Introduction

One of the novelties of the European General Data Protection Regulation (GDPR) for regulating data controllers is the requirement to take a risk-based approach to the processing of personal data, which means data controllers should proactively consider the risks of their projects or processing activities to prevent, as much as possible, any harm to individuals. The tool envisaged in the GDPR for this goal is the Data Protection Impact Assessment (DPIA). A DPIA is required to assess and manage the risks of any project or processing activity likely to result in a high risk to the rights and freedoms of natural persons. It is valuable not only for building compliance in organizations but also for demonstrating it. In this sense, it can be considered a vital tool for following the Regulation's accountability principle.

The main objective of this ontology is to support the representation of the concepts and entities in the DPIA process to, first, provide a common set of vocabulary which helps the involved stakeholders to interoperate in the DPIA process, and second, to establish a basis for applications supporting DPIA and risk assessment.

The main steps of the DPIA are represented below:

Concepts associated with Scale of Processing Activities

As represented in the flowchart, a DPIA consists of two main steps:

1. DPIA Necessity Assessment

2. Conducting a full DPIA

In the following sections we provide the competency questions related to each of these two steps.

DPIA Necessity Assessment

The first step is to decide whether, according to the GDPR, a full DPIA is needed for a specific project or processing activity. Art. 35(1) ties the necessity of a DPIA to the risk level of the processing activity: if the activity is likely to pose a high risk to the rights and freedoms of individuals, then a DPIA is required. Hence, it can be inferred that the main objective here is to decide whether the processing activity is high-risk or not. This decision is critical and should be made accurately, as wrongly deciding to skip the risk assessment when it is essential may lead to adverse consequences.

GDPR, Art. 35(3) lists three cases in which a DPIA is, in particular, required:

1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.

2. Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.

3. A systematic monitoring of a publicly accessible area on a large scale.

Furthermore, based on GDPR Art.35(1), (3) and Recitals 71, 75, 76, 91, 92 and 116, Article 29 Working Party’s guideline on DPIA provides a more detailed list of the processing operations that need a DPIA. This list contains nine criteria: 1) Evaluation or Scoring, 2) Automated decision making with legal or similar significant effect, 3) Systematic monitoring, 4) Sensitive data or data of a highly personal nature, 5) Data processed on a large scale, 6) Matching or combining datasets, 7) Data concerning vulnerable data subjects, 8) Innovative use or applying new technological or organizational solutions, and 9) Processing preventing data subjects from exercising a right or using a service or contract.

Understanding whether any of these nine criteria applies to a processing operation is not always straightforward for data controllers, as each criterion needs to be interpreted and explained further. As an example, consider the criterion indicating that a DPIA may be needed if data is processed on a large scale. Here, the first and main question for a data controller would be: when is a processing operation considered large-scale? The GDPR gives no complete information on what constitutes large-scale. The WP29 Guidelines on Data Protection Officer, however, define four conditions for this criterion: when a large number of data subjects are involved, when a large volume/range of data is processed, when processing continues for a long duration, and finally, when a large geographical extent is affected.

Deciding about the applicability of some of the other criteria in this list, however, is not that straightforward. For instance, determining whether a new technology or organizational measure is used in the processing activity, or whether a data controller uses a technology in an innovative way is challenging and depends on the interpretation of these terms. This vocabulary aims to assist data controllers in better understanding the riskiness of their processing operations by investigating the elements of information that need to be considered for this purpose and modelling them using Semantic Web technologies. More specifically, the ontology represents the aspects and characteristics of the processing operations which should be considered to assess the risk level of operations.

Ontology Requirement Specification Document

Data Protection Impact Assessment Ontology
1. Purpose
The purpose of the ontology is to support determining whether a processing activity/project is high-risk to the rights and freedoms of individuals, by representing the concepts required to make the inference.
2. Scope
The scope of this ontology is limited to the identification of concepts mentioned in the European GDPR for reaching the abovementioned purpose. Other guidelines which give further explanations of GDPR Articles, such as the WP29 guideline on DPIA [], as well as various case law and DPA decisions, have been considered in this work.
3. Implementation Language
OWL
4. Intended End-Users
1. Developers of applications supporting DPIA
2. Data controllers collecting personal data, or in particular, Data Protection Officers (DPO).
5. Intended Uses
1. Identification of high-risk processing activities/projects.
2. Understanding whether a DPIA is necessary for a processing activity/project.
3. Development of wizard tools/ applications assisting data controllers to detect processing operations with high risk.
6. Ontology Requirements
a. Non-Functional Requirements
NFR 1. The ontology should be published online, following the FAIR principle[].
b. Functional Requirements: Competency Questions
CