Harshvardhan J. Pandit The General Data Protection Regulation (GDPR) is comprised of several articles, each with points that refer to specific concepts. The general convention of referring to these points and concepts is to quote the specific article or point using a human-readable reference. This ontology provides a way to refer to the points within the GDPR using the EurLex ontology published by the European Publication Office. It also defines the concepts defined, mentioned, and requried by the GDPR using the Simple Knowledge Organization System (SKOS) ontology. GDPRtEXT The General Data Protection Regulation (GDPR) defines legal obligations over the use of personal data by organisations. This ontology aims to identify and model such terms and obligations as an OWL vocabulary and to directly link the terms to their occurence, usage, and influence in the GDPR text. 2017-08-15 http://purl.org/adaptcentre/people/HJP This ontology extends the canonical (official) GDPR text with additional annotations 2020-03-31 gdprtext https://w3id.org/GDPRtEXT GDPRtEXT provides a SKOS glossary of terms associated with GDPR and an ontology to represent the GDPR text as a set of RDF resources GDPR text EXTensions "GDPRtEXT - GDPR as a Linked Data Resource" by Harshvardhan J. Pandit*, Kaniz Fatema, Declan O'Sullivan, Dave Lewis. Published in Proceedigns of 15th European Semantic Web Conference (ESWC), Resource Track. Crete, Heraklion, Greece. 2018. https://doi.org/10.1007/978-3-319-93417-4_31 0.7 https://openscience.adaptcentre.ie/projects/GDPRtEXT/ It signifies that two concepts are related within the context of the GDPR. involves indicates the legal resource has the Article has Article indicates the legal resource has the Chapter has Chapter indicates that the legal resource has the referenced citation has Citation indicates the legal resource has the Point has Point indicates the legal resource has the Recital has Recital indicates the legal resource has the Section has Section indicates the legal resource has the SubPoint has SubPoint represents a legal resource subdivision to be part of a article is part of Article represents a legal resource subdivision to be part of a chapter is part of Chapter represents a legal resource subdivision to be part of a point is part of Point represents a legal resource subdivision to be part of a section is part of Section The principle of accountability states that the controller shall be responsible for, and be able to demonstrate compliance with the processing of personal data as defined by the justifications permissible under the GDPR Principle of Accountability The principle of accuracy states that personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. Principle of Accuracy The data subject can exercise the right to restrict processing of their personal data when the accuracy of personal data is contested Accuracy is contested This obligation specifies that the collection of (or collected) personal data should in an accurate form - i.e. the personal data should be accurate. Accurate Collection An Activity signifies some process(es) or step(s) towards specific deed(s), action(s), function(s), or sphere(s) of action. Activity Only the personal data adequat for required processing should be maintained Adequate for processing The seal or certification does not reduce or impact the responsiblity of the controller or processor for compliance with the GDPR Adherence Data is termed to be anonymous if it cannot be connected or associated with individual person or persons that have provided or are associated with it. Anonymous Data These are the obligations for Processors over appointing sub-processors Appointing Sub-Processors These are the obligations specified by the GDPR for the appointment of Processors by Controllers. Appointment of Processors An activity where personal data is archived Archive Data Article in GDPR text Article gdpr:article10 a eli:LegalResourceSubdivision, GDPRtEXT:Article ; eli:is_part_of gdpr:GDPR, gdpr:chapterII ; eli:number "10"^^xsd:string ; eli:title_alternative "Article 10"^^xsd:string ; GDPRtEXT:hasPoint gdpr:article10-1 ; GDPRtEXT:isPartOfChapter gdpr:chapterII . Processors must assist Controllers in complying with the various rights provided by the GDPR to data subjects which can be exercised at any time. Assist in complying with rights Automated decision making with significant effect This type of processing involves automated processing that does decision making having significant effects on the data subject. Automatic decision making with significant effect This is automated processing of data subject's personal data. Automated Processing This obligation states that the data subject should be able to withdraw the consent as easily as it was to give it. Can be withdrawn easily A certification pertaining to GDPR compliance Certification A Certification Body is an entity that can award/issue/renew a certification pertaining to compliance towards the GDPR. Certification Body Chapter in GDPR text Chapter gdpr:chapterI a eli:LegalResourceSubdivision, GDPRtEXT:Chapter ; eli:is_part_of gdpr:GDPR ; eli:number "I"^^xsd:string ; eli:title "General provisions"^^xsd:string ; eli:title_alternative "Chapter I"^^xsd:string ; GDPRtEXT:hasArticle gdpr:article1, gdpr:article2, gdpr:article3, gdpr:article4 . Citation in GDPR text Citation gdpr:citation1 a eli:LegalResourceSubdivision, GDPRtEXT:Citation ; eli:description "OJ C 229, 31.7.2012, p. 90."