Copyright © 2025 the Contributors to the Guide for using DPV with ODRL Specification, published by the Data Privacy Vocabularies and Controls Community Group under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available.
This document will provide a guide for using DPV with ODRL. Currently, it is a work in progress.
DPV Specifications: The [DPV] is the core specification within the DPV family, with the following extensions: Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH] and [AI], [JUSTIFICATIONS], [SECTOR] specific extensions, and [LEGAL] extensions modelling specific jurisdictions and regulations. A [PRIMER] introduces the concepts and modelling of DPV specifications, and [GUIDES] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
To cite and understand the structure of DPV, the article "Data Privacy Vocabulary (DPV) - Version 2.0" (2024) describes the current state of DPV and extensions from version 2.0 onwards (open access version here). The earlier article "Creating A Vocabulary for Data Privacy" (2019) describes how the DPV was developed (open access versions here, here, and here).
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.
GitHub Issues are preferred for discussion of this specification.
The following namespaces and prefixes are used throughout this document:
| prefix | URI |
|---|---|
| dpv | https://w3id.org/dpv# |
| ai | https://w3id.org/dpv/ai# |
| pd | https://w3id.org/dpv/pd# |
| loc | https://w3id.org/dpv/loc# |
| tech | https://w3id.org/dpv/tech# |
| eu-gdpr | https://w3id.org/dpv/legal/eu/gdpr# |
| dcterms | http://purl.org/dc/terms/ |
| dcat | http://www.w3.org/ns/dcat# |
| odrl | http://www.w3.org/ns/odrl/2/ |
| dpv-odrl | https://w3id.org/dpv/odrl# |
| xsd | http://www.w3.org/2001/XMLSchema# |
| ex | https://example.com/ |
The ODRL Information Model 2.2 recommendation is a W3C standard for the expression of policies regarding the usage of data and services. It allows the representation of rules (e.g., permissions, prohibitions, and obligations) in a domain-agnostic manner. These rules allow, deny, or oblige parties to perform actions over assets, which can be further restricted using constraints and duties.
Since ODRL is a domain-agnostic policy language, DPV can be used as a controlled vocabulary for invoking privacy and data protection-specific terms within deontic logic-based policies.
Mapping of how each DPV term should be used within an ODRL policy. This information will be represented in machine-readable form as an ODRL profile, which is being developed by the DPVCG at https://w3id.org/dpv/mappings/odrl#, following the best practices documented in the ODRL V2.2 Profile Best Practices report.
| DPV (rows), ODRL (columns) | Party | Action | Asset | LeftOperand |
|---|---|---|---|---|
| dpv:Entity | X | X | ||
| dpv:Processing | X | |||
| dpv:Data | X | X | ||
| dpv:PersonalData | X | X | ||
| ai:AISystem | X | |||
| ai:Model | X | |||
| dpv:Purpose | X | |||
| dpv:TechnicalOrganisationalMeasure | X | |||
| dpv:TechnicalMeasure | X | |||
| dpv:OrganisationalMeasure | X | |||
| dpv:LegalMeasure | X | |||
| dpv:PhysicalMeasure | X | |||
| dpv:Location | X | |||
| dpv:Law | X | |||
| dpv:LegalBasis | X | |||
| dpv:Recipient | X | |||
| dpv:Right | X | |||
| dpv:Risk | X | |||
| dpv:DataController | X | |||
| dpv:DataProcessor | X | |||
| dpv:HumanSubject | X | |||
| dpv:DataSubject | X | |||
| dpv:Duration | X | |||
| dpv:Frequency | X | |||
| dpv:Justification | X | |||
| dpv:Technology | X | |||
| dpv:DataSource | X |
Unless stated otherwise, i.e., using DPV Rules, a DPV process instantiation must be interpreted as a permissive policy.
DPV entities can be used as assigners or assignees of ODRL policies, as well as a left operand to filter ODRL party collections.
DPV processing operations can be used as actions of ODRL policies,
which can be further restricted using constraints,
e.g., dpv-odrl:Location as a left operand to restrict processing to a certain location.
DPV data and personal data types can be used as assets of ODRL policies, as well as a left operand to filter ODRL asset collections. The AI system and model concepts, specified in DPV's extension for AI technologies, can also be used as assets of ODRL policies.
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
The contributions of Beatriz Esteves have received funding through the PROTECT ITN Project from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813497.
The contributions of Harshvardhan J. Pandit have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.