Rights Exercising with DPV

This document provides guidelines and examples on how to express information about the management and exercising of rights, in particular related to the data subject rights enacted in the GDPR, using the Data Privacy Vocabulary (DPV) and other semantic standards.

Prefix	Namespace
dcat	http://www.w3.org/ns/dcat#
dcterms	http://purl.org/dc/terms/
dpv	https://w3id.org/dpv#
eu-gdpr	https://w3id.org/dpv/legal/eu/gdpr#
ex	https://example.org/
foaf	http://xmlns.com/foaf/0.1/
justifications	https://w3id.org/dpv/justifications#
legal-eu	https://w3id.org/dpv/legal/eu#
legal-gb	https://w3id.org/dpv/legal/gb#
loc	https://w3id.org/dpv/loc#
oac	https://w3id.org/oac#
odrl	http://www.w3.org/ns/odrl/2/
pd	https://w3id.org/dpv/pd#
prov	http://www.w3.org/ns/prov#
skos	http://www.w3.org/2004/02/skos/core#
time	http://www.w3.org/2006/time#
xsd	http://www.w3.org/2001/XMLSchema#

Notifying rights-related activities

This section outlines how to provide notices related with rights exercising management. Generic right notices can be provided to indicate which rights exist, when and where they are applicable, and other relevant information. Notices can be associated with specific processes or activities using the hasNotice property. dcterms:issued and dcterms:valid can be used to indicate temporal information related to notices, i.e., when it was issued and until when it is valid. Descriptions and identifiers of the notices and their creators/publishers can be recorded using DCMI Metadata Terms. The notices should also include information about the data controller as well as the entity implementing the notice, which can be the data controller or another entity acting on behalf of the data controller, using dpv:hasDataController and dpv:isImplementedByEntity, respectively. foaf:page can be used to indicate a document, e.g., Webpage, containing the contents of the notice and further functionalities.

Example of a notice that details the applicable rights under EU's GDPR, issued on December 1st, 2024, and valid until December 31st, 2024. The notice has information about the data controller as well as the entity implementing it. The webpage available at https://example.org/DataController/RightNotice can be consulted for a human-readable version of the notice.

                    ex:RightNotice a dpv:RightNotice ;
                        dcterms:description "Rights notice of data controller, valid until the end of December 2024"^^xsd:string ;
                        dcterms:issued "2024-01-01"^^xsd:date ;
                        dcterms:valid "2024-12-31"^^xsd:date ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        dpv:hasApplicableLaw legal-eu:law-GDPR ;
                        dpv:hasRight eu-gdpr:A7-3, eu-gdpr:A13, eu-gdpr:A14, eu-gdpr:A15, eu-gdpr:A16, 
                            eu-gdpr:A17, eu-gdpr:A18, eu-gdpr:A20, eu-gdpr:A22, eu-gdpr:A77 ;
                        foaf:page <https://example.org/DataController/RightNotice> .

Right exercise notices should be used to notify data subjects on where and how to exercise an active right, which information is required, or to provide updates on an exercised right request. Beyond the previously mentioned properties, DPV's isExercisedAt property can be used to associate rights with specific right exercise points, i.e., through right exercise notices, and information required to exercise a right through the association with a process, using DPV's hasProcess property. The hasRecipient, hasStatus, and hasJustification properties can be used to provide updates to the data subject on the status of a specific right exercising activity, including a justification to why such right is being exercised.

Example of a rights exercise notice that details the rights, under EU's GDPR, that can be exercised at https://example.org/DataController/RightExercisePoint. To exercise such rights, the data subject's account identifier needs to be provided to the data controller to collect and store, for the purpose of identity verification.

                    ex:RightExercisePoint a dpv:RightExerciseNotice ;
                        dcterms:description "Exercise notice of data controller, valid until the end of December 2024"^^xsd:string ;
                        dcterms:issued "2024-01-01"^^xsd:date ;
                        dcterms:valid "2024-12-31"^^xsd:date ;
                        dpv:hasRight eu-gdpr:A7-3, eu-gdpr:A15, eu-gdpr:A16, eu-gdpr:A17, eu-gdpr:A20 ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        foaf:page <https://example.org/DataController/RightExercisePoint> ;
                        dpv:hasProcess [
                            dpv:hasPurpose dpv:IdentityVerification ;
                            dpv:hasPersonalData pd:AccountIdentifier ;
                            dpv:hasProcessing dpv:Collect, dpv:Store ;
                            dpv:hasRecipientDataController ex:DataController ] .

                    # Associating specific rights with specific exercise notices
                    ex:RightToErasure a eu-gdpr:A17 ;
                        dpv:isExercisedAt ex:RightExercisePoint .

Example of a right exercise update notice that contains the status of the exercised right, that can be consulted in human-readable format at https://example.org/DataController/UpdateRightToErasure. The justification used by the data subject to initiate the request to erasure is based on the data processing not being necessary.

                    ex:UpdateRightToErasure a dpv:RightExerciseNotice ;
                        dcterms:description "Exercise notice update provided to the data subject"^^xsd:string ;
                        dcterms:issued "2024-08-24"^^xsd:date ;
                        dpv:hasRight ex:RightToErasure ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        foaf:page <https://example.org/DataController/UpdateRightToErasure> ;
                        dpv:hasRecipient ex:DataSubject ;
                        dpv:hasStatus dpv:RequestInitiated ;
                        dpv:hasJustification justifications:NonNecessityObjection .
                    
                    ex:DataSubject a dpv:DataSubject .

Specific notices to inform of the fulfilment, towards fulfilment or about the non-fulfilment of a right are also provided. Required actions that need to be performed by entities towards the fulfilment of a certain rights-related request, that cannot be sufficiently detailed using DPV, e.g., issuance of payment terms, can be attached to notices using policy languages such as Open Digital Rights Language (ODRL). The period of time the entities have to execute the required actions can also be expressed using ODRL constraints and/or can be included in the notices using DPV's Duration concepts.

Example of a notice of fulfillment related to an exercised right to erasure, that can be consulted in human-readable format at https://example.org/DataController/FulfilRightToErasure.

                    ex:FulfilRightToErasure a dpv:RightFulfilmentNotice ;
                        dcterms:description "Notice of fulfillment related to the exercised right to erasure"^^xsd:string ;
                        dcterms:issued "2024-08-27"^^xsd:date ;
                        dpv:hasRight ex:RightToErasure ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        foaf:page <https://example.org/DataController/FulfilRightToErasure> ;
                        dpv:hasRecipient ex:DataSubject ;
                        dpv:hasStatus dpv:RequestFulfilled .

