified by the GDPR on the retention of personal data Data Retention The processor must return or destroy personal data at the end of term (of its agreement with the controller) Return or destroy data The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Right of Data Portability The data subject has the right to obtain erasure of their personal data Right of Erasure The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data along with additional information about it. Right to Access Personal Data The right to basic information about processing provides data subjects with information about the processing activities involving their personal data Right to basic information about processing of personal data The data subject has a right to not be evaluated through automated processing Right to not be evaluated through automated processing The data subject has a right to object to direct marketting based on their personal data Right to object direct marketting The data subject has the right to object to processing of their personal data Right to object processing The data subject has a right to recitify their personal data Right to rectify The data subject has the rights to restrict the processing of their personal data Right to restrict processing The right to transparency requires controllers to provide information about the processing activities as well as personal data and its usage in a transparent manner Right to Transparency The GDPR provides several rights to the data subjects which may be exercised at any time by the data subject and which are mandatory for the organisation to provide, comply with, and inform the data subject about. Data Subject's Rights The stated obligation could not be completed as it concerns freedoms protection. Freedoms protection A seal pertaining to GDPR compliance Seal GDPR provides for the creation and provision of seals and certificates pertaining to compliance or related activities Seals and Certifications Section in GDPR text Section gdpr:chapterIV-5 a eli:LegalResourceSubdivision, GDPRtext:Section ; eli:is_part_of gdpr:GDPR, gdpr:chapterIV ; eli:number "5"^^xsd:string ; eli:title "Codes of conduct and certification"^^xsd:string ; eli:title_alternative "Section 5"^^xsd:string ; GDPRtext:hasArticle gdpr:article40, gdpr:article41, gdpr:article42, gdpr:article43 ; GDPRtext:isPartOfChapter gdpr:chapterIV . This activity refers to security of data subject's personal data. Security of Personal Data Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Sensitive Personal Data This activity represents the sharing of data subject's personal data with a third party. Share Personal Data with Third Party The provided copy of personal data should be in a commonly used format Copy should be in a commonly used format Obtained consent should be in a demonstrable form Demonstrable Obtained consent should be distinguishable from other related matters (in the context of the process) Distinguishable from other matters The provided copy of personal data should be machine readable Copy should be in a machine readable format The provided copy of personal data should be structured Should be structured The provided copy of personal data should support reuse Shoud support reuse GDPR obligation that specifies consent must be specific for it to be valid. Specific This obligation states that the collection of personal data should happen only for the specified purposes (for which the data subject has consented). Specified purpose The principle of storage limitation states that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject. Principle of Storage Limitation An activity where personal data is being stored Store Data SubPoint in GDPR text SubPoint gdpr:article12-5-b a eli:LegalResourceSubdivision, GDPRtext:SubPoint ; eli:description "refuse to act on the request."^^xsd:string ; eli:is_part_of gdpr:GDPR, gdpr:article12, gdpr:article12-5, gdpr:chapterIII, gdpr:chapterIII-1 ; eli:number "b"^^xsd:string ; eli:title_alternative "Article12(5)(b)"^^xsd:string ; GDPRtext:isPartOfArticle gdpr:article12 ; GDPRtext:isPartOfChapter gdpr:chapterIII ; GDPRtext:isPartOfPoint gdpr:article12-5 ; GDPRtext:isPartOfSection gdpr:chapterIII-1 . A sub-processor is a processor acting under another processor. Sub-Processor Sub-processors must follow the same rules and obligations (or terms) as the agreement between processor and controller. Follow same terms This activity provides a systematic monitoring or overview of processes/activities taking place within the context of the organisation. Systematic Monitoring Processing of personal data that is termed to be unlawful in the context of the GDPR or other relevant laws and regulations Unlawful Processing An activity that uses personal data Use Data Consent is termed to be valid if it passes all the criteria or obligations laid down by the GDPR. Valid Consent These are obligations pertaining to the vital interests of the data subjects Vital Interests Consent must be obtained through the data subject's voluntary action and should be opt-in and not opt-out or by default. Voluntary & Opt-in The seals and certifications should be a voluntary system of accredition Voluntary accredition This activity represents the data subject withdrawing given consent. Withdrawing Given Consent Is an activity that acquires consent. Acquire Consent Activity Is an activity that anonymises data. Anonymisation Activity Represents data that has been Anonymised at some level reflected by the hasAnonymityLevel object property