^^xsd:string ; eli:is_part_of gdpr:GDPR ; eli:number "1"^^xsd:string . Obtaining consent must provide clear explanations of the processing involved over the personal data Clear explanation A Code of Conduct for the purpose of specifying the application of GDPR which may be monitored, evaluated, or processed by a third party appointed by the organisation. Code of Conduct Specifies collection mechanism used to collect personal data Collection Mechanism Collection of Personal Data is an Activity that deals with acquiring data subject's personal data through some model of interaction. Collection of Personal Data Represents the act of complying with the obligations and actions specified by the GDPR. Compliance The processor has an obligation to comply with the controller's instructions Compliance with Controller's instructions GDPR mentions some conditions or criterion for the creation and issuing of seals and certifications pertaining to GDPR compliance Awarding Seals and Certifications This type of processing involves matching data subject's identity or personal data in different datasets. Confirming or matching datasets Consent in the context of the GDPR refers to the assent or agreement by the data subject in relation to their personal data for the proposed processing activities associated with one or more organisations. Consent An activity involving data subject's consent. Consent Activity The purpose of new processing should take the context of how the original data was collected into consideration Context of data collection The lawful basis for processing personal data is provided through a contract with the data subject. Contract with Data Subject The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controller These obligations specify the accountability of the Controller. Controller Accountability The data subjects were not notified about the data breach because the controller had already taken action regarding the data breach. Controller has taken action These are the obligations specified by the GDPR as being specifically the responsbility of the Controller. Controller Obligation A natural or legal person established in the Union who, designated by the controllerin writing, represents the controller with regard to their respective obligations under the GDPR. Controller Representative These obligations specify the responsiblity of the Controller Controller Responsibility This obligation specifies the Controller/Processor must co-operate with the Data Protection Authority (DPA). Co-operate with DPA Personal data related to criminal convictions and offences. Crime data Cross-border data transfer refers to data transfer crossing the boundaries of EU (legislative) region. Cross-border Transfer The Data Protection Authority (DPA) is a public institution responsible for monitoring the application of data protection laws. DPA The Data Protection Officer (DPO) is an individual(s) appointed by the organisation to monitor compliance and assist in complying with the GDPR. DPO These are the obligations specified for the Data Protection Office (DPO) within the GDPR DPO Obligation A generic term to refer to Data. Data An activity involving personal data of data subject(s). Data Activity A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Data Breach The principle of data minimisation states that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Principle of Data Minimisation The data subject can exercise the right to restrict processing of their personal data when the personal data is no longer required for the original purpose it was collected under Data no longer needed for original purpose This obligation requires Controllers to follow data protection by design and by default. Data protection by design and default These are obligations regarding security of data managed by the Controllers. Data Security An individual or entity to whom their personal data relates. Data Subject The obligation or activity coult not be completed because the data was inferred or derived, and therefore did not come from the data subject or other sources. Data inferred or derived The act of demonstrating consent is an activity whereby previously acquired consent is provided as sufficient justification for processing activities involving data subject's personal information. Demonstrating Consent Type of Marketing that reaches data subjects directly by communications directly addressed to the data subject. Direct Marketing Lawful basis for processing is provided by Employment Law Employment Law A general term for any institution, company, corporation, partnership, government agency, university, or any other organization including individuals. Entity An activity that erases data Erase Data The right of erasure applies when the data subject withdraws given consent Erase if conesnt was withdrawn The right to erasure applies where data is no longer needed for original purposes