Example of a notice with information towards the fulfillment of an exercised right to erasure, that can be consulted in human-readable format at https://example.org/DataController/PaymentRightToErasure. In this case, the data controller requires the data subject to make a payment as the data subject's request as been deemed excessive by the data controller. The terms of the payment are described in the ODRL policy identified in https://example.org/DataController/PaymentRightToErasure/terms>.

                    ex:PaymentRightToErasure a dpv:RightFulfilmentNotice ;
                        dcterms:description "Notice of needed payment towards the fulfillment of the exercised right to erasure"^^xsd:string ;
                        dcterms:issued "2024-08-29"^^xsd:date ;
                        dpv:hasRight ex:RightToErasure ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        foaf:page <https://example.org/DataController/PaymentRightToErasure> ;
                        dpv:hasRecipient ex:DataSubject ;
                        dpv:hasStatus dpv:RequestRequiresAction ;
                        dpv:hasJustification justifications:ProcessExcessive ;
                        odrl:hasPolicy ex:PaymentRequired .
                    
                    ex:PaymentRequired a odrl:Policy ;
                        odrl:uid <https://example.org/DataController/PaymentRightToErasure/terms>
                        odrl:obligation [
                            odrl:assigner ex:DataController ;
                            odrl:assignee ex:DataSubject ;
                            odrl:action [
                                rdf:value odrl:compensate ;
                                odrl:refinement [
                                    odrl:leftOperand odrl:payAmount ;
                                    odrl:operator odrl:eq ;
                                    odrl:rightOperand "100.00"^^xsd:decimal ;
                                    odrl:unit <http://dbpedia.org/resource/Euro>
                                ]
                            ] ;
                            odrl:constraint [
                                odrl:leftOperand odrl:elapsedTime ;
                                odrl:operator odrl:eq ;
                                odrl:rightOperand "P14D"^^xsd:duration
                            ]
                        ] .

Example of a notice of non-fulfillment related to an exercised right to erasure, that can be consulted in human-readable format at https://example.org/DataController/RejectRightToErasure. The request will not be fulfilled since it would interfere with the right of freedom of expression and information of others, as indicated by the FreedomOfExpressionImpaired justification.

                    ex:RejectRightToErasure a dpv:RightNonFulfilmentNotice ;
                        dcterms:description "Notice of non-fulfillment related to an exercised right to erasure"^^xsd:string ;
                        dcterms:issued "2024-09-06"^^xsd:date ;
                        dpv:hasRight ex:RightToErasure ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        foaf:page <https://example.org/DataController/RejectRightToErasure> ;
                        dpv:hasRecipient ex:DataSubject ;
                        dpv:hasStatus dpv:RequestUnfulfilled ;
                        dpv:hasJustification justifications:FreedomOfExpressionImpaired .

For GDPR-specific notices, the EU GDPR extension provides concepts for direct and indirect data collection notices, required by GDPR's Articles 13 and 14, respectively, Subject Access Request (SAR) notices to fulfil GDPR Right of Access, and recipient notices to fulfil GDPR's Art.19 notification requirements, regarding the recipients to whom a rights exercise has been communicated, such as the right to rectification (Art.16), right to erasure (Art.17) or right to restriction of processing (Art.18).

In the case of GDPR's Articles 13 and 14, the data subject should be notified of the identity and contacts of the data controller and of the controller's representative if applicable, as well as receive notice of the contact details of the controller's data protection officer. The notice should also include the purposes and legal basis for data processing, and, in case such basis is the legitimate interests pursued by the controller or by a third party, said interests should be specified. Data subjects should also be made aware of any recipients or categories of recipients of the personal data, and, if applicable, about transfers of personal data to a third country or international organisation, including the existence or absence of an adequacy decision for said country and applicable safeguards. Furthermore, data subjects should be notified with regards to the data storage period, as well as their existing rights, namely the rights to withdraw consent and to lodge a complaint and the rights of access, rectification, erasure, restriction of processing, object and data portability. In case the provision of personal data is necessary for statutory or contractual obligations or there is automated decision-making, it should also be disclosed to the data subject. Beyond the previously mentioned information, GDPR's Article 14 also requires the data subject to be notified about processed categories of data and their respective sources.

How does it related with the ISO/IEC 29184 Privacy Notice standard? Also see issue at https://github.com/w3c/dpv/issues/91.

In the case of the SAR notice, a DPV process can be used to notify the data subject about the type of personal data being processed, the purpose for the processing, and to which recipients it was disclosed. The storage period of the data is also indicated, as well as the existence of other data subject rights and the source of the data if not collected from the data subject. In case there is automated decision-making, it should also be disclosed to the data subject.

Is there a list of legitimate interests validated by authorities/case law?

According to GDPR's Articles 13, 14, and 15, in the case data is shared with any recipients, these can be notified to the data subject by their category type instead of naming each recipient individually. DPV currently does not have such a taxonomy. Can we reuse an existent one or should we define one in DPV itself?

According to GDPR's Articles 13, 14, and 15, in the case of the existence of automated decision-making, including profiling, the data subject must be informed about it when exercising its right of access. While DPV already includes concepts to model automation and decision-making, work still needs to be done to come up with a model to represent information "about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject".

Example of a notice of direct data collection related to GDPR's Article 13, that can be consulted in human-readable format at https://example.org/DataController/DataCollection. Identity and contact details of the data controller and its representative and DPO are provided. The collected data was used for ServiceProvision, under GDPR's Article 6.1(a) legal basis, and it was disclosed to CompanyX, CompanyY, and CompanyZ. The data was collected from the data subject, from January 1st, 2023 to December 31st, 2023.

                    ex:DataCollection_Notice a eu-gdpr:DirectDataCollectionNotice ;
                        dcterms:description "Notice of direct data collection related to GDPR's Article 13"^^xsd:string ;
                        dcterms:issued "2024-08-01"^^xsd:date ;
                        dpv:hasRight eu-gdpr:A13 ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        foaf:page <https://example.org/DataController/DataCollection> ;
                        dpv:hasRecipient ex:DataSubject ;
                        dpv:hasProcess [
                            dpv:hasPurpose dpv:ServiceProvision ;
                            dpv:hasLegalBasis eu-gdpr:A6-1-a ;
                            dpv:hasRecipient ex:CompanyX, ex:CompanyY, ex:CompanyZ ;
                            dpv:hasDuration [
                                time:hasBeginning "2023-01-01"^^xsd:date ;
                                time:hasEnd "2023-12-31"^^xsd:date
                            ] ;
                            dpv:hasRight A7-3, eu-gdpr:A15, eu-gdpr:A16, eu-gdpr:A17, eu-gdpr:A18, 
                                eu-gdpr:A20, eu-gdpr:A21, eu-gdpr:A77 ;

                            # In case it is an dpv:IndirectDataCollectionNotice data type and source should also be present
                            dpv:hasDataSource dpv:ThirdPartyDataSource ;
                            dpv:hasPersonalData pd:EmailAddress
                        ] .

                    ex:DataController a dpv:DataController ;
                        dpv:hasName "Data Controller Y"^^xsd:string ;
                        dpv:hasAddress "Address of Data Controller Y"^^xsd:string ;
                        dpv:hasContact "mailto:datacontrollery@mail.com"^^xsd:string ;
                        dpv:hasRepresentative ex:DataControllerRep ;
                        dpv:hasDataProtectionOfficer ex:DataControllerDPO .

Example of a notice of fulfillment related to an exercised GDPR's Right of Access, that can be consulted in human-readable format at https://example.org/DataController/SARFulfilled_Notice. EmailAddress was used for ServiceProvision and it was disclosed to CompanyX. The data was sourced from the data subject and collected from January 1st, 2022 to December 31st, 2022.

                    ex:SARFulfilled_Notice a eu-gdpr:SARNotice ;
                        dcterms:description "Notice of fulfillment related to GDPR's Right of Access"^^xsd:string ;
                        dcterms:issued "2024-08-07"^^xsd:date ;
                        dpv:hasRight eu-gdpr:A15 ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        foaf:page <https://example.org/DataController/SARFulfilled_Notice> ;
                        dpv:hasRecipient ex:DataSubject ;
                        dpv:hasStatus dpv:RequestFulfilled ;
                        dpv:hasProcess [
                            dpv:hasPurpose dpv:ServiceProvision ;
                            dpv:hasPersonalData pd:EmailAddress ;
                            dpv:hasRecipient ex:CompanyX ;
                            dpv:hasDuration [
                                time:hasBeginning "2022-01-01"^^xsd:date ;
                                time:hasEnd "2022-12-31"^^xsd:date
                            ] ;
                            dpv:hasRight eu-gdpr:A16, eu-gdpr:A17, eu-gdpr:A18, eu-gdpr:A21, eu-gdpr:A77 ;
                            dpv:hasDataSource dpv:DataSubjectDataSource
                        ] .

Example of a notice of recipients to whom an exercised right to erasure was communicated, that can be consulted in human-readable format at https://example.org/DataController/Recipients_Notice. dpv:hasProcess is used to effectively communicate which right was exercised by the data subject receiving the notice - eu-gdpr:A17 in the example - and the recipients to whom the personal data have been disclosed - ex:CompanyX, ex:CompanyY, ex:CompanyZ in the example.

                    ex:Recipients_Notice a eu-gdpr:RightsRecipientsNotice ;
                        dcterms:description "Notice of recipients to whom an exercised right to erasure was communicated"^^xsd:string ;
                        dcterms:issued "2024-08-08"^^xsd:date ;
                        dpv:hasRight eu-gdpr:A19 ;
                        dpv:hasRecipient ex:DataSubject ;
                        dpv:hasDataController ex:DataController ;
                        dpv:isImplementedByEntity ex:DataController ;
                        foaf:page <https://example.org/DataController/Recipients_Notice> ;
                        dpv:hasProcess [
                            dpv:hasRight eu-gdpr:A17 ;
                            dpv:hasRecipient ex:CompanyX, ex:CompanyY, ex:CompanyZ
                        ] .
                    
                    ex:CompanyX a dpv:Recipient ;
                        dpv:hasName "Company X"^^xsd:string ;
                        dpv:hasAddress "Address of Company X"^^xsd:string ;
                        dpv:hasContact "mailto:companyy@mail.com"^^xsd:string .

Recording rights being exercised

This section outlines the information that needs to be recorded and maintained when a concrete instance of a right was or is being exercised. Keeping such records is of interest to data controllers to have machine-readable information about the status and fulfillment of requests, which can be used, e.g., by auditors. To represent concrete records of rights being exercised, the RightExerciseRecord concept, a subclass of DPV's Record, can be used to associate a particular request, or even distinct requests from the same data subject, with corresponding activities exercised by entities towards fulfilling such requests, modelled as RightExerciseActivity.

Rights exercise activities

A RightExerciseActivity represents an instantiation of an activity being performed towards the exercising of a right. Such activity instances should include metadata, e.g., timestamps, duration, or involved entities, to track the provenance of a particular right exercising process, from the request itself to its acknowledgement by the data controller and to the fulfilment or non-fulfilment of the right. For easy record-keeping, each activity should be modelled as a RightExerciseActivity instance, which can be connected with other instances using DPV's isBefore and isAfter concepts.

In order to justify a certain right exercise activity, DPV contains a Justification extension to "enable representing specific justifications associated with non-fulfilment, non-requirement, delays, and exercising reasons involved in processes", which can be used to justify the non-fulfilment, non-requirement, delays, and exercising of rights.

How to connect a justification associated with a right exercising activity with the the GDPR provision that inspired its definition? The dcterms:source property can be used:

                ex:RightExerciseActivity a dpv:RightExerciseActivity ;
                    ...
                    dpv:hasJustification ex:Justification .

                ex:Justification a justifications:FreedomOfExpressionImpaired ;
                    dcterms:source "GDPR Article 17.3(a)"^^xsd:string .

Additionally, to track the status of rights exercising activities, DPV's RequestStatus concepts, including RequestAccepted for a request being accepted towards fulfilment, RequestRejected for a request being rejected towards non-fulfilment or RequestRequiresAction for a request requiring an action to be performed from another party. Figure 1 illustrates the sequence in which these concepts occur. Once the request is initiated, it should be then acknowledged by the entity implementing it and either accepted towards fulfilment or rejected towards non-fulfilment. Additionally, after being rejected, the entity fulfilling the request can also require further action from the requester (e.g., request additional data to be able to fulfil the request), which can delay the acceptance or rejection of the request, and after the required action is performed, the request can either be accepted towards fulfilment or get rejected again towards non-fulfilment or towards asking again for further action.

Lifecycle of DPV's concepts to model the status of a request.

DPV's concepts can be used in conjunction with the W3C's PROV-O recommendation to track the provenance of a right exercising activity instance. Using this standard, provenance information, regarding the entities whom the activity is associated with, i.e., prov:wasAssociatedWith, or what data/notice was generated, i.e., prov:generated, by the right exercise activity, can be represented. prov:actedOnBehalfOf can also be used to represent delegation or representation, for instance when a parent exercises a right on behalf of its child. Similarly to notices, temporal information, descriptions and identifiers of the activities and their creators/publishers can be recorded using DCMI Metadata Terms.

In this section, we include examples of rights exercising activities covering the lifecycle of statuses of requests, using an exercised GDPR right of access as an example.