AnonymisedData Is an entity where personal data has been anonymised to some extent. Anonymised Data Entity Provides a way to express the Anonymity Level of AnonymisedData objects through the object property hasAnonymityLevel AnonymityLevel Reflects the process(es) used to appoint processors Appoint Processor An activity that archives given/acquired consent for storage. Archive Consent Activity AutomatedStep ConsentAcquisitionStep deals with acquiring consent from the user. It uses Terms and Conditions along with the appropriate Consent Model as the basis of obtaining consent from the user. The output of this step is the consent object agreed upon by the user. Consent Acquisition Step Is an activity dealing with consent. Consent Activity ConsentAgreement reflects the consent provided by the user based on the provided Terms and Conditions and Consent Agreement Templates. It is the set of permissions the user has specifically provided or refused to provide. This consent is useful to provide justification of activities that use user data. ConsentAgreement This is a template for consent requested from the user. ConsentAgreementTemplate ConsentArchivalStep archives acquired consent to form a record of the consent given by the user. Consent Archival Step ConsentModificationStep deals with modifications to the consent by the user. It invalidates the previous consent object and produces a new updated consent object that represents the modified consent. Consent Modification Step A ConsentStep acts/interacts with/uses Consent Consent Step A ConsentWithdrawalProcess deals with the withdrawal of consent by the user and the corresponding activity carried out within the system Consent Withdrawal Process ConsentWithdrawalStep deals with withdrawal of consent Consent Withdrawal Step A ThirdPartyDataController is a Third Party entity that acts as a Data Controller Controller A Representative of the Controller Controller Representative Reflects cross-border transfer of data Cross-border Data Transfer Is an activity that transfer data across borders (as defined in the GDPR). Cross Border Transfer Activity The Data Protection Officer appointed to an organisation. Data Protection Officer (DPO) Represents class of data collected or generated through various activities Data A DataAccessProcess corresponds to the request made by an user for access to their data within the system. This process is responsible for handling the request process and providing the appropriate data to the end user. Data Access Process Is an activity involving data. Data Activity DataAnonymisationStep anonymises data by transforming it from one form to another along the anonymisation chain. Anonymisation can be represented as a spectrum going from raw user data to pseudo-anonymised data that can be de-anonymised by the same agent/organisation to pseudo-anonymous data that cannot be deanonymised internally, but may be done by external agents who have access to other data, and finally to completely anonymised data. Data Anonymisation Step Is an activity that archives data. Archival is transformation of data into some form for storage. Data Archival Activity A DataArchivalProcess describes the process of data archival Data Archival Process DataArchivalStep archives data by transforming it and storing it Data Archival Step Is an activity dealing with data breach. Data Breach Activity A record of a data breach. Data Breach Record Step representing an action associated with data breach. Data Breach Step Is an activity that collects or acquires data. Data Collection Activity DataCollectionStep collects data from the user Data Collection Step DataDeanonymisationStep deanonymises data by transforming it from one form to another along the anonymisation chain. Data Deanonymisation Step Is an activity that deletes or erases data. Data Deletion Activity DataDeletionStep deletes data from within the system; The deletion is expressed as prov:invalidated over the dataset. Data Deletion Step Represents a data entity. Data Entity A DataErasureProcess is responsible for handling the data erasure of a data subject. Data Erasure Process A DataRectificationProcess describes the process of data rectification, which is the correction of data already present within the system Data Rectification Process Is an activity that shares data. Data Sharing Activity DataSharingStep shares data with another agent/organisation. These may be internal or external entities. Data Sharing Step A DataStep deals with data Data Step Is an activity that stores data. Data Storage Activity DataStorageStep stores data within the system Data Storage Step An individual or entity Data Subject DataTransferStep Is an activity that transforms data. Data Transformation Activity DataTransformationStep transforms data from one form into another. Data Transformation Step Is an activity that uses data. Can also be termed as 'Processing' of data. Data Usage Activity A DataUsageStep is a DataStep that uses existing data present within the system Data Usage Step Is an activity that deanonymises data. DeAnonymisation Activity Direct Marketing where the marketing is done directly to the data subject. Direct Marketing Represents the given consent by the data subject. Given Consent Is the template used to obtain the given consent. Given Consent Template A process that defines the actions that should be undertaken in event of a data breach HandleDataBreachProcess The process or series of steps that handle the right of data portability. Handle