for which it was collected Erase if no longer needed for original purpose Whether the proposed activity involves the evaluation of the data subject. Evaluation of data subjects Exceptions associated with compliance for reporting data breach to the affected data subjects. Exceptions on reporting data breach Exclusions and Exemptions provided by the GDPR for not complying with the specified obligations. Exlcusions and Exceptions Lawful basis for processing is provided by National Law Exempted by National Law The request or activity could not or was not completed because there was no sufficient proof of the data subject's identity. Exempted without identity The activity represents exercising of rights provided by GDPR by the data subject. Exercise Rights The purpose of new processing should take into context the existence of appropriate safeguards Existence of safeguards This obligation specifies that the collected (or collection) of personal data should be for/with explicit purposes. Explicit Purpose These are the factors stated by the GDPR for Impact Assessment. Factors for Impact Assessment The stated obligation could not be completed as it concerns rights protection. Rights protection GDPR obligation that specifies consent must be freely given by the data subject for it to be valid. Freely given Personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained. Genetic Data Given Consent refers specifically to the form of consent given by the data subject in relation to their personal data and the proposed usage by activities. Given Consent The data subjects were not notified about the data breach because the harm was deemed to be remote. Harm was remote Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. Health data Lawful basis if provided by the GDPR for processing related to historic, statistical, or scientific purposes. Historic, Statistical, or Scientific purposes Retention of personal data should be identifiable for the requried processing Identifiable for required processing Activity where the data subject is explicitly identified through direct or indirect means. Identification of Data Subject The right to access personal data also includes information about whether and where the controller is processing the data subject's personal data If and where Controller is processing The activity wherein the controller carries out an assessment of the impact of the envisaged processing operations on the protection of personal data. Impact Assessment This obligation requires Controllers to implement the required technical measures necessary for compliance of the GDPR Implement technical measures The processor must impose confidentiality agreements on its personnel in relation to handling of personal data Impose confidentiality obligations on personnel The right to access personal data also includes information about automated processing that has significant effects on the data subject. Information about automated processing with significant effects The right to access personal data also includes information about the categories of recipients the data is shared with. Information about categories of recipients The right to access personal data also includes information about categories of data being processed Information about categories of data being processed The right to access personal data also includes information about the existence of rights provided by the GDPR to the data subject Information about rights The right to access personal data also includes information about the processing of personal data of the data subject Information about processing The right to access personal data also includes information about the source of the personal data Information about data source The right to access personal data also includes information about the storage period of the data subject's personal data Information about storage period In case of conflict with the controller's intructions and the law, the processor must immediately inform the controller of this conflict Inform Controller of conflict with law The right to basic information also provides data subject's with information about third parties involved in the processing. Information about third parties The information provided under the right to transparency should be concise Concise The information provided under the right to transparency should be easily accessible Easily Accessible The information provided under the right to transparency should be intelligible Intelligible The information provided under the right to transparency should be transparent and clear (i.e. not umambigious or vague) Transparent GDPR obligation that specifies consent must be informed for it be valid. Informed The principle of integrity and confidentiality states that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Principle of Integrity and Confidentiality The obligation or activity could not be completed as it was deemed to be impossible. Is impossible A joint controller is two or more controllers jointly determine the purposes and means of processing. Joint Controller Retained personal data must be kept up-to-date Kept up to date The processing of personal data at a large