Example of a right exercising activity related to a GDPR right of access request. The activity associated with the start of the request has the status dpv:RequestInitiated, the data subject is identified using the dpv:hasDataSubject property and the recipient of the request, a data controller, using dpv:hasRecipientDataController. Furthermore, a process instance can be used to express what personal data needs to be processed for the fulfilment of the right - in this case, an account identifier of the data subject will be collected and stored by the data controller for identity verification purposes. DPV's hasScope can also be used to specify the scope of the request, e.g., the data subject only wants to access data processed for service provision purposes during 2022.

                    ex:DataSubject a dpv:DataSubject .
                    ex:DataSubjectUsername a pd:AccountIdentifier ;
                        dpv:hasDataSubject ex:DataSubject .
                    
                    ex:SARequest a dpv:RightExerciseActivity, prov:Activity ;
                        dcterms:description "Data Subject makes a GDPR right of access request"^^xsd:string ;
                        dpv:hasRight eu-gdpr:A15 ;
                        dpv:isExercisedAt ex:RightExercisePoint ;
                        prov:wasAssociatedWith ex:DataSubject ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasRecipientDataController ex:DataController ;
                        dcterms:created "2023-11-02T11:08:05"^^xsd:dateTime ;
                        dpv:hasStatus dpv:RequestInitiated ;
                        dpv:hasProcess [
                            dpv:hasPurpose dpv:IdentityVerification ;
                            dpv:hasPersonalData ex:DataSubjectUsername ;
                            dpv:hasProcessing dpv:Collect, dpv:Store
                        ] ;
                        dpv:hasScope [
                            dpv:hasPurpose dpv:ServiceProvision ;
                            dpv:hasDuration [
                                time:hasBeginning "2022-01-01T00:00:00"^^xsd:dateTime ;
                                time:hasEnd "2022-12-31T23:59:59"^^xsd:dateTime
                            ]
                        ] .

Example of a right exercising activity related to the acknowledgement by the data controller of a GDPR right of access request. Following the start of the request, the controller acknowledges said request - a RightExerciseActivity can be modelled with dpv:RequestAcknowledged status, coming from the the ex:DataSubject that initiated the request. Additionally, if required, the data subject can receive a notice of said acknowledgement.

                    ex:SARAcknowledged a dpv:RightExerciseActivity, prov:Activity ;
                        dcterms:description "Data controller acknowledges the request"^^xsd:string ;
                        dcterms:created "2023-11-02T15:55:10"^^xsd:dateTime ;
                        prov:wasAssociatedWith ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasStatus dpv:RequestAcknowledged ;
                        dpv:isAfter ex:SARequest .

Example of a right exercising activity related to the rejection by the data controller of the GDPR right of access request - the request was rejected due to the data controller not being able to identify the data subject.

                    ex:SARRejected a dpv:RightExerciseActivity, prov:Activity ;
                        dcterms:description "Data controller rejects the request due to an identity verification failure"^^xsd:string ;
                        dcterms:created "2023-11-02T15:57:31"^^xsd:dateTime ;
                        prov:wasAssociatedWith ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasStatus dpv:RequestRejected ;
                        dpv:hasJustification justifications:IdentityVerificationFailure ;
                        dpv:isAfter ex:SARAcknowledged .

Example of a right exercising activity where the data controller requires further information from the data subject to be able to proceed with the request. Such right exercise activity is specified with the dpv:RequestRequiresAction status and contains a process instance expressing the action that the data subject needs to fulfil for the right exercise to continue - in this case the data subject must make available to the data controller an official ID for identity verification purposes.

                    ex:SARRequiresAction a dpv:RightExerciseActivity, prov:Activity ;
                        dcterms:description "Data controller requires further action from data subject"^^xsd:string ;
                        dcterms:created "2023-11-02T16:09:21"^^xsd:dateTime ;
                        prov:wasAssociatedWith ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasStatus dpv:RequestRequiresAction ;
                        dpv:hasJustification justifications:IdentityVerificationFailure ;
                        dpv:hasProcess [
                            dpv:hasPersonalData pd:OfficialID ;
                            dpv:hasProcessing dpv:MakeAvailable ;
                            dpv:hasPurpose dpv:IdentityVerification ;
                            dpv:hasRecipientDataController ex:DataController ;
                            dpv:isImplementedByEntity ex:DataSubject
                        ] ;
                        dpv:isAfter ex:SARRejected .

Example of a right exercising activity related to a delay in the exercising of the request as the data controller requires further information to identify the data subject. Such right exercise activity has a status of dpv:RequestActionDelayed, with the justification being that identity verification is still required by the data controller to proceed with the request, giving the data subject a duration of 1 month to reply with the required information.

                    ex:SARActionDelayed a dpv:RightExerciseActivity, prov:Activity ;
                        dcterms:description "Request is delayed as the data controller requires further information to identify the data subject"^^xsd:string ;
                        dcterms:created "2023-11-02T16:09:52"^^xsd:dateTime ;
                        prov:wasAssociatedWith ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasStatus dpv:RequestActionDelayed ;
                        dpv:hasJustification justifications:IdentityVerificationRequired ;
                        dpv:hasDuration "P1M"^^xsd:duration ;
                        dpv:isAfter ex:SARRequiresAction .

Example of a right exercise activity associated with the data subject and with a dpv:RequestRequiredActionPerformed status, which includes the official ID that the data subject made available to the data controller to effectively identify themself.

                    ex:DataSubjectOfficialID a pd:OfficialID ;
                        dpv:hasDataSubject ex:DataSubject .

                    ex:SARActionPerformed a dpv:RightExerciseActivity, prov:Activity ;
                        dcterms:description "Data Subject provides required information" ;
                        dcterms:created "2023-11-02T17:20:42"^^xsd:dateTime ;
                        prov:wasAssociatedWith ex:DataSubject ;
                        dpv:hasStatus dpv:RequestRequiredActionPerformed ;
                        dpv:hasProcess [
                            dpv:hasPersonalData ex:DataSubjectOfficialID ;
                            dpv:hasProcessing dpv:MakeAvailable ;
                            dpv:hasPurpose dpv:IdentityVerification ;
                            dpv:hasRecipientDataController ex:DataController ;
                            dpv:isImplementedByEntity ex:DataSubjectUsername ] ;
                        dpv:isAfter ex:SARActionDelayed .

Example of a right exercise activity associated with the data controller related to the acceptance of a request to fulfil. In this case, the data controller effectively already has the information that they need to fulfil the data subject's request and can proceed with said fulfilment.

                    ex:SARAccepted a dpv:RightExerciseActivity, prov:Activity ;
                        dcterms:description "Request accepted by data controller towards fulfilment" ;
                        dcterms:created "2023-11-03T08:15:04"^^xsd:dateTime ;
                        prov:wasAssociatedWith ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasStatus dpv:RequestAccepted ;
                        dpv:isAfter ex:SARActionPerformed .

