Bartolini, C., Muthuri, R., & Santos, C. (2015, November). Using ontologies to model data protection requirements in workflows. In JSAI International Symposium on Artificial Intelligence (pp. 233-248). Springer, Cham.
https://openscience.adaptcentre.ie/projects/GDPRtEXT/
The General Data Protection Regulation (GDPR) defines legal obligations over the use of personal data by organisations. This ontology aims to identify and model such terms and obligations as an OWL vocabulary and to directly link the terms to their occurrence, usage, and influence in the GDPR text.
2017-10-01
http://purl.org/adaptcentre/people/HJP
0.5
GDPRtEXT
http://purl.org/adaptcentre/openscience/ontologies/GDPRtEXT
This is an ontology to represent GDPR text as a set of RDF resources
This ontology extends the canonical (official) GDPR text with additional annotations
GDPR text EXTensions
Harshvardhan J. Pandit
2017-08-15
http://creativecommons.org/licenses/by/4.0/
gdprtext
It signifies that two concepts are related within the context of the GDPR.
involves
indicates the legal resource has the Article
has Article
indicates the legal resource has the Chapter
has Chapter
indicates the legal resource has the Point
has Point
indicates the legal resource has the Recital
has Recital
indicates the legal resource has the Section
has Section
indicates the legal resource has the SubPoint
has SubPoint
represents a legal resource subdivision to be part of an article
is part of Article
represents a legal resource subdivision to be part of a chapter
is part of Chapter
represents a legal resource subdivision to be part of a point
is part of Point
represents a legal resource subdivision to be part of a section
is part of Section
The principle of accountability states that the controller shall be responsible for, and be able to demonstrate compliance with the processing of personal data as defined by the justifications permissible under the GDPR
Principle of Accountability
The principle of accuracy states that personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle of Accuracy
The data subject can exercise the right to restrict processing of their personal data when the accuracy of personal data is contested
when accuracy of personal data is contested
This obligation specifies that the collection of (or collected) personal data should be in an accurate form - i.e. the personal data should be accurate.
collected personal data should be accurate
An Activity signifies some process(es) or step(s) towards specific deed(s), action(s), function(s), or sphere(s) of action.
Activity
Only the personal data adequate for required processing should be maintained
retention should be adequate for processing
The seal or certification does not reduce or impact the responsibility of the controller or processor for compliance with the GDPR
adherence to Seals and Certifications
Data is termed to be anonymous if it cannot be connected or associated with individual person or persons that have provided or are associated with it.
anonymous data
These are the obligations for Processors over appointing sub-processors
appointing Sub-Processors
These are the obligations specified by the GDPR for the appointment of Processors by Controllers.
appointment of Processors
An activity where personal data is archived
Archive Data
Article in GDPR text
Article
Processors must assist Controllers in complying with the various rights provided by the GDPR to data subjects which can be exercised at any time.
assist Controller in complying with data subject's rights
This type of processing involves automated processing that does decision making having significant effects on the data subject.
automatic decision making with significant effect for data subject
This is automated processing of data subject's personal data.
automated processing of personal data
This obligation states that the data subject should be able to withdraw the consent as easily as it was to give it.
consent should be able to be withdrawn as easily as it was given
A certification pertaining to GDPR compliance
Certification
A Certification Body is an entity that can award/issue/renew a certification pertaining to compliance towards the GDPR.
Certification Body
Chapter in GDPR text
Chapter
Citation in GDPR text
Citation
Obtaining consent must provide clear explanations of the processing involved over the personal data
should contain clear explanation of processing
A Code of Conduct for the purpose of specifying the application of GDPR which may be monitored, evaluated, or processed by a third party appointed by the organisation.
Code of Conduct
Collection of Personal Data is an Activity that deals with acquiring data subject's personal data through some model of interaction.
collection of personal data
Represents the act of complying with the obligations and actions specified by the GDPR.
Compliance towards GDPR
The processor has an obligation to comply with the controller's instructions
compliance with Controller's instructions
GDPR mentions some conditions or criteria for the creation and issuing of seals and certifications pertaining to GDPR compliance
conditions for awarding Seals and Certifications
This type of processing involves matching data subject's identity or personal data in different datasets.
confirming or matching using datasets of data subject's personal data
Consent in the context of the GDPR refers to the assent or agreement by the data subject in relation to their personal data for the proposed processing activities associated with one or more organisations.