Right of Data Portability The process or series of steps that handle the right of erasure. Handle Right of Erasure The process or series of steps that handle the right to access personal data. Handle Right to access Personal Data The process or series of steps that handle the right to basic information about processing. Handle Right to basic information about Processing The process or series of steps that handle the right to not be processed automatically. Handle Right to not be evaluated through Automated Processing The process or series of steps that handle the right to object to direct marketing. Handle Right to Object to Direct Marketing The process or series of steps that handle the right to object to processing. Handle Right to Object to Processing The process or series of steps that handle the right to rectification of personal data. Handle Right to Rectification The process or series of steps that handle the right to restrict processing. Handle Right to restrict Processing The process or series of steps that handle the right to transparency. Handle Right to Transparency HandleSAR Impact Assessment for the organisation Represents the process or collection of steps representing the Impact Assessment. Impact Assessment A Joint Controller is where two or more controllers jointly determine the purposes and means of processing. Joint Controller(s) Marketing as a process or collection of steps. Marketing Is an activity that modifies given consent. Modify Consent Activity The process of monitoring compliance as mandated by the GDPR. Monitor Compliance Step that notifies the controller of data breach. Notify Controller Is an activity that notifies controller about data breach Notify Controller Activity Step that notifies the Data Protection Authorities of a data breach. Notify Data Protection Authority Is an activity that notifies data protection authorities about data breach Notify DPA Activity Step that notifies the data subject of data breach. Notify Data Subject Is an activity that notifies data subjects about data breach Notify Data Subject Activity PersonalData is any data pertaining to the user which can contain personally identifiable information or a data set generated by the system using personally identifiable information acquired through direct or indirect means PersonalData Represents a personal data entity. Personal Data Entity A Process describes a 'Plan' of action for carrying out a particular activity that uses or is related to Data or Consent Process A ThirdPartyDataProcessor is a Third Party entity that acts as a Data Processor Processor A representative of the Processor. Processor Representative A step that provides the data subject with a copy of their personal data. Provide copy of Personal Data Rectifies existing data Rectify Data Is an activity that recitifies data. Rectify Data Activity The process of reporting after a data breach has taken place. Report Data Breach Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Sensitive Personal Data Is an entity containing sensitive personal information. Sensitive Data Entity A Processor appointed under or by another Processor is a Sub-Processor. Sub-Processor Terms and Conditions of usage as provided to the user in agreement of provided service TermsAndConditions Represents the Terms and Conditions entity. Terms and Conditions Entity A ThirdParty is any external entitiy associated with some internal activity ThirdParty An UserIdentifier is a specific way to identify the user through a unique ID or a combination of other attributes UserIdentifier Is an entity acting as the user identifier. Or contains an identifier. User Identifier Entity Is an activity that withdraws given consent. Can also term it so as to depict withdrawal as a modification of consent. Withdraw Consent Activity A p-plan:Activity represents the execution process planned in a p-plan:Step Activity Bundle A p-plan:Bundle is a specific type of prov:Bundle that contains the provenance assertions of the execution of a p-plan:Plan Entity A p-plan:Entity represents the input of the execution of a p-plan:Activity. It corresponds to a p-plan:Variable. MultiStep A multi step is the representation of a plan that appears as a step of another plan. Plan A p-plan:Plan is a specific type of prov:Plan. It is composed of smaller steps that use and produce Variables. Step A p-plan:Step represents the planned execution activity Variable A p-plan:Variable represents a description of the input of the planned Activity (p-plan:Step) Activity starting-point entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig An activity is something that occurs over a period of time and acts upon or with entities; it may include consuming, processing, transforming, modifying, relocating, using, or generating entities. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Activity http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Activity 0 ActivityInfluence provides additional descriptions of an Activity's binary influence upon any other kind of resource. Instances of ActivityInfluence use the prov:activity property to cite the influencing Activity. It is not recommended that the type ActivityInfluence be asserted without also asserting one of its more specific subclasses. ActivityInfluence qualified ActivitiyInfluence is the capacity of an activity to have an effect on the character, development, or behavior of another by means of generation, invalidation, communication, or other. Agent starting-point agents-responsibility An agent is something that bears some form of responsibility for an activity taking place, for the existence of an entity, or for another agent's activity. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-agent http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Agent AgentInfluence provides additional descriptions of an Agent's binary influence upon any other kind of resource. Instances of AgentInfluence use the prov:agent property to cite the influencing Agent. It is not recommended that the type AgentInfluence be asserted without also asserting one of its more specific subclasses. AgentInfluence qualified AgentInfluence is the capacity of an agent to have an effect on the character, development, or behavior of another by means of attribution, association, delegation, or other. An instance of prov:Association provides additional descriptions about the binary prov:wasAssociatedWith relation from an prov:Activity to some prov:Agent that had some responsiblity for it. For example, :baking prov:wasAssociatedWith :baker; prov:qualifiedAssociation [ a prov:Association; prov:agent :baker; :foo :bar ]. Association qualified agents-responsibility An activity association is an assignment of responsibility to an agent for an activity, indicating that the agent had a role in the activity. It further allows for a plan to be specified, which is the plan intended by the agent to achieve some goals in the context of this activity. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Association http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Association An instance of prov:Attribution provides additional descriptions about the binary prov:wasAttributedTo relation from an prov:Entity to some prov:Agent that had some responsible for it. For example, :cake prov:wasAttributedTo :baker; prov:qualifiedAttribution [ a prov:Attribution; prov:entity :baker; :foo :bar ]. Attribution qualified agents-responsibility http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig Attribution is the ascribing of an entity to an agent. When an entity e is attributed to agent ag, entity e was generated by some unspecified activity that in turn was associated to agent ag. Thus, this relation is useful when the activity is not known, or irrelevant. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-attribution http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-attribution Note that there are kinds of bundles (e.g. handwritten letters, audio recordings, etc.) that are not expressed in PROV-O, but can be still be described by PROV-O. Bundle expanded A bundle is a named set of provenance descriptions, and is itself an Entity, so allowing provenance of provenance to be expressed. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-bundle-entity http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-bundle-declaration Collection expanded collections A collection is an entity that provides a structure to some constituents, which are themselves entities. These constituents are said to be member of the collections. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-collection An instance of prov:Communication provides additional descriptions about the binary prov:wasInformedBy relation from an informed prov:Activity to the prov:Activity that informed it. For example, :you_jumping_off_bridge prov:wasInformedBy :everyone_else_jumping_off_bridge; prov:qualifiedCommunication [ a prov:Communication; prov:activity :everyone_else_jumping_off_bridge; :foo :bar ]. Communication qualified entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig Communication is the exchange of an entity by two activities, one activity using the entity generated by the other. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Communication http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-wasInformedBy An instance of prov:Delegation provides additional descriptions about the binary prov:actedOnBehalfOf relation from a performing prov:Agent to some prov:Agent for whom it was performed. For example, :mixing prov:wasAssociatedWith :toddler . :toddler prov:actedOnBehalfOf :mother; prov:qualifiedDelegation [ a prov:Delegation; prov:entity :mother; :foo :bar ]. Delegation qualified agents-responsibility Delegation is the assignment of authority and responsibility to an agent (by itself or by another agent) to carry out a specific activity as a delegate or representative, while the agent it acts on behalf of retains some responsibility for the outcome of the delegated work. For example, a student acted on behalf of his supervisor, who acted on behalf of the department chair, who acted on behalf of the university; all those agents are responsible in some way for the activity that took place but we do not say explicitly who bears responsibility and to what degree. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-delegation http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-delegation An instance of prov:Derivation provides additional descriptions about the binary prov:wasDerivedFrom relation from some derived prov:Entity to another prov:Entity from which it was derived. For example, :chewed_bubble_gum prov:wasDerivedFrom :unwrapped_bubble_gum; prov:qualifiedDerivation [ a prov:Derivation; prov:entity :unwrapped_bubble_gum; :foo :bar ]. The more specific forms of prov:Derivation (i.e., prov:Revision, prov:Quotation, prov:PrimarySource) should be asserted if they apply. Derivation qualified derivations http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig A derivation is a transformation of an entity into another, an update of an entity resulting in a new one, or the construction of a new entity based on a pre-existing entity. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Derivation http://www.w3.org/TR/2013/REC-prov-n-20130430/#Derivation-Relation EmptyCollection expanded collections An empty collection is a collection without members. An instance of prov:End provides additional descriptions about the binary prov:wasEndedBy relation from some ended prov:Activity to an prov:Entity that ended it. For example, :ball_game prov:wasEndedBy :buzzer; prov:qualifiedEnd [ a prov:End; prov:entity :buzzer; :foo :bar; prov:atTime '2012-03-09T08:05:08-05:00'^^xsd:dateTime ]. End qualified entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig End is when an activity is deemed to have been ended by an entity, known as trigger. The activity no longer exists after its end. Any usage, generation, or invalidation involving an activity precedes the activity's end. An end may refer to a trigger entity that terminated the activity, or to an activity, known as ender that generated the trigger. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-End http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-End Entity starting-point entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig An entity is a physical, digital, conceptual, or other kind of thing with some fixed aspects; entities may be real or imaginary. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-entity http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Entity EntityInfluence provides additional descriptions of an Entity's binary influence upon any other kind of resource. Instances of EntityInfluence use the prov:entity property to cite the influencing Entity. It is not recommended that the type EntityInfluence be asserted without also asserting one of its more specific subclasses. EntityInfluence qualified EntityInfluence is the capacity of an entity to have an effect on the character, development, or behavior of another by means of usage, start, end, derivation, or other. An instance of prov:Generation provides additional descriptions about the binary prov:wasGeneratedBy relation from a generated prov:Entity to the prov:Activity that generated it. For example, :cake prov:wasGeneratedBy :baking; prov:qualifiedGeneration [ a prov:Generation; prov:activity :baking; :foo :bar ]. Generation qualified entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig Generation is the completion of production of a new entity by an activity. This entity did not exist before generation and becomes available for usage after this generation. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Generation http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Generation An instance of prov:Influence provides additional descriptions about the binary prov:wasInfluencedBy relation from some influenced Activity, Entity, or Agent to the influencing Activity, Entity, or Agent. For example, :stomach_ache prov:wasInfluencedBy :spoon; prov:qualifiedInfluence [ a prov:Influence; prov:entity :spoon; :foo :bar ] . Because prov:Influence is a broad relation, the more specific relations (Communication, Delegation, End, etc.) should be used when applicable. Because prov:Influence is a broad relation, its most specific subclasses (e.g. prov:Communication, prov:Delegation, prov:End, prov:Revision, etc.) should be used when applicable. Influence qualified derivations Influence is the capacity of an entity, activity, or agent to have an effect on the character, development, or behavior of another by means of usage, start, end, generation, invalidation, communication, derivation, attribution, association, or delegation. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-influence http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-influence An instantaneous event, or event for short, happens in the world and marks a change in the world, in its activities and in its entities. The term 'event' is commonly used in process algebra with a similar meaning. Events represent communications or interactions; they are assumed to be atomic and instantaneous. InstantaneousEvent qualified entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#dfn-event The PROV data model is implicitly based on a notion of instantaneous events (or just events), that mark transitions in the world. Events include generation, usage, or invalidation of entities, as well as starting or ending of activities. This notion of event is not first-class in the data model, but it is useful for explaining its other concepts and its semantics. An instance of prov:Invalidation provides additional descriptions about the binary prov:wasInvalidatedBy relation from an invalidated prov:Entity to the prov:Activity that invalidated it. For example, :uncracked_egg prov:wasInvalidatedBy :baking; prov:qualifiedInvalidation [ a prov:Invalidation; prov:activity :baking; :foo :bar ]. Invalidation qualified entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig Invalidation is the start of the destruction, cessation, or expiry of an existing entity by an activity. The entity is no longer available for use (or further invalidation) after invalidation. Any generation or usage of an entity precedes its invalidation. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Invalidation http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Invalidation Location expanded A location can be an identifiable geographic place (ISO 19112), but it can also be a non-geographic place such as a directory, row, or column. As such, there are numerous ways in which location can be expressed, such as by a coordinate, address, landmark, and so forth. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-attribute-location http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-attribute Organization expanded agents-responsibility An organization is a social or legal institution such as a company, society, etc. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-agent http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-types Person expanded agents-responsibility Person agents are people. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-agent http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-types There exist no prescriptive requirement on the nature of plans, their representation, the actions or steps they consist of, or their intended goals. Since plans may evolve over time, it may become necessary to track their provenance, so plans themselves are entities. Representing the plan explicitly in the provenance can be useful for various tasks: for example, to validate the execution as represented in the provenance record, to manage expectation failures, or to provide explanations. Plan expanded qualified agents-responsibility A plan is an entity that represents a set of actions or steps intended by one or more agents to achieve some goals. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Association http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Association An instance of prov:PrimarySource provides additional descriptions about the binary prov:hadPrimarySource relation from some secondary prov:Entity to an earlier, primary prov:Entity. For example, :blog prov:hadPrimarySource :newsArticle; prov:qualifiedPrimarySource [ a prov:PrimarySource; prov:entity :newsArticle; :foo :bar ] . PrimarySource qualified derivations A primary source for a topic refers to something produced by some agent with direct experience and knowledge about the topic, at the time of the topic's study, without benefit from hindsight. Because of the directness of primary sources, they 'speak for themselves' in ways that cannot be captured through the filter of secondary sources. As such, it is important for secondary sources to reference those primary sources from which they were derived, so that their reliability can be investigated. A primary source relation is a particular case of derivation of secondary materials from their primary sources. It is recognized that the determination of primary sources can be up to interpretation, and should be done according to conventions accepted within the application's domain. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-primary-source http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-original-source An instance of prov:Quotation provides additional descriptions about the binary prov:wasQuotedFrom relation from some taken prov:Entity from an earlier, larger prov:Entity. For example, :here_is_looking_at_you_kid prov:wasQuotedFrom :casablanca_script; prov:qualifiedQuotation [ a prov:Quotation; prov:entity :casablanca_script; :foo :bar ]. Quotation qualified derivations A quotation is the repeat of (some or all of) an entity, such as text or image, by someone who may or may not be its original author. Quotation is a particular case of derivation. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-quotation http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-quotation An instance of prov:Revision provides additional descriptions about the binary prov:wasRevisionOf relation from some newer prov:Entity to an earlier prov:Entity. For example, :draft_2 prov:wasRevisionOf :draft_1; prov:qualifiedRevision [ a prov:Revision; prov:entity :draft_1; :foo :bar ]. Revision qualified derivations A revision is a derivation for which the resulting entity is a revised version of some original. The implication here is that the resulting entity contains substantial content from the original. Revision is a particular case of derivation. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-revision http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Revision Role qualified agents-responsibility A role is the function of an entity or agent with respect to an activity, in the context of a usage, generation, invalidation, association, start, and end. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-attribute-role http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-attribute SoftwareAgent expanded agents-responsibility A software agent is running software. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-agent http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-types An instance of prov:Start provides additional descriptions about the binary prov:wasStartedBy relation from some started prov:Activity to an prov:Entity that started it. For example, :foot_race prov:wasStartedBy :bang; prov:qualifiedStart [ a prov:Start; prov:entity :bang; :foo :bar; prov:atTime '2012-03-09T08:05:08-05:00'^^xsd:dateTime ] . Start qualified entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig Start is when an activity is deemed to have been started by an entity, known as trigger. The activity did not exist before its start. Any usage, generation, or invalidation involving an activity follows the activity's start. A start may refer to a trigger entity that set off the activity, or to an activity, known as starter, that generated the trigger. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Start http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Start An instance of prov:Usage provides additional descriptions about the binary prov:used relation from some prov:Activity to an prov:Entity that it used. For example, :keynote prov:used :podium; prov:qualifiedUsage [ a prov:Usage; prov:entity :podium; :foo :bar ]. Usage qualified entities-activities http://www.w3.org/TR/2013/REC-prov-constraints-20130430/#prov-dm-constraints-fig Usage is the beginning of utilizing an entity by an activity. Before usage, the activity had not begun to utilize this entity and could not have been affected by the entity. http://www.w3.org/TR/2013/REC-prov-dm-20130430/#term-Usage http://www.w3.org/TR/2013/REC-prov-n-20130430/#expression-Usage A process to generate Ads to be shown along with the Product Ads Generation Process Ads shown along with a product Ads Third Party that provides Ads based on given information Ads Provider A user's personal data that has been anonymised before deletion Anonymise user data (for removal) A User Profile where all personal information has been either removed or anonymised User Profile (Anonymised) Archived copy of given consent preserved (before deletion) for compliance purposes Archive consent (for removal) Archived copy of consent Consent (Archived) Ireland Backup Servers hosting data and situated in Ireland Backup Servers This step withdraws consent (User's Given Consent) Consent Withdrawal Step This is a copy of (all of) the user's personal data. Personal Data (copy) The address of the customer Customer Address The Bank Account or Transaction details of Customer Customer Bank Account Payment information such as Card details for Customer Customer Card Details Customer's contact information, such as telephone number Customer Contact Number Customer's contact information, such as email Customer Email Name of Customer Customer Name This step deletes user (customer records) data Delete User Account Data This step deletes (partially) some of the user's data. It allows the user to select which data should be deleted. Erase (selected) Data This step gathers information required for an Impact Assessment within the framework of the system model. It is a pre-cursor for the Impact Assessment step. Gather required information for Impact Assessment This step generates the Impact Assessment report Generate Impact Assessment Report This step is responsible for retrieving the (new) user's consent. Get Consent for New User This step is responsible for gathering the (new) user's details required for operation of services Get Details for New User This process outlines the set of actions to be carried out in the event of a data breach Handle Data Breach This process is responsible for handling the Right to Data Portability Handle Right to Data Portability This process is responsible for handling the Right of Erasure Handle Right of Erasure This process is responsible for handling the Right to Object to Processing Handle Right to Object to Processing This process is responsible for handling the Right to Rectification Handle Right to Rectification This process is responsible for handling Subject Access Requests Handle Subject Access Requests This process undertakes the Impact Assessment for the current state of the system (model) Impact Assessment This is the Impact Assessment Report, produced as the outcome of the Impact Assessment Process Impact Assessment Report This is an Invoice shown/presented to the user upon ordering a product Invoice (Order) Marketing Consent (modified) Consent from New User Sign up form for New Users Sign up process for New Users Notify Data Breach to Users Notify Data Breach to Supervisory Authorities Ordering Products Order Product Product Provide a copy of user's personal data Rectify specified user data Remove user's account Report Data Breach Request Ads from Provider Provide user's data as part of SAR Store new user's details Store new user's consent Stored Consent Terms and Conditions Transfer data to backup servers User Get data to be erased Get processes to be halted TEST TEST2 TEST TEST2 An ontology for representing provenance traces pertainining to GDPR compliance. It uses concepts from GDPRtEXT along with extending PROV and P-Plan. Anonymised Anonymised represents the Anonymisation level where the data cannot be de-anonymised to retrieve personally identifiable information. DeAnonymised DeAnonymised represents the Anonymisation level where the data is completely de-anonymised and contains directly accessible personally identifiable information. PseudoAnonymised PseudoAnonymised represents the Anonymisation level where the data is anonymised but cannot be de-anonymised without additional data which is NOT accessible to the data-holding organisation to retrieve personally identifiable information. PseudoOrganisationalOrganised PseudoOrganisationalAnonymised represents the Anonymisation level where the data is anonymised but cannot be de-anonymised without additional data which is accessible to the data-holding organisation to recreate the de-anonymised information. hasLegalBasis Indicates sharing of Data through a DataStep sharesData sharesDataWith transfersDataToRegion The position that this OWL term should be listed within documentation. The scope of the documentation (e.g., among all terms, among terms within a prov:category, among properties applying to a particular class, etc.) is unspecified.