http://purl.org/net/p-plan# http://www.w3.org/ns/prov-o-20130430 http://purl.org/adaptcentre/people/harshvardhan_pandit gdprov 0.7 The GDPR Provenance ontology http://purl.org/adaptcentre/people/dave_lewis 2017-08-01 https://openscience.adaptcentre.ie/ontologies/gdprov/v/gdprov.0.7.owl http://purl.org/adaptcentre/openscience/ontologies/gdprov# GDPRov is an OWL2 ontology to express provenance metadata of consent and data lifecycles towards documenting compliance for GDPR. The General Data Protection Regulation (GDPR) is an European law governing the use of consent and personal data. Some of its obligations involve concepts related to the lifecycles of consent and personal data. Such obligations are concerned with how the collection, use, processing, sharing, and storing of consent and personal data takes place and provides the motivation for a form of documentation that can demonstrate the required information towards compliance. GDPRov is an OWL2 ontology for representing this information as provenance metadata using terms relevant to the GDPR. It extends PROV-O and P-Plan to represent the lifecyles as an abstract model of how things should happen or will happen (future) as well as instance of what has happened (past). The ontology is being developed as part of contributions towards PhD research by its primary author. https://creativecommons.org/licenses/by/4.0/ GDPRov is an ontology for expressing provenance metadata in the context of the General Data Protection Regulation (GDPR) and its compliance. It extends PROV-O and P-Plan. PROV-O is the ontology based on the PROV model, a W3C recommendation, while P-Plan is an extension of PROV-O. PROV is used to define terms or 'instances' of what has happened in the past, while P-Plan is used to define the abstract model or 'Plan' of things to happen. GDPRov uses P-Plan to create a template/model/plan as an abstract or model representation of a system which is then recorded using PROV-O instances to show something has happened. The aim of the ontology is to enable representation of consent and personal data lifecycles using terms relevant to GDPR and to facilitate expression of this information towards documentation related to compliance. 2018-07-31 AcquireConsentActivity Is an activity that acquires consent. AcquireConsentActivity gdprtext:ObtainingConsent AcquireConsentActivity Acquire Consent Activity AcquireConsentActivity ConsentAcquisitionStep AnonymisationActivity Is an activity that anonymises data. AnonymisationActivity Anonymisation Activity AnonymisationActivity DataAnonymisationStep Anonymised Anonymised represents the Anonymisation level where the data cannot be de-anonymised to retrieve personally identifiable information. Anonymised Anonymised AnonymisedData Represents data that has been Anonymised at some level reflected by the hasAnonymityLevel object property AnonymisedData gdprtext:AnonymousData AnonymisedData gdprtext:PseudoAnonymousData AnonymisedData AnonymisedData AnonymisedData AnonymisedDataEntity AnonymisedDataEntity Is an entity where personal data has been anonymised to some extent. AnonymisedDataEntity gdprtext:AnonymousData AnonymisedDataEntity gdprtext:PseudoAnonymousData AnonymisedDataEntity Anonymised Data Entity AnonymisedDataEntity AnonymisedData AnonymityLevel Provides a way to express the Anonymity Level of AnonymisedData objects through the object property hasAnonymityLevel AnonymityLevel gdprtext:AnonymousData AnonymityLevel gdprtext:PseudoAnonymousData AnonymityLevel AnonymityLevel AppointProcessor Reflects the process(es) used to appoint processors AppointProcessor gdprtext:AppointmentOfProcessors AppointProcessor Appoint Processor ArchiveConsentActivity An activity that archives given/acquired consent for storage. ArchiveConsentActivity Archive Consent Activity ArchiveConsentActivity ConsentArchivalStep AutomatedStep AutomatedStep ConsentAcquisitionStep ConsentAcquisitionStep deals with acquiring consent from the user. It uses Terms and Conditions along with the appropriate Consent Model as the basis of obtaining consent from the user. The output of this step is the consent object agreed upon by the user. ConsentAcquisitionStep gdprtext:ObtainingConsent