scale of quantity or significant proportions. Large scale processing This provides the basis for lawful processing of personal data. Lawful Basis The principle of lawfulness, fairness, and transparency states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Principle of Lawfulness, Fairness, and Transparency Lawful basis for processing is provided by legal claims. Legal Claims Lawful basis for processing is covered by legal obligation(s). Legal Obligations Lawful basis for processing is provided through the legitimate interests pursued by the Controller or by a third party Legitimate Interests This specifies that the collection (or collected) personal data should be used/specified to be used for legitimate purposes. Legitimate purpose These specify the liability of Joint Controllers, i.e. cases where more than one Controller share the responsiblity. Liability of Joint-Controllers Personal data retained should be limited in its use only for the requried processing Limited for processing Whether there is a link between the new and old purposes of processing Lnk between new and old processing Lawful basis is provided through the data being publicly made available by the data subject Made Public GDPR mandates the recording of data breaches and its effects. Maintain Record of Breach This obligation requires the Controller/Processor to maintain adequate records about their processing activities. Maintain records for processing The process or technique of promoting, selling, and distributing a product or service. Marketing The maximum validity for all seals and certifications should be 3 years from the date of issue. Maximum validty 3 years Lawful basis for processing is provided by the GDPR for medical or diagnostics purposes pertaining to the data subject Medical or Diagnostics The activity or process of overseeing an organisation's compliance. Monitor Compliance The stated obligation could not be completed as it concerns national security. National Security The nature of the personal data involved, whether it is sensitive or confidential. Nature of data involved The right to access personal data should not incur any undue charge levied on the data subject for exercising their right No charges levied Lawful basis is provided by the GDPR for activities of/for not-for-profit organisations Not-for-profit organisation Consent should not be obtained from silence or inactivity of the data subject Not from silence or inactivity This obligation specifies that the collected personal data should not be processed beyond the purpose for which it was originally collected without an updated consent for the proposed purposes. Not further processed The data subjects were not notified about the data breach because it required disproportionate efforts. Notification requires disproportionate efforts Affected data subject's must be notified about the consequences of the data breach. Notify consequences of breach Affected data subjects must be notified with the name and contact of the DPO responsible/handling for the data breach. Notify about DPO Affected data subjects must be notified of the data breach and its effects. Notify Data Subject of Breach Affect data subjets must be notified of the measures taken against the data breach. Notify measures taken These are the obligations specified by the GDPR. Following the obligations is necessary for compliance. Obligation Collection of Personal Data is an Activity that deals with acquiring data subject's personal data through some model of interaction. Obligation for data collection These are the obligations specified by the GDPR for obtaining consent Obligation for obtaining consent The act of getting a data subject's consent. Obtaining Consent from Data Subject The processor must only act on the intructions provided and documented by the controller Only act on Controller instructions The activity was deemed to be outside the material scope of the GDPR. Outside Material Scope Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data Point in GDPR text Point gdpr:article27-2 a eli:LegalResourceSubdivision, GDPRtEXT:Point ; eli:description "The obligation laid down in paragraph 1 of this Article shall not apply to:"^^xsd:string ; eli:is_part_of gdpr:GDPR, gdpr:article27, gdpr:chapterIV, gdpr:chapterIV-1 ; eli:number "2"^^xsd:string ; eli:title_alternative "Article27(2)"^^xsd:string ; GDPRtEXT:hasSubPoint gdpr:article27-2-a, gdpr:article27-2-b ; GDPRtEXT:isPartOfArticle gdpr:article27 ; GDPRtEXT:isPartOfChapter gdpr:chapterIV ; GDPRtEXT:isPartOfSection gdpr:chapterIV-1 . The possible consequences of the change in processing for the data subject Consequences for data subjects A Principle is a rule or standard defined by the GDPR which is essential to be followed for compliance Principle Privacy by Design is the approach of taking privacy into consideration throughout the whole planning and execution processes. Privacy by Design Processing here refers to an Activity that acts on the Data Subject's personal information. Processing This type of processing involves data subjects that are vulnerable, such as children, or people with disabilities. Processing affected or vulnerable individuals The data