Copyright © 2025 the Contributors to the Guide for using DPV for GDPR's ROPA Specification, published by the Data Privacy Vocabularies and Controls Community Group under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available.
This document will provide a guide for using DPV for GDPR's ROPA. Currently, it is a work in progress.
The GDPR Article 30 requires keeping records of processing activities (ROPA) involving personal data, where the information to be maintained in such records includes purpose, personal data categories, technical and organisational measures utilised, and others. This GUIDE-GDPR-ROPA will provide guidance to implement machine-readable ROPAs using the DPV. The scope as of now does not include providing tools or libraries for the creation of ROPA or interfaces or other means to work with this information.
This will be based on existing specifications developed using DPV called Data Processing Catalogue (DPCat) - see peer-reviewed article by DPVCG members Paul Ryan, Rob Brennan, and Harshvardhan J. Pandit.
DPV Specifications: The [DPV] is the core specification within the DPV family, with the following extensions: Personal Data [PD], Locations [LOC], Risk Management [RISK], Technology [TECH] and [AI], [JUSTIFICATIONS], [SECTOR] specific extensions, and [LEGAL] extensions modelling specific jurisdictions and regulations. A [PRIMER] introduces the concepts and modelling of DPV specifications, and [GUIDES] describe application of DPV for specific applications and use-cases. The Search Index page provides a searchable hierarchy of all concepts. The Data Privacy Vocabularies and Controls Community Group (DPVCG) develops and manages these specifications through GitHub. For meetings, see the DPVCG calendar.
To cite and understand the structure of DPV, the article "Data Privacy Vocabulary (DPV) - Version 2.0" (2024) describes the current state of DPV and extensions from version 2.0 onwards (open access version here). The earlier article "Creating A Vocabulary for Data Privacy" (2019) describes how the DPV was developed (open access versions here, here, and here).
Contributing: The DPVCG welcomes participation to improve the DPV and associated resources, including expansion or refinement of concepts, requesting information and applications, and addressing open issues. See contributing guide for further information.
This specification was published by the Data Privacy Vocabularies and Controls Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.
GitHub Issues are preferred for discussion of this specification.
The DPVCG was established as part of the SPECIAL H2020 Project, which received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 731601 from 2017 to 2019.
Harshvardhan J. Pandit was funded to work on DPV from 2020 to 2022 by the Irish Research Council's Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790.
The ADAPT SFI Centre for Digital Media Technology is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106 (2018 to 2020) and Grant#13/RC/2106_P2 (2021 onwards).
The contributions of Harshvardhan J. Pandit and Rob Brennan have been made with the financial support of Science Foundation Ireland under Grant Agreement No. 13/RC/2106_P2 at the ADAPT SFI Research Centre.