ConsentAcquisitionStep Consent Acquisition Step ConsentAcquisitionStep AcquireConsentActivity ConsentActivity Is an activity dealing with consent. ConsentActivity gdprtext:ConsentActivity ConsentActivity Consent Activity ConsentActivity ConsentStep ConsentAgreement ConsentAgreement reflects the consent provided by the user based on the provided Terms and Conditions and Consent Agreement Templates. It is the set of permissions the user has specifically provided or refused to provide. This consent is useful to provide justification of activities that use user data. ConsentAgreement gdprtext:GivenConsent ConsentAgreement ConsentAgreement ConsentAgreement GivenConsent ConsentAgreementTemplate This is a template for consent requested from the user. ConsentAgreementTemplate gdprtext:Consent ConsentAgreementTemplate gdprtext:ObligationForObtainingConsent ConsentAgreementTemplate gdprtext:ValidConsent ConsentAgreementTemplate ConsentAgreementTemplate ConsentAgreementTemplate GivenConsentTemplate ConsentArchivalStep ConsentArchivalStep archives acquired consent to form a record of the consent given by the user. ConsentArchivalStep gdprtext:DemonstratingConsent ConsentArchivalStep Consent Archival Step ConsentArchivalStep ArchiveConsentActivity ConsentModificationStep ConsentModificationStep deals with modifications to the consent by the user. It invalidates the previous consent object and produces a new updated consent object that represents the modified consent. ConsentModificationStep gdprtext:ObligationForObtainingConsent ConsentModificationStep Consent Modification Step ConsentModificationStep ModifyConsentActivity ConsentStep A ConsentStep acts/interacts with/uses Consent ConsentStep gdprtext:ConsentActivity ConsentStep Consent Step ConsentStep ConsentActivity ConsentWithdrawalProcess A ConsentWithdrawalProcess deals with the withdrawal of consent by the user and the corresponding activity carried out within the system ConsentWithdrawalProcess gdprtext:WithdrawingConsent ConsentWithdrawalProcess Consent Withdrawal Process ConsentWithdrawalProcess ConsentWithdrawalStep ConsentWithdrawalStep ConsentWithdrawalStep deals with withdrawal of consent ConsentWithdrawalStep gdprtext:CanBeWithdrawnEasilyConsentObligation ConsentWithdrawalStep gdprtext:WithdrawingConsent ConsentWithdrawalStep Consent Withdrawal Step ConsentWithdrawalStep WithdrawConsentActivity Controller A ThirdPartyDataController is a Third Party entity that acts as a Data Controller Controller gdprtext:Controller Controller Controller ControllerRepresentative A Representative of the Controller ControllerRepresentative gdprtext:ControllerRepresentative ControllerRepresentative Controller Representative CrossBorderDataTransfer Reflects cross-border transfer of data CrossBorderDataTransfer gdprtext:CrossBorderTransfer CrossBorderDataTransfer Cross-border Data Transfer CrossBorderDataTransfer CrossBorderTransferActivity CrossBorderTransferActivity Is an activity that transfer data across borders (as defined in the GDPR). CrossBorderTransferActivity gdprtext:CrossBorderTransfer CrossBorderTransferActivity Cross Border Transfer Activity CrossBorderTransferActivity CrossBorderDataTransfer DPO The Data Protection Officer appointed to an organisation. DPO gdprtext:DPO DPO Data Protection Officer (DPO) Data Represents class of data collected or generated through various activities Data gdprtext:Data Data Data Data DataEntity DataAccessProcess A DataAccessProcess corresponds to the request made by an user for access to their data within the system. This process is responsible for handling the request process and providing the appropriate data to the end user. DataAccessProcess gdprtext:ProvideCopyOfPersonalData DataAccessProcess Data Access Process DataActivity Is an activity involving data. DataActivity gdprtext:DataActivity DataActivity Data Activity DataActivity DataStep DataAnonymisationStep DataAnonymisationStep anonymises data by transforming it from one form to another along the anonymisation chain. Anonymisation can be represented as a spectrum going from raw user data to pseudo-anonymised data that can be de-anonymised by the same agent/organisation to pseudo-anonymous data that cannot be