subject can exercise the right to restrict processing of their personal data when the processing is unlawful Processing is unlawful This involves processing involving sensitive personal data. Processing sensitive data This type of processing uses technologies that are new or have not yet been deemed to be fit or stable for usage. Processing using untested technologies A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processor Signifies the agreement between Controller and Processors for processing of personal data Agreement between Processor and Controller These are the obligations specified by the GDPR in the context of Processors Processor Obligations A natural or legal person established in the Union who, designated by the processor in writing, represents the processor with regard to their respective obligations under the GDPR. Processor Representative To propogate a data subject's right once they have been exercised to other third parties that are involved through the data subject's personal data. Propogate rights to Third Parties Protection of data subject's personal data against accidental loss. Protection against accidental loss Protection of data subject's personal data against damage to the data. Protection against damage Protection of data subject's personal data against destruction of data. Protection against destruction Protection of data subject's personal data against unlawful processing of data. Protection against unlawful processing The processor must provide the controller with the information necessary to demonstrate compliance Provide information for compliance The right of data portability requries providing a copy of the data subject's personal data Provide copy of Personal Data Personal data that can no longer be attributed to a specific data subject without the use of additional information. Pseudo-anonymous data Lawful basis is provided by the GDPR as being in the interest of the public Public Interest The principle of purpose limitation states that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes. Principle of Purpose Limitation These are the obligations over determining the new or changed purposes of processing Purpose of new processing Related to Regulation (EC) No. 45/2001 Regulation (EC) No 45/2001 Exempted as the GDPR does not apply to personal or household activity that does not have a professional or commercial activity associated with it. Personal or Household activity Exempted as it involves areas covered by Directive (EU) 2016/680 Covered by Directive (EU) 2016/680 Personal data revealing racial or ethnic origin. Racial origin data Regulation in GDPR text Regulation gdpr:recital1 a eli:LegalResourceSubdivision, GDPRtEXT:Recital ; eli:description "The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her."^^xsd:string ; eli:is_part_of gdpr:GDPR ; eli:number "1"^^xsd:string . This obligation requires Controllers to record the categories of data subjects and the personal data involved in processing/activities. Categories of data subjects and personal data This obligation requires Controllers to record the categories of recipients the personal data was shared with. Record categories of recipients This obligation requires Controllers to record the cross-border data transfers. Record cross-border transfers This obligation requires Controllers to record the data retention period of personal data. Record data retention periods This obligation requires Controllers to record the purpose of processing associated with personal data and the given consent. Record purpose of processing This obligation requires Controllers to record the measures taken to ensure adequate safety measures of personal data and the involved activities. Record security measures An activity that rectifies data Rectify Data Any inaccuracies or discrepancies in the retained data must be rectified Rectify Inaccuracies The authority responsible for regulating data protection laws. Regulatory Authority Any retained personal data must be relevant for subsiquent processing Relevant for processing The act of reporting a data breach to entities mentioned within the GDPR. These are the Data Protection Authority (DPA), and in the case of Processors, the Controller they have an agreement with. Report Data Breach The occurence of a data breach must be reported to the Controller. Report data breach to Controller The occurence of a data breach must be reported to the Data Protection Authority (DPA) within 72 hours Report breach to DPA within 72 hours The stated obligation or activity could not be completed as it requires disproportionate efforts to complete. Requires disproportionate efforts Appointing a sub-processor requires the written consent of the controller specifying permission or consent Written consent of Controller These provide restrictions on cross-border transfers for Processors Restrictions on cross-border transfers These are the obligations specified by the GDPR on the retention of personal data Data Retention The processor must return or destroy personal data at the end of term (of its agreement with the controller) Return or destroy data The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Right of