Consent
An activity involving data subject's consent.
Consent Activity
The right of erasure applies when the data subject withdraws given consent
erase data if consent was withdrawn
The purpose of new processing should take the context of how the original data was collected into consideration
context of how personal data was collected
The lawful basis for processing personal data is provided through a contract with the data subject.
contract with data subject
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Controller
These obligations specify the accountability of the Controller.
accountability of Controller
The data subjects were not notified about the data breach because the controller had already taken action regarding the data breach.
Controller has already taken action on the Data Breach
These are the obligations specified by the GDPR as being specifically the responsibility of the Controller.
obligations of Controller
A natural or legal person established in the Union who, designated by the controller in writing, represents the controller with regard to their respective obligations under the GDPR.
representative of the Controller
These obligations specify the responsibility of the Controller
responsibility of Controller
This obligation specifies the Controller/Processor must co-operate with the Data Protection Authority (DPA).
co-operate with DPA
Personal data related to criminal convictions and offences.
data related to crimes and criminal convictions
Cross-border data transfer refers to data transfer crossing the boundaries of EU (legislative) region.
cross-border transfer of personal data
The Data Protection Authority (DPA) is a public institution responsible for monitoring the application of data protection laws.
Data Protection Authority (DPA)
The Data Protection Officer (DPO) is an individual(s) appointed by the organisation to monitor compliance and assist in complying with the GDPR.
Data Protection Officer (DPO)
These are the obligations specified for the Data Protection Officer (DPO) within the GDPR
obligations of DPO
A generic term to refer to Data.
data
An activity involving personal data of data subject(s).
Data Activity
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.
Data Breach
The right to erasure applies where data is no longer needed for original purposes for which it was collected
erase personal data if it is no longer needed for original purpose under which it was acquired
The principle of data minimisation states that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle of Data Minimisation
The data subject can exercise the right to restrict processing of their personal data when the personal data is no longer required for the original purpose it was collected under
when data is no longer needed for original purpose it was acquired under
This obligation requires Controllers to follow data protection by design and by default.
data protection by design and by default
These are obligations regarding security of data managed by the Controllers.
Data Security
An individual or entity to whom their personal data relates.
data subject
The obligation or activity could not be completed because the data was inferred or derived, and therefore did not come from the data subject or other sources.
data was inferred or derived from personal data
The act of demonstrating consent is an activity whereby previously acquired consent is provided as sufficient justification for processing activities involving data subject's personal information.
demonstrating valid consent given by data subject
Type of Marketing that reaches data subjects directly by communications directly addressed to the data subject.
Direct Marketing
A general term for any institution, company, corporation, partnership, government agency, university, or any other organization including individuals.
Entity
An activity that erases data
Erase Data
Whether the proposed activity involves the evaluation of the data subject.
evaluation of data subjects
Exceptions associated with compliance for reporting data breach to the affected data subjects.
exceptions on reporting data subjects about data breach
Exclusions and Exemptions provided by the GDPR for not complying with the specified obligations.
Exclusions and Exceptions as applicable to compliance towards GDPR
Lawful basis for processing is provided by National Law
exempted under national law
The request or activity could not or was not completed because there was no sufficient proof of the data subject's identity.
exempted from action without sufficient proof of data subject's identity
The activity represents exercising of rights provided by GDPR by the data subject.
exercise rights by data subject
The purpose of new processing should take into context the existence of appropriate safeguards
existence of safeguards over personal data
This obligation specifies that the collected (or collection) of personal data should be for/with explicit purposes.
collection of personal data should be for explicit purpose
Lawful basis for processing is provided by Employment Law
covered by employment law
These are the factors stated by the GDPR for Impact Assessment.
factors involved in Impact Assessment
GDPR obligation that specifies consent must be freely given by the data subject for it to be valid.
consent must be freely given
Personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.
data related to genetic identity
Given Consent refers specifically to the form of consent given by the data subject in relation to their personal data and the proposed usage by activities.
given consent
The data subjects were not notified about the data breach because the harm was deemed to be remote.
harm done in the data breach was only remote
Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
data related to health, medical, or diagnosis records
Lawful basis is provided by the GDPR for processing related to historic, statistical, or scientific purposes.
for historic, statistical, or scientific purposes
Retention of personal data should be identifiable for the required processing
retention where personal data is identifiable for required processing
Activity where the data subject is explicitly identified through direct or indirect means.