deanonymised internally, but may be done by external agents who have access to other data, and finally to completely anonymised data. DataAnonymisationStep Data Anonymisation Step DataAnonymisationStep AnonymisationActivity DataArchivalActivity Is an activity that archives data. Archival is transformation of data into some form for storage. DataArchivalActivity gdprtext:ArchiveData DataArchivalActivity Data Archival Activity DataArchivalActivity DataArchivalStep DataArchivalProcess A DataArchivalProcess describes the process of data archival DataArchivalProcess gdprtext:ArchiveData DataArchivalProcess Data Archival Process DataArchivalStep DataArchivalStep archives data by transforming it and storing it DataArchivalStep gdprtext:ArchiveData DataArchivalStep Data Archival Step DataArchivalStep DataArchivalActivity DataBreachActivity Is an activity dealing with data breach. DataBreachActivity gdprtext:ReportDataBreach DataBreachActivity Data Breach Activity DataBreachActivity DataBreachStep DataBreachRecord A record of a data breach. DataBreachRecord gdprtext:MaintainRecordOfBreach DataBreachRecord Data Breach Record DataBreachStep Step representing an action associated with data breach. DataBreachStep gdprtext:ReportDataBreach DataBreachStep Data Breach Step DataBreachStep DataBreachActivity DataCollectionActivity Is an activity that collects or acquires data. DataCollectionActivity gdprtext:CollectionOfPersonalData DataCollectionActivity Data Collection Activity DataCollectionActivity DataCollectionStep DataCollectionStep DataCollectionStep collects data from the user DataCollectionStep gdprtext:CollectionOfPersonalData DataCollectionStep Data Collection Step DataCollectionStep DataCollectionActivity DataDeanonymisationStep DataDeanonymisationStep deanonymises data by transforming it from one form to another along the anonymisation chain. DataDeanonymisationStep Data Deanonymisation Step DataDeanonymisationStep DeAnonymisationActivity DataDeletionActivity Is an activity that deletes or erases data. DataDeletionActivity gdprtext:EraseData DataDeletionActivity Data Deletion Activity DataDeletionActivity DataDeletionStep DataDeletionStep DataDeletionStep deletes data from within the system; The deletion is expressed as prov:invalidated over the dataset. DataDeletionStep gdprtext:EraseData DataDeletionStep Data Deletion Step DataDeletionStep DataDeletionActivity DataEntity Represents a data entity. DataEntity gdprtext:Data DataEntity Data Entity DataEntity Data DataErasureProcess A DataErasureProcess is responsible for handling the data erasure of a data subject. DataErasureProcess gdprtext:EraseData DataErasureProcess Data Erasure Process DataRectificationProcess A DataRectificationProcess describes the process of data rectification, which is the correction of data already present within the system DataRectificationProcess gdprtext:RectifyData DataRectificationProcess Data Rectification Process DataSharingActivity Is an activity that shares data. DataSharingActivity gdprtext:ShareDataWithThirdParty DataSharingActivity Data Sharing Activity DataSharingActivity DataSharingStep DataSharingStep DataSharingStep shares data with another agent/organisation. These may be internal or external entities. DataSharingStep gdprtext:ShareDataWithThirdParty DataSharingStep Data Sharing Step DataSharingStep DataSharingActivity DataStep A DataStep deals with data DataStep gdprtext:DataActivity DataStep Data Step DataStep DataActivity DataStorageActivity Is an activity that stores data. DataStorageActivity gdprtext:StoreData DataStorageActivity Data Storage Activity DataStorageActivity DataStorageStep DataStorageStep DataStorageStep stores data within the system DataStorageStep gdprtext:StoreData DataStorageStep Data Storage Step DataStorageStep DataStorageActivity DataSubject An individual or entity DataSubject gdprtext:DataSubject DataSubject Data Subject DataTransferStep DataTransferStep DataTransformationActivity Is an activity that transforms data. DataTransformationActivity Data Transformation Activity DataTransformationActivity DataTransformationStep DataTransformationStep DataTransformationStep transforms data from one form into another. DataTransformationStep