Example of a right exercise activity associated with the fulfilment of the request by the data controller. As such, the data controller provides the data subject with a notice of the fulfilment of GDPR's Art.15, ex:SARNotice, and a copy of the data whose access was requested, ex:DataCopy. Said copy can be retrieved from https://example.org/DataSubject/SAR_DataCopy in CSV format, from November 3rd, 2023, to December 3rd, 2023, according with the attached access policy, ex:access_policy.

                    ex:SARFulfilled a dpv:RightExerciseActivity, prov:Activity ;
                        dcterms:description "Request fulfilled by data controller" ;
                        dcterms:created "2023-11-03T08:37:25"^^xsd:dateTime ;
                        prov:wasAssociatedWith ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasStatus dpv:RequestFulfilled ;
                        prov:generated ex:DataCopy, ex:SARNotice ;
                        dpv:isAfter ex:SARAccepted .

                    ex:DataCopy a dcat:Dataset ;
                        dcterms:format <https://www.iana.org/assignments/media-types/text/csv> ;
                        odrl:hasPolicy ex:access_policy ;
                        dcterms:issued "2023-11-03T08:35:42"^^xsd:dateTime ;
                        dcterms:valid "2023-12-03T08:35:42"^^xsd:dateTime ;
                        dcat:landingPage <https://example.org/DataSubject/SAR_DataCopy> .

In this latest example, a SAR notice is not included as Section 3 already includes a set of modelled notices, including an example of a modelled SAR Notice.

Moreover, DCAT can be used to model resources beyond notices, for instance, a copy of the personal data, which is required in both GDPR's access and data portability rights. DCAT promotes the usage of the properties such as dcterms:format, dcterms:valid, and dcat:landingPage to include information regarding the format, validity and dataset provision location, respectively, to characterize the dataset in question. Additionally, DCAT promotes the usage of ODRL to express license and rights statements, by linking the dataset with an ODRL policy using the odrl:hasPolicy property, or the usage of DCMI Metadata Terms' license, accessRights or rights properties to link datasets with licenses, access rights statements or other types of rights statements, e.g., copyrights, respectively. The latter can be used to express 'high-level' access control statements, e.g., embargoed, restricted or open access, while the former has the advantage of also being a W3C Recommendation, for policy expression, which provides a model to represent complex policies and an easy mechanism to extend its model to cover other use cases.

In this Section, the GDPR's Right of Access is used as an example to showcase how to model right exercising activities using DPV, DCMI Metadata Terms, PROV-O and DCAT. However, a similar pattern can be followed by data controllers to fulfil the other rights as in most cases the only substantial change would be the notice concept that needs to be used for a particular right instance, e.g., eu-gdpr:DirectDataCollectionNotice for the right fulfilment notice related to GDPR's Article 13, eu-gdpr:IndirectDataCollectionNotice for the right fulfilment notice related to GDPR's Article 14 or eu-gdpr:RightsRecipientsNotice for the right fulfilment notice related to GDPR's Article 19. Additionally, the proposed model for right exercising activities is generic enough to support the representation of rights from other jurisdictions and can be easily extended if the need arises.

Rights exercise records

As previously mentioned, RightExerciseRecords can be used to associate a particular request, or even distinct requests from the same data subject, with corresponding activities exercised by entities towards the fulfilment or non-fulfilment of such requests, e.g., using the dcterms:hasPart property.

Example of a right exercise record related to a GDPR Right of Access request, which was already fulfilled, as represented by the dpv:RequestFulfilled status. The activities performed for the fulfilment of the right are all connected with the record using the dcterms:hasPart property.

                    ex:SAR-DS-record a dpv:RightExerciseRecord ;
                        dcterms:description "Record maintained by the data controller for a GDPR Right of Access request" ;
                        dcterms:created "2023-11-02T11:08:05"^^xsd:dateTime ;
                        dcterms:modified "2023-11-03T08:37:25"^^xsd:dateTime ;
                        dpv:hasDataController ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasRight eu-gdpr:A15 ;
                        dpv:hasStatus dpv:RequestFulfilled ;
                        dcterms:hasPart ex:SARequest, ex:SARAcknowledged, ex:SARRejected, ex:SARRequiresAction, ex:SARActionDelayed,
                            ex:SARActionPerformed, ex:SARAccepted, ex:SARFulfilled .

Example of a right exercise record maintained by the data controller for all the data subject's rights-related requests. Distinct recorded requests are connected by the dcterms:hasPart property to the main record maintained by the data controller for that particular data subject. Each individual request is then modelled as a separate record related to a particular right request, which uses DPV's hasRight and hasStatus to establish the right being exercised and to maintain the status of the request - in this case ex:request-1 has already been fulfilled, while ex:request-2 has as its latest status being acknowledged by the data controller. The activities performed for the fulfilment of the right are all connected with the record using the dcterms:hasPart property.

                    ex:DS-record a dpv:RightExerciseRecord ;
                        dcterms:description "Record maintained by the data controller for the data subject's rights-related requests" ;
                        dcterms:created "2023-10-23T08:37:25"^^xsd:dateTime ;
                        dcterms:modified "2023-11-03T08:37:25"^^xsd:dateTime ;
                        dpv:hasDataController ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dcterms:hasPart ex:request-1, ex-request-2 .
                    
                    ex:request-1 a dpv:RightExerciseRecord ;
                        dcterms:description "Record maintained by the data controller for a GDPR Right of Access request" ;
                        dcterms:created "2023-10-23T08:37:25"^^xsd:dateTime ;
                        dcterms:modified "2023-10-25T08:37:25"^^xsd:dateTime ;
                        dpv:hasDataController ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasRight eu-gdpr:A15 ;
                        dpv:hasStatus dpv:RequestFulfilled ;
                        dcterms:hasPart ex:SARequest, ex:SARAcknowledged, ex:SARRejected, ex:SARRequiresAction, ex:SARActionDelayed,
                            ex:SARActionPerformed, ex:SARAccepted, ex:SARFulfilled .

                    ex:request-2 a dpv:RightExerciseRecord ;
                        dcterms:description "Record maintained by the data controller for a GDPR Right of data portability" ;
                        dcterms:created "2023-11-02T18:36:14"^^xsd:dateTime ;
                        dcterms:modified "2023-11-03T08:37:25"^^xsd:dateTime ;
                        dpv:hasDataController ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dpv:hasRight eu-gdpr:A20 ;
                        dpv:hasStatus dpv:RequestAcknowledged ;
                        dcterms:hasPart ex:portabilityRequest, ex:portabilityAcknowledged .

For integration with DCAT-based systems, right exercise records can also adapt DCAT's standard to represent data catalogs - a right exercise record can also be modelled as a dcat:Catalog and right exercise activities as dcat:Resources, which can be bundled and ordered using dcat:DatasetSeries. This also brings the advantage of using DCAT's ordering properties, i.e., dcat:first, dcat:last, and dcat:prev, to retrieve the latest activity related to a particular rights-related request.