Data Portability The data subject has the right to obtain erasure of their personal data Right of Erasure The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data along with additional information about it. Right to Access Personal Data The right to basic information about processing provides data subjects with information about the processing activities involving their personal data Right to basic information about processing of personal data The data subject has a right to not be evaluated through automated processing Right to not be evaluated through automated processing The data subject has a right to object to direct marketting based on their personal data Right to object direct marketting The data subject has the right to object to processing of their personal data Right to object processing The data subject has a right to recitify their personal data Right to rectify The data subject has the rights to restrict the processing of their personal data Right to restrict processing The right to transparency requires controllers to provide information about the processing activities as well as personal data and its usage in a transparent manner Right to Transparency The GDPR provides several rights to the data subjects which may be exercised at any time by the data subject and which are mandatory for the organisation to provide, comply with, and inform the data subject about. Data Subject's Rights The stated obligation could not be completed as it concerns freedoms protection. Freedoms protection A seal pertaining to GDPR compliance Seal GDPR provides for the creation and provision of seals and certificates pertaining to compliance or related activities Seals and Certifications Section in GDPR text Section gdpr:chapterIV-5 a eli:LegalResourceSubdivision, GDPRtEXT:Section ; eli:is_part_of gdpr:GDPR, gdpr:chapterIV ; eli:number "5"^^xsd:string ; eli:title "Codes of conduct and certification"^^xsd:string ; eli:title_alternative "Section 5"^^xsd:string ; GDPRtEXT:hasArticle gdpr:article40, gdpr:article41, gdpr:article42, gdpr:article43 ; GDPRtEXT:isPartOfChapter gdpr:chapterIV . This activity refers to security of data subject's personal data. Security of Personal Data Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Sensitive Personal Data This activity represents the sharing of data subject's personal data with a third party. Share Personal Data with Third Party The provided copy of personal data should be in a commonly used format Copy should be in a commonly used format Obtained consent should be in a demonstrable form Demonstrable Obtained consent should be distinguishable from other related matters (in the context of the process) Distinguishable from other matters The provided copy of personal data should be machine readable Copy should be in a machine readable format The provided copy of personal data should be structured Should be structured The provided copy of personal data should support reuse Shoud support reuse GDPR obligation that specifies consent must be specific for it to be valid. Specific This obligation states that the collection of personal data should happen only for the specified purposes (for which the data subject has consented). Specified purpose The principle of storage limitation states that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject. Principle of Storage Limitation An activity where personal data is being stored Store Data SubPoint in GDPR text SubPoint gdpr:article12-5-b a eli:LegalResourceSubdivision, GDPRtEXT:SubPoint ; eli:description "refuse to act on the request."^^xsd:string ; eli:is_part_of gdpr:GDPR, gdpr:article12, gdpr:article12-5, gdpr:chapterIII, gdpr:chapterIII-1 ; eli:number "b"^^xsd:string ; eli:title_alternative "Article12(5)(b)"^^xsd:string ; GDPRtEXT:isPartOfArticle gdpr:article12 ; GDPRtEXT:isPartOfChapter gdpr:chapterIII ; GDPRtEXT:isPartOfPoint gdpr:article12-5 ; GDPRtEXT:isPartOfSection gdpr:chapterIII-1 . A sub-processor is a processor acting under another processor. Sub-Processor Sub-processors must follow the same rules and obligations (or terms) as the agreement between processor and controller. Follow same terms This activity provides a systematic monitoring or overview of processes/activities taking place within the context of the organisation. Systematic Monitoring Processing of personal data that is termed to be unlawful in the context of the GDPR or other relevant laws and regulations Unlawful Processing An activity that uses personal data Use Data Consent is termed to be valid if it passes all the criteria or obligations laid down by the GDPR. Valid Consent These are obligations pertaining to the vital interests of the data subjects Vital Interests Consent must be obtained through the data subject's voluntary action and should be opt-in and not opt-out or by default. Voluntary & Opt-in The seals and certifications should be a voluntary system of accredition Voluntary accredition This activity represents the data subject withdrawing given consent. Withdrawing Given Consent TEST TEST2 An ontology for representing provenance traces pertainining to GDPR compliance. It uses concepts from GDPRtEXT along with extending PROV and P-Plan. TEST TEST2