Data Transformation Step DataTransformationStep DataTransformationActivity DataUsageActivity Is an activity that uses data. Can also be termed as 'Processing' of data. DataUsageActivity gdprtext:UseData DataUsageActivity Data Usage Activity DataUsageActivity DataUsageStep DataUsageStep A DataUsageStep is a DataStep that uses existing data present within the system DataUsageStep gdprtext:Processing DataUsageStep Data Usage Step DataUsageStep DataUsageActivity DeAnonymisationActivity Is an activity that deanonymises data. DeAnonymisationActivity DeAnonymisation Activity DeAnonymisationActivity DataDeanonymisationStep DeAnonymised DeAnonymised represents the Anonymisation level where the data is completely de-anonymised and contains directly accessible personally identifiable information. DeAnonymised DeAnonymised DirectMarketing Direct Marketing where the marketing is done directly to the data subject. DirectMarketing gdprtext:DirectMarketing DirectMarketing Direct Marketing GivenConsent Represents the given consent by the data subject. GivenConsent gdprtext:GivenConsent GivenConsent Given Consent GivenConsent ConsentAgreement GivenConsentTemplate Is the template used to obtain the given consent. GivenConsentTemplate Given Consent Template GivenConsentTemplate ConsentAgreementTemplate HandleDataBreachProcess A process that defines the actions that should be undertaken in event of a data breach HandleDataBreachProcess gdprtext:DataBreach HandleDataBreachProcess HandleDataBreachProcess HandleRightOfDataPortability The process or series of steps that handle the right of data portability. HandleRightOfDataPortability gdprtext:RightOfDataPortability HandleRightOfDataPortability Handle Right of Data Portability HandleRightOfErasure The process or series of steps that handle the right of erasure. HandleRightOfErasure gdprtext:RightOfErasure HandleRightOfErasure Handle Right of Erasure HandleRightToAccessPersonalData The process or series of steps that handle the right to access personal data. HandleRightToAccessPersonalData gdprtext:RightOfErasure HandleRightToAccessPersonalData Handle Right to access Personal Data HandleRightToBasicInfoAboutProcessing The process or series of steps that handle the right to basic information about processing. HandleRightToBasicInfoAboutProcessing gdprtext:RightToBasicInformationAboutProcessing HandleRightToBasicInfoAboutProcessing Handle Right to basic information about Processing HandleRightToNoAutomatedProcessing The process or series of steps that handle the right to not be processed automatically. HandleRightToNoAutomatedProcessing gdprtext:RightToNotBeEvaluatedThroughAutomatedProcessing HandleRightToNoAutomatedProcessing Handle Right to not be evaluated through Automated Processing HandleRightToObjectDirectMarketing The process or series of steps that handle the right to object to direct marketing. HandleRightToObjectDirectMarketing gdprtext:RightToObjectForDirectMarketting HandleRightToObjectDirectMarketing Handle Right to Object to Direct Marketing HandleRightToObjectProcessing The process or series of steps that handle the right to object to processing. HandleRightToObjectProcessing gdprtext:RightToObjectToProcessing HandleRightToObjectProcessing Handle Right to Object to Processing HandleRightToRectification The process or series of steps that handle the right to rectification of personal data. HandleRightToRectification gdprtext:RightToRectification HandleRightToRectification Handle Right to Rectification HandleRightToRestrictProcessing The process or series of steps that handle the right to restrict processing. HandleRightToRestrictProcessing gdprtext:RightToRestrictProcessing HandleRightToRestrictProcessing Handle Right to restrict Processing HandleRightToTransparency The process or series of steps that handle the right to transparency. HandleRightToTransparency gdprtext:RightToTransparency HandleRightToTransparency Handle Right to Transparency HandleSAR HandleSAR ImpactAssessment Impact Assessment for the organisation ImpactAssessment Represents the process or collection of steps representing the Impact Assessment. ImpactAssessment gdprtext:ImpactAssessment ImpactAssessment Impact Assessment