Example of a right exercise record maintained by the data controller for all the data subject's rights-related requests. A catalog record is maintained to describe metadata about the right exercise record, including the involved data controller and data subject. As it stands, the data subject has opened two requests, ex:request-001 and ex-request-002. The right exercising activities pertaining to these requests are collected and ordered in ex:request-001-series and ex:request-002-series, respectively. As such, the dcat:last property can be used to retrieve the latest activity of each request.

                    ex:catalog-001 a dpv:RightExerciseRecord, dcat:Catalog ;
                        dcterms:description "Record maintained by the data controller for the data subject's rights-related requests" ;
                        dcterms:publisher ex:DataController ;
                        dcterms:created "2023-10-23T08:37:25"^^xsd:dateTime ;
                        dcterms:modified "2023-11-03T08:37:25"^^xsd:dateTime ;
                        dcat:record ex:DS-record ;
                        dcat:catalog ex:request-001, ex-request-002 .

                    ex:record-001 a dcat:CatalogRecord ;
                        dcterms:description "Metadata about catalog-001" ;
                        foaf:primaryTopic ex:DataSubject ;
                        dcterms:publisher ex:DataController ;
                        dpv:hasDataController ex:DataController ;
                        dpv:hasDataSubject ex:DataSubject ;
                        dcterms:issued "2023-10-23T08:37:25"^^xsd:dateTime .
                    
                    ex:request-001 a dpv:RightExerciseRecord, dcat:Catalog ;
                        dcterms:description "Record maintained by the data controller for a GDPR Right of Access request" ;
                        dcterms:created "2023-10-23T08:37:25"^^xsd:dateTime ;
                        dcterms:modified "2023-10-25T08:37:25"^^xsd:dateTime ;
                        dpv:hasRight eu-gdpr:A15 ;
                        dpv:hasStatus dpv:RequestFulfilled ;
                        dcat:resource ex:SARequest, ex:SARAcknowledged, ex:SARRejected, ex:SARRequiresAction, ex:SARActionDelayed,
                            ex:SARActionPerformed, ex:SARAccepted, ex:SARFulfilled .

                    ex:request-001-series a dcat:DatasetSeries ;
                        dcat:first ex:SARequest ;
                        dcat:last ex:SARFulfilled .

                    ex:SARequest a dpv:RightExerciseActivity, dcat:Resource ;
                        dcat:inSeries ex:request-001-series ;
                        # further data is modelled as in the examples in Section 3 .

                    ex:SARAcknowledged a dpv:RightExerciseActivity, dcat:Resource ;
                        dcat:inSeries ex:request-001-series ;
                        dcat:prev  ex:SARequest .

                    # Other dcat:Resource in the series have the same structure

                    ex:request-002 a dpv:RightExerciseRecord ;
                        dcterms:description "Record maintained by the data controller for a GDPR Right of data portability" ;
                        dcterms:created "2023-11-02T18:36:14"^^xsd:dateTime ;
                        dcterms:modified "2023-11-03T08:37:25"^^xsd:dateTime ;
                        dpv:hasRight eu-gdpr:A20 ;
                        dpv:hasStatus dpv:RequestAcknowledged ;
                        dcat:resource ex:portabilityRequest, ex:portabilityAcknowledged .
                    
                    ex:request-002-series a dcat:DatasetSeries ;
                        dcat:first ex:portabilityRequest ;
                        dcat:last ex:portabilityAcknowledged .

Automating the execution of GDPR-related rights requests with policies

This section outlines how to use DPV and the Open Digital Rights Language (ODRL) for data subjects to send GDPR-related right requests in a machine-interpretable format to data controllers, which can integrate an automated response in their rights management processes to easily reply to data subjects. For instance, systems implementing an ODRL evaluator according to the formal semantics of ODRL can evaluate policies in order to understand which ones are active, have been violated or fulfiled, and act accordingly in a constant, interoperable manner.

See related issue at https://github.com/w3c/dpv/issues/4.

GDPR's data subject rights described in Articles 15 to 22 can be instantiated as ODRL policies containing permissions, prohibitions and obligations to data controllers to act upon or fulfil.

See generic instances of modelled rights at https://github.com/besteves4/dpv-rights-exercising.

Right of access

In particular, GDPR's right of access can be interpreted as a duty to the data controller to provide a copy of the data subject's personal data, as well as a notice with information about the purpose(s) to which it is being used, recipients to which the data has been disclosed, and so on.

Example of a request sent in by Alice to have access to her personal data according to GDPR's Article 15. Alice's right to get a copy of her data is modelled as a duty to the data controller, i.e., ex:alice-access-data, where Alice is the recipient of the data. As Article 15 also expresses that Alice must have confirmation about the processing of her data, a second obligation, i.e., ex:alice-access-notice, is included for the data controller to inform Alice about such processing, which is described in a eu-gdpr:SARNotice.

                    ex:alice-access a odrl:Request ;
                        odrl:uid "1234-5678-9012-3456-7890"^^xsd:string ;
                        dpv:hasRight eu-gdpr:A15 ;
                        dcterms:description "Alice requests access to her data processed by HCP X." ;
                        odrl:obligation ex:alice-access-data ;
                        odrl:obligation ex:alice-access-notice .

                    ex:alice-access-data a odrl:Duty ;
                        odrl:action [
                            rdf:value odrl:reproduce ;
                            # or using the OAC profile (https://w3id.org/oac): rdf:value oac:Access ;
                            # or using directly DPV (not following best practices though): rdf:value dpv:Access ;
                            odrl:refinement ex:copy-recipient
                        ] ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx .

                    ex:copy-recipient a odrl:Constraint ;
                        odrl:leftOperand odrl:recipient ;
                        odrl:operator odrl:eq ;
                        odrl:rightOperand ex:alice .

                    ex:alice-access-notice a odrl:Duty ;
                        odrl:action odrl:inform ;
                        odrl:informedParty ex:alice ;
                        odrl:informingParty ex:HCPx ;
                        odrl:target ex:alice-SARNotice .

                    ex:alice a dpv:DataSubject .
                    ex:alice-data a dpv:PersonalData ;
                        dpv:hasDataSubject ex:alice .
                    ex:HCPx a dpv:DataController .
                    ex:alice-SARNotice a eu-gdpr:SARNotice .

ODRL policies also allow restrictions in the scope of the right: let's say that the data subject only wishes to have access to a certain type of data or to all data that has been processed for only a particular purpose - these restrictions can be modelled with a odrl:Constraint.