Identification of Data Subject
The right to access personal data also includes information about whether and where the controller is processing the data subject's personal data
if and where Controller is processing personal data
The activity wherein the controller carries out an assessment of the impact of the envisaged processing operations on the protection of personal data.
impact assessment
This obligation requires Controllers to implement the required technical measures necessary for compliance with the GDPR
implement required technical measures for ensuring and demonstrating compliance
The processor must impose confidentiality agreements on its personnel in relation to handling of personal data
impose confidentiality obligations on personnel with access to data subject's personal data
The right to access personal data also includes information about automated processing that has significant effects on the data subject.
information about automated processing with significant effects on data subject
The right to access personal data also includes information about the categories of recipients the data is shared with.
information about categories of recipients personal data is shared with
The right to access personal data also includes information about categories of data being processed
information about categories of personal data being processed
The right to access personal data also includes information about the existence of rights provided by the GDPR to the data subject
information about existence of data subject's rights
The right to access personal data also includes information about the processing of personal data of the data subject
information about processing of personal data
The right to access personal data also includes information about the source of the personal data
information about source of personal data
The right to access personal data also includes information about the storage period of the data subject's personal data
information about storage period of personal data
In case of conflict between the controller's instructions and the law, the processor must immediately inform the controller of this conflict
inform Controller of conflicting obligations under Controller's instruction and legal obligations
The right to basic information also provides data subjects with information about third parties involved in the processing.
information about third parties involved
The information provided under the right to transparency should be concise
information should be concise
The information provided under the right to transparency should be easily accessible
information should be easily accessible
The information provided under the right to transparency should be intelligible
information should be intelligible
The information provided under the right to transparency should be transparent and clear (i.e. not ambiguous or vague)
information should be transparent
GDPR obligation that specifies consent must be informed for it to be valid.
consent must be given through informed decision
The principle of integrity and confidentiality states that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle of Integrity and Confidentiality
The obligation or activity could not be completed as it was deemed to be impossible.
action is impossible
A joint controller is one of two or more controllers that jointly determine the purposes and means of processing.
Joint Controller
Retained personal data must be kept up-to-date
personal data should be kept up to date
The processing of personal data at a large scale of quantity or significant proportions.
large scale processing of personal data
This provides the basis for lawful processing of personal data.
lawful basis for processing
The principle of lawfulness, fairness, and transparency states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Principle of Lawfulness, Fairness, and Transparency
Lawful basis for processing is provided by legal claims.
covered by legal claims
Lawful basis for processing is covered by legal obligation(s).
covered by legal obligations
Lawful basis for processing is provided through the legitimate interests pursued by the Controller or by a third party
legitimate interests
This specifies that the collection (or collected) personal data should be used/specified to be used for legitimate purposes.
collection of personal data should be for legitimate purposes
These specify the liability of Joint Controllers, i.e. cases where more than one Controller shares the responsibility.
liability under Joint-Controllers
Personal data retained should be limited in its use only for the required processing
personal data should be retained and limited for required processing
Whether there is a link between the new and old purposes of processing
link between new and old purpose of processing
Lawful basis is provided through the data being publicly made available by the data subject
was made public by data subject
GDPR mandates the recording of data breaches and its effects.
maintain record of breach
This obligation requires the Controller/Processor to maintain adequate records about their processing activities.
maintain records for processing activities involving personal data
The process or technique of promoting, selling, and distributing a product or service.
Marketing
The maximum validity for all seals and certifications should be 3 years from the date of issue.
maximum validity must be 3 years
Lawful basis for processing is provided by the GDPR for medical or diagnostics purposes pertaining to the data subject
for medical treatment or diagnostics purposes
The activity or process of overseeing an organisation's compliance.
monitor compliance
The nature of the personal data involved, whether it is sensitive or confidential.
nature of personal data involved
The right to access personal data should not incur any undue charge levied on the data subject for exercising their right
no undue or unreasonable charges must be levied for right to access
Lawful basis is provided by the GDPR for activities of/for not-for-profit organisations
by a not for profit organisation
Consent should not be obtained from silence or inactivity of the data subject
consent should not be taken from silence or inactivity
This obligation specifies that the collected personal data should not be processed beyond the purpose for which it was originally collected without an updated consent for the proposed purposes.
collected personal data should not be used for further processing other than the original purpose
The data subjects were not notified about the data breach because it required disproportionate efforts.
data breach notifications require disproportionate efforts
Affected data subjects must be notified about the consequences of the data breach.
notify data subject about consequences of data breach
Affected data subjects must be notified with the name and contact of the DPO responsible for/handling the data breach.
notify data subject about DPO contact regarding data breach
Affected data subjects must be notified of the data breach and its effects.
notify data subject of breach
Affected data subjects must be notified of the measures taken against the data breach.
notify data subject of measures taken regarding occurred data breach
These are the obligations specified by the GDPR. Following the obligations is necessary for compliance.
Obligation specified under GDPR
Collection of Personal Data is an Activity that deals with acquiring data subject's personal data through some model of interaction.
collection of personal data
These are the obligations specified by the GDPR for obtaining consent
obligations for obtaining consent from data subjects
The act of getting a data subject's consent.
obtaining consent from data subject
The processor must only act on the instructions provided and documented by the controller
only act on documented instructions from Controller
The activity was deemed to be outside the material scope of the GDPR.
outside material scope of GDPR
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
personal data
Point in GDPR text
Point
The possible consequences of the change in processing for the data subject
possible consequences for data subjects
A Principle is a rule or standard defined by the GDPR which is essential to be followed for compliance
Principle
Privacy by Design is the approach of taking privacy into consideration throughout the whole planning and execution processes.
adopt Privacy by Design (PbD)
Processing here refers to an Activity that acts on the Data Subject's personal information.
processing personal data
This type of processing involves data subjects that are vulnerable, such as children, or people with disabilities.
processing affected and/or vulnerable individuals
The data subject can exercise the right to restrict processing of their personal data when the processing is unlawful
when processing is unlawful
This involves processing involving sensitive personal data.
processing sensitive personal data
This type of processing uses technologies that are new or have not yet been deemed to be fit or stable for usage.
processing personal data using untested technologies
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Processor
Signifies the agreement between Controller and Processors for processing of personal data
Agreement between Processor and Controller
These are the obligations specified by the GDPR in the context of Processors
obligations of Processor
A natural or legal person established in the Union who, designated by the processor in writing, represents the processor with regard to their respective obligations under the GDPR.
representative of Processor
To propagate a data subject's rights, once they have been exercised, to other third parties that are involved through the data subject's personal data.
propagate data subject rights to third parties
Protection of data subject's personal data against accidental loss.
protection against accidental loss of personal data
Protection of data subject's personal data against damage to the data.
protection against damage to personal data
Protection of data subject's personal data against destruction of data.
protection against destruction of personal data
Protection of data subject's personal data against unlawful processing of data.
protection against unlawful processing of personal data
The processor must provide the controller with the information necessary to demonstrate compliance
provide Controller with information required for demonstrating compliance
The right of data portability requires providing a copy of the data subject's personal data
provide copy of data subject's personal data
Personal data that can no longer be attributed to a specific data subject without the use of additional information.
pseudo-anonymous data
Lawful basis is provided by the GDPR as being in the interest of the public
in lieu of public interest
The principle of purpose limitation states that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes.
Principle of Purpose Limitation
These are the obligations over determining the new or changed purposes of processing
purpose of new processing
The stated obligation could not be completed as it concerns rights and freedoms protection and/or issues of national security.
does not apply over rights and freedoms protection and for national security
Related to Regulation (EC) No. 45/2001
Regulation (EC) No 45/2001 should follow adoption of GDPR
Exempted as the GDPR does not apply to personal or household activity that does not have a professional or commercial activity associated with it.
does not apply to personal or household activity without any professional or commercial activity
Exempted as it involves areas covered by Directive (EU) 2016/680
does not apply to areas covered by Directive (EU) 2016/680
Personal data revealing racial or ethnic origin.
data identifying racial or regional origins
Regulation in GDPR text
Regulation
This obligation requires Controllers to record the categories of data subjects and the personal data involved in processing/activities.
record categories of data subjects and personal data involved
This obligation requires Controllers to record the categories of recipients the personal data was shared with.
record categories of recipients where personal data was shared
This obligation requires Controllers to record the cross-border data transfers.
record cross border transfers
This obligation requires Controllers to record the data retention period of personal data.
record data retention periods
This obligation requires Controllers to record the purpose of processing associated with personal data and the given consent.
record purpose of processing
This obligation requires Controllers to record the measures taken to ensure adequate safety measures of personal data and the involved activities.
record security measures
An activity that rectifies data
Rectify Data
Any inaccuracies or discrepancies in the retained data must be rectified
any inaccuracies in personal data should be rectified
The authority responsible for regulating data protection laws.
Regulatory Authority
Any retained personal data must be relevant for subsequent processing
retained personal data should be relevant for processing
The act of reporting a data breach to entities mentioned within the GDPR. These are the Data Protection Authority (DPA), and in the case of Processors, the Controller they have an agreement with.
report Data Breach
The occurrence of a data breach must be reported to the Controller.
report data breach to controller
The occurrence of a data breach must be reported to the Data Protection Authority (DPA) within 72 hours
report data breach to DPA within 72 hours
The stated obligation or activity could not be completed as it requires disproportionate efforts to complete.
requires disproportionate efforts
Appointing a sub-processor requires the written consent of the controller specifying permission or consent
requires written consent of Controller to appoint Sub-Processor
These provide restrictions on cross-border transfers for Processors
restrictions on cross border transfers
These are the obligations specified by the GDPR on the retention of personal data
retention of personal data
The processor must return or destroy personal data at the end of term (of its agreement with the controller)
return or destroy personal data at end of agreement term
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Right of Data Portability
The data subject has the right to obtain erasure of their personal data
Right of Erasure
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data along with additional information about it.
Right to Access Personal Data
The right to basic information about processing provides data subjects with information about the processing activities involving their personal data
Right to basic information about processing of personal data
The data subject has a right to not be evaluated through automated processing
Right to not be evaluated through automated processing
The data subject has a right to object to direct marketing based on their personal data
Right to object to direct marketing
The data subject has the right to object to processing of their personal data
Right to object to processing of personal data
The data subject has a right to rectify their personal data
Right to rectify personal data
The data subject has the right to restrict the processing of their personal data
Right to restrict processing of personal data
The right to transparency requires controllers to provide information about the processing activities as well as personal data and its usage in a transparent manner
Right to Transparency
The GDPR provides several rights to the data subjects which may be exercised at any time by the data subject and which are mandatory for the organisation to provide, comply with, and inform the data subject about.
Data Subject's Rights
A seal pertaining to GDPR compliance
Seal
GDPR provides for the creation and provision of seals and certificates pertaining to compliance or related activities
Seals and Certifications
Section in GDPR text
Section
This activity refers to security of data subject's personal data.
security of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
sensitive personal data
This activity represents the sharing of data subject's personal data with a third party.
share personal data with third party
The provided copy of personal data should be in a commonly used format
should be in a commonly used format
Obtained consent should be in a demonstrable form
consent should be demonstrable
Obtained consent should be distinguishable from other related matters (in the context of the process)
consent should be distinguishable from other matters
The provided copy of personal data should be machine readable
should be in a machine readable format
The provided copy of personal data should be structured
should be structured
The provided copy of personal data should support reuse
should support reuse
GDPR obligation that specifies consent must be specific for it to be valid.
given consent must be specific and must not be ambiguous
This obligation states that the collection of personal data should happen only for the specified purposes (for which the data subject has consented).
collection of personal data should take place only for specified purpose
The principle of storage limitation states that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.
Principle of Storage Limitation
An activity where personal data is being stored
Store Data
SubPoint in GDPR text
SubPoint
A sub-processor is a processor acting under another processor.
Sub-Processor
Sub-processors must follow the same rules and obligations (or terms) as the agreement between processor and controller.
Sub-Processor must follow same terms as Processor-Controller have agreed upon
This activity provides a systematic monitoring or overview of processes/activities taking place within the context of the organisation.
systematic monitoring of processing activities
An activity that uses personal data
Use Data
Consent is termed to be valid if it passes all the criteria or obligations laid down by the GDPR.
valid consent
These are obligations pertaining to the vital interests of the data subjects
vital interests of data subject
Consent must be obtained through the data subject's voluntary action and should be opt-in and not opt-out or by default.
consent must be voluntary and opt-in
The seals and certifications should be a voluntary system of accreditation
voluntary system of accreditation
This activity represents the data subject withdrawing given consent.
withdrawing given consent
An ontology for representing provenance traces pertaining to GDPR compliance. It uses concepts from GDPRtEXT along with extending PROV and P-Plan.