JointController A Joint Controller is where two or more controllers jointly determine the purposes and means of processing. JointController gdprtext:JointController JointController Joint Controller(s) Marketing Marketing as a process or collection of steps. Marketing gdprtext:Marketing Marketing Marketing ModifyConsentActivity Is an activity that modifies given consent. ModifyConsentActivity Modify Consent Activity ModifyConsentActivity ConsentModificationStep MonitorCompliance The process of monitoring compliance as mandated by the GDPR. MonitorCompliance gdprtext:MonitorCompliance MonitorCompliance Monitor Compliance NotifyController Step that notifies the controller of data breach. NotifyController gdprtext:ReportDataBreachToController NotifyController Notify Controller NotifyController NotifyControllerActivity NotifyControllerActivity Is an activity that notifies controller about data breach NotifyControllerActivity gdprtext:ReportDataBreachToController NotifyControllerActivity Notify Controller Activity NotifyControllerActivity NotifyController NotifyDPA Step that notifies the Data Protection Authorities of a data breach. NotifyDPA gdprtext:ReportDataBreachToDPAWithin72Hours NotifyDPA Notify Data Protection Authority NotifyDPA NotifyDPAActivity NotifyDPAActivity Is an activity that notifies data protection authorities about data breach NotifyDPAActivity gdprtext:ReportDataBreachToDPAWithin72Hours NotifyDPAActivity Notify DPA Activity NotifyDPAActivity NotifyDPA NotifyDataSubject Step that notifies the data subject of data breach. NotifyDataSubject gdprtext:NotifyDataSubjectOfBreach NotifyDataSubject Notify Data Subject NotifyDataSubject NotifyDataSubjectActivity NotifyDataSubjectActivity Is an activity that notifies data subjects about data breach NotifyDataSubjectActivity gdprtext:NotifyDataSubjectOfBreach NotifyDataSubjectActivity Notify Data Subject Activity NotifyDataSubjectActivity NotifyDataSubject PersonalData PersonalData is any data pertaining to the user which can contain personally identifiable information or a data set generated by the system using personally identifiable information acquired through direct or indirect means PersonalData gdprtext:PersonalData PersonalData PersonalData PersonalData PersonalDataEntity PersonalDataEntity Represents a personal data entity. PersonalDataEntity gdprtext:PersonalData PersonalDataEntity Personal Data Entity PersonalDataEntity PersonalData Process A Process describes a 'Plan' of action for carrying out a particular activity that uses or is related to Data or Consent Process Process Processor A ThirdPartyDataProcessor is a Third Party entity that acts as a Data Processor Processor gdprtext:Processor Processor Processor ProcessorRepresentative A representative of the Processor. ProcessorRepresentative gdprtext:ProcessorRepresentative ProcessorRepresentative Processor Representative ProvideCopyOfPersonalData A step that provides the data subject with a copy of their personal data. ProvideCopyOfPersonalData gdprtext:ProvideCopyOfPersonalData ProvideCopyOfPersonalData Provide copy of Personal Data PseudoAnonymised PseudoAnonymised represents the Anonymisation level where the data is anonymised but cannot be de-anonymised without additional data which is NOT accessible to the data-holding organisation to retrieve personally identifiable information. PseudoAnonymised PseudoAnonymised PseudoOrganisationalAnonymised PseudoOrganisationalAnonymised represents the Anonymisation level where the data is anonymised but cannot be de-anonymised without additional data which is accessible to the data-holding organisation to recreate the de-anonymised information. PseudoOrganisationalAnonymised PseudoOrganisationalOrganised RectifyData Rectifies existing data RectifyData gdprtext:RectifyData RectifyData Rectify Data RectifyData RectifyDataActivity RectifyDataActivity Is an activity that recitifies data. RectifyDataActivity Rectify Data Activity RectifyDataActivity RectifyData ReportDataBreach The process of reporting after a data breach has taken place. ReportDataBreach gdprtext:ReportDataBreach ReportDataBreach Report Data Breach SensitiveData Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. SensitiveData