Example of a request sent in by Alice to have access to her personal data being processed for service provision, i.e., dpv:ServiceProvision, according to GDPR's Article 15.

                    ex:alice-access a odrl:Request ;
                        odrl:uid "1234-5678-9012-3456-7890"^^xsd:string ;
                        dpv:hasRight eu-gdpr:A15 ;
                        dcterms:description "Alice requests access to her data processed by HCP X for service provision." ;
                        odrl:obligation ex:alice-access-data ;
                        odrl:obligation ex:alice-access-notice .

                    ex:alice-access-data a odrl:Duty ;
                        odrl:action [
                            rdf:value odrl:reproduce ;
                            odrl:refinement ex:copy-recipient
                        ] ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx ;
                        odr:constraint ex:purpose .

                    ex:purpose a odrl:Constraint ;
                        odrl:leftOperand odrl:purpose ;
                        odrl:operator odrl:isA ;
                        odrl:rightOperand dpv:ServiceProvision .

Right to rectification

GDPR's right to rectification can be modelled as a permission to use the corrected data with the duty to delete the data that is incorrect. Moreover, according to Article 19, if the data has been disclosed to recipients, the data controller has the duty to inform the data subject about said recipients.

Example of a request sent in by Alice to have her personal data corrected according to GDPR's Article 16. Alice's right to rectification is modelled as a permission to the data controller, i.e., ex:alice-correct-data, with a duty to delete the incorrect data, i.e., ex:alice-delete-data. An obligation to inform the data subject about recipients to which the data has been disclosed, i.e., ex:alice-rectify-recipients is also included.

                    ex:alice-rectify a odrl:Request ;
                        odrl:uid "7890-1234-5678-9012-3456"^^xsd:string ;
                        dcterms:description "Alice requests HCP X to rectify her data." ;
                        odrl:permission ex:alice-correct-data ;
                        odrl:obligation ex:alice-rectify-recipients .

                    ex:alice-correct-data a odrl:Permission ;
                        dpv:hasRight eu-gdpr:A16 ;
                        odrl:action odrl:use ;
                        odrl:target ex:alice-data-corrected ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx ;
                        odrl:duty ex:alice-delete-data .

                    ex:alice-delete-data a odrl:Duty ;
                        odrl:action odrl:delete ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx .

                    ex:alice-rectify-recipients a odrl:Duty ;
                        dpv:hasRight eu-gdpr:A19 ;
                        odrl:action odrl:inform ;
                        odrl:informedParty ex:alice ;
                        odrl:informingParty ex:HCPx ;
                        odrl:target ex:alice-RightsRecipientsNotice .

                    ex:alice-data-corrected a dpv:PersonalData ;
                        dpv:hasDataSubject ex:alice .
                    ex:alice-RightsRecipientsNotice a eu-gdpr:RightsRecipientsNotice .

Right to erasure

GDPR's right to erasure can be modelled as an obligation to delete the personal data of the data subject, on one of the grounds established in Article 17.1. Such grounds can be expressed using DPV's Justification concepts. Moreover, according to Article 19, if the data has been disclosed to recipients, the data controller has the duty to inform the data subject about said recipients.

Example of a request sent in by Alice to have her personal data deleted according to GDPR's Article 17. Alice bases her request on the ground that the data is no longer necessary in relation to the purposes for which it was processed, i.e., justifications:NonNecessityObjection.

                    ex:alice-delete a odrl:Request ;
                        odrl:uid "3456-7890-1234-5678-9012"^^xsd:string ;
                        dcterms:description "Alice requests HCP X to delete her data." ;
                        odrl:obligation ex:alice-delete-data ;
                        odrl:obligation ex:alice-delete-notice .

                    ex:alice-delete-data a odrl:Duty ;
                        dpv:hasRight eu-gdpr:A17 ;
                        odrl:action [
                            rdf:value odrl:delete ;
                            odrl:refinement ex:alice-delete-justification
                        ] ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx .

                    ex:alice-delete-justification a odrl:Constraint ;
                        odrl:leftOperand dpv:Justification ;
                        odrl:operator odrl:eq ;
                        odrl:rightOperand justifications:NonNecessityObjection .

                    ex:alice-delete-notice a odrl:Duty ;
                        dpv:hasRight eu-gdpr:A19 ;
                        odrl:action odrl:inform ;
                        odrl:informedParty ex:alice ;
                        odrl:informingParty ex:HCPx ;
                        odrl:target ex:alice-RightsRecipientsNotice .

Right to restriction of processing

GDPR's right to restriction of processing can be modelled as a prohibition to further process the personal data of the data subject, on one of the grounds established in Article 18.1. Such grounds can be expressed using DPV's Justification concepts. Moreover, according to Article 19, if the data has been disclosed to recipients, the data controller has the duty to inform the data subject about said recipients.

Example of a request sent in by Alice for the data controller to restrict the processing of her personal data according to GDPR's Article 18. Alice bases her request on the ground that the data is not accurate, i.e., justifications:ContestAccuracy.

                    ex:alice-restrict a odrl:Request ;
                        odrl:uid "9012-3456-7890-1234-5678"^^xsd:string ;
                        dcterms:description "Alice requests HCP X to stop processing her data." ;
                        odrl:prohibition ex:alice-restrict-data ;
                        odrl:obligation ex:alice-restrict-notice .

                    ex:alice-restrict-data a odrl:Prohibition ;
                        dpv:hasRight eu-gdpr:A18 ;
                        odrl:action [
                            rdf:value odrl:use ;
                            odrl:refinement ex:alice-restrict-justification
                        ] ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx .

                    ex:alice-restrict-justification a odrl:Constraint ;
                        odrl:leftOperand dpv:Justification ;
                        odrl:operator odrl:eq ;
                        odrl:rightOperand justifications:ContestAccuracy .

                    ex:alice-restrict-notice a odrl:Duty ;
                        dpv:hasRight eu-gdpr:A19 ;
                        odrl:action odrl:inform ;
                        odrl:informedParty ex:alice ;
                        odrl:informingParty ex:HCPx ;
                        odrl:target ex:alice-RightsRecipientsNotice .

Right to data portability

GDPR's right to data portability can be modelled as an obligation to the data controller to send the personal data of the data subject upon request, which can be constrained to be in a certain format. The data subject can also request the data to be transmitted directly to another controller - this can be modelled as an obligation as well, where the data controller has the obligation send the data to another data controller, which is modelled as the recipient of the rule.