gdprtext:SensitivePersonalData SensitiveData Sensitive Personal Data SensitiveData SensitiveDataEntity SensitiveDataEntity Is an entity containing sensitive personal information. SensitiveDataEntity gdprtext:SensitivePersonalData SensitiveDataEntity Sensitive Data Entity SensitiveDataEntity SensitiveData SubProcessor A Processor appointed under or by another Processor is a Sub-Processor. SubProcessor gdprtext:SubProcessor SubProcessor Sub-Processor TermsAndConditions Terms and Conditions of usage as provided to the user in agreement of provided service TermsAndConditions TermsAndConditions TermsAndConditions TermsAndConditionsEntity TermsAndConditionsEntity Represents the Terms and Conditions entity. TermsAndConditionsEntity Terms and Conditions Entity TermsAndConditionsEntity TermsAndConditions ThirdParty A ThirdParty is any external entitiy associated with some internal activity ThirdParty gdprtext:Entity ThirdParty ThirdParty UserIdentifier An UserIdentifier is a specific way to identify the user through a unique ID or a combination of other attributes UserIdentifier UserIdentifier UserIdentifier UserIdentifierEntity UserIdentifierEntity Is an entity acting as the user identifier. Or contains an identifier. UserIdentifierEntity User Identifier Entity UserIdentifierEntity UserIdentifier WithdrawConsentActivity Is an activity that withdraws given consent. Can also term it so as to depict withdrawal as a modification of consent. WithdrawConsentActivity gdprtext:WithdrawingConsent WithdrawConsentActivity Withdraw Consent Activity WithdrawConsentActivity ConsentWithdrawalStep anonymityLevel anonymity level anonymityLevel true archivesConsentAs Archives the consent into some entity archivesConsentAs archives consent as collectsData Links data obtained (collected) by the step/activity that acquired it collectsData collectsData generatesAnonymisedData Indicates that an DataAnonymisationStep transforms a Data object into AnonymisedData generatesAnonymisedData generatesAnonymisedData generatesConsentAgreement Generates ConsentAgreement which is a the consent granted by the user based on the ConsentAgreementTemplate through a ConsentAcquisitionStep generatesConsentAgreement generatesConsentAgreement generatesData produces data generatesData generatesData hasAnonymityLevel Indicates the anonymity level of an AnonymisedData object using instances of the AnonymityLevel class hasAnonymityLevel hasAnonymityLevel hasCollectionMechanism Data collection has the specified collection mechanism hasCollectionMechanism has collection mechanism hasLegalBasis hasLegalBasis hasLegalJustification has legal justification hasLegalJustification true hasSharedDataWith hasSharedDataWith isAnonymisedByStep isAnonymisedByStep isConsentAgreementTemplateForStep isConsentAgreementTemplateForStep isDataCollectedByStep isDataCollectedByStep isDataGeneratedBy isDataGeneratedByStep isGeneratedByStep isGeneratedByStep isJustificationForDataStep isJustificationForDataStep isJustifiedUsingConsentAgreement justifies use of data by step through specified consent agreement isJustifiedUsingConsentAgreement isJustifiedUsingConsentAgreement isPartOfProcess isPartOfProcess isTermsAndConditionsForStep isTermsAndConditionsForStep isUsedByStep isUsedByStep sharesData Indicates sharing of Data through a DataStep sharesData sharesData sharesDataForProcess shares data to be used in specified process sharesDataForProcess shares data for process sharesDataWith sharesDataWith sharesDataWithThirdParty Shares data with a third party sharesDataWithThirdParty sharesDataWithThirdParty sharesDataWithThirdParty true transferredDataToRegion transferredDataToRegion transfersDataToRegion transfersDataToRegion usesConsentAgreement uses Consent Agreement entity usesConsentAgreement uses Consent Agreement usesConsentAgreementTemplate links a Consent Acquisition Step with the Consent Agreement Template used to acquire consent usesConsentAgreementTemplate usesConsentAgreementTemplate usesData links step with data used usesData usesData usesTermsAndConditions Links a Consent Acquisition Step with the Terms and Conditions presented to the user when acquiring Consent usesTermsAndConditions usesTermsAndConditions