Example of a data portability request sent in by Alice according to GDPR's Article 20. Alice wishes to receive her data in CSV format, as modelled in the odrl:fileFormat constraint. Furthermore, Alice wishes her data to be transmitted by the data controller ex:HCPx to the data controller ex:HCPy, as modelled in the duty ex:transmit.

                    ex:alice-portability a odrl:Request ;
                        odrl:uid "0987-6543-2109-8765-4321"^^xsd:string ;
                        dpv:hasRight eu-gdpr:A20 ;
                        dcterms:description "Alice requests HCP X to receive her data in CSV format and for HCP X to transmit it to HCP Y." ;
                        odrl:obligation ex:receive ;
                        odrl:obligation ex:transmit .
                    
                    ex:receive a odrl:Duty ;
                        odrl:action [
                            rdf:value odrl:reproduce ;
                            odrl:refinement ex:receive-recipient, ex:receive-format
                        ] ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx .
                    
                    ex:receive-recipient a odrl:Constraint ;
                        odrl:leftOperand odrl:recipient ;
                        odrl:operator odrl:eq ;
                        odrl:rightOperand ex:alice .
                    
                    ex:receive-format a odrl:Constraint ;
                        odrl:leftOperand odrl:fileFormat ;
                        odrl:operator odrl:eq ;
                        odrl:rightOperand <https://www.iana.org/assignments/media-types/text/csv> .
                    
                    ex:transmit a odrl:Duty ;
                        odrl:action [
                            rdf:value odrl:reproduce ;
                            odrl:refinement ex:transmit-recipient
                        ] ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx .
                    
                    ex:transmit-recipient a odrl:Constraint ;
                        odrl:leftOperand odrl:recipient ;
                        odrl:operator odrl:eq ;
                        odrl:rightOperand ex:HCPy .
                    
                    ex:HCPy a dpv:DataController .

Right to object

GDPR's right to object can be modelled as an prohibition to the data controller to use the personal data of the data subject when said processing is based on legitimate or public interests described in Article 6.1(e)(f). The data subject can also request the controller to stop processing personal data for direct marketing purposes - this can be modelled as an prohibition to use data with a dpv:DirectMarketing purpose constraint, or to stop processing her data for scientific or historical research purposes or statistical purposes - again, this can be modelled as an prohibition to use data with a purpose constraint. In the examples below, we express each of these rules as independent odrl:Request policies, however if necessary they can be merged, e.g., into a single policy.

The usage of OAC (ODRL profile for Access Control) will be substituted by the work being done on aligning DPV with the ODRL information model (being maintained by the ODRL CG) towards the publication of a joint report. The following issues track this work: https://github.com/w3c/dpv/issues/130 and https://github.com/w3c/odrl/issues/46.

Example of a request sent in by Alice for the data controller to stop processing her data based on legitimate interest, according to GDPR's Article 21. The restriction on the legal basis can be modelled with the GDPR legal basis eu-gdpr:A6-1-f.

                    ex:alice-object-legalbasis a odrl:Request ;
                        odrl:profile oac: ;
                        odrl:uid "4321-0987-6543-2109-8765"^^xsd:string ;
                        dpv:hasRight eu-gdpr:A21 ;
                        dcterms:description "Alice requests HCP X to stop processing her data based on legitimate interest." ;
                        odrl:prohibition ex:object-legalbasis .

                    ex:object-legalbasis a odrl:Prohibition ;
                        odrl:action odrl:use ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx ;
                        odrl:constraint ex:legalbasis .

                    ex:legalbasis a odrl:Constraint ;
                        odrl:leftOperand oac:LegalBasis ;
                        odrl:operator odrl:eq ;
                        odrl:rightOperand eu-gdpr:A6-1-f .

Example of a request sent in by Alice for the data controller to stop processing her data for direct marketing purposes, according to GDPR's Article 21. The restriction on the purpose can be modelled with dpv:DirectMarketing.

                    ex:alice-object-marketing a odrl:Request ;
                        odrl:profile oac: ;
                        odrl:uid "8765-4321-0987-6543-2109"^^xsd:string ;
                        dpv:hasRight eu-gdpr:A21 ;
                        dcterms:description "Alice requests HCP X to stop processing her data for direct marketing purposes." ;
                        odrl:prohibition ex:object-marketing .

                    ex:object-marketing a odrl:Prohibition ;
                        odrl:action odrl:use ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx ;
                        odrl:constraint ex:purpose .

                    ex:purpose a odrl:Constraint ;
                        odrl:leftOperand oac:Purpose ;
                        odrl:operator odrl:isA ;
                        odrl:rightOperand dpv:DirectMarketing .

Example of a request sent in by Alice for the data controller to stop processing her data for scientific or historical research purposes or statistical purposes, according to GDPR's Article 21. The restriction on the purposes can be modelled with dpv:ProvideOfficialStatistics and dpv:ScientificResearch.

                    ex:alice-object-research a odrl:Request ;
                        odrl:profile oac: ;
                        odrl:uid "2109-8765-4321-0987-6543"^^xsd:string ;
                        dpv:hasRight eu-gdpr:A21 ;
                        dcterms:description "Alice requests HCP X to stop processing her data for scientific or historical research purposes or statistical purposes." ;
                        odrl:prohibition ex:object-research .

                    ex:object-research a odrl:Prohibition ;
                        odrl:action odrl:use ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx ;
                        odrl:constraint ex:purpose-research .

                    ex:purpose-research a odrl:Constraint ;
                        odrl:leftOperand oac:Purpose ;
                        odrl:operator odrl:isAnyOf ;
                        odrl:rightOperand dpv:ProvideOfficialStatistics, dpv:ScientificResearch .

Currently, DPV does not include a purpose term for historical research.

Right not to be subject to a decision based solely on automated processing

GDPR's right not to be subject to a decision based solely on automated processing, including profiling, can be modelled as a prohibition to use personal data when the processing context, i.e., dpv:ProcessingContext, is based on automated decision-making, i.e., dpv:AutomatedDecisionMaking.

Example of a request sent in by Alice for the data controller to stop processing her data based solely on automated processing, according to GDPR's Article 22. The restriction on the processing context can be modelled with dpv:AutomatedDecisionMaking.

                    ex:alice-object-automation a odrl:Request ;
                        odrl:uid "6543-2109-8765-4321-0987"^^xsd:string ;
                        dpv:hasRight eu-gdpr:A22 ;
                        dcterms:description "Alice requests HCP X to stop processing her data based solely on automated processing." ;
                        odrl:prohibition ex:object-automation .

                    ex:object-automation a odrl:Prohibition ;
                        odrl:action [
                            rdf:value odrl:use ;
                            odrl:refinement ex:processing-context
                        ] ;
                        odrl:target ex:alice-data ;
                        odrl:assigner ex:alice ;
                        odrl:assignee ex:HCPx .

                    ex:processing-context a odrl:Constraint ;
                        odrl:leftOperand dpv:ProcessingContext ;
                        odrl:operator odrl:isA ;
                        odrl:rightOperand dpv:AutomatedDecisionMaking .

Overview

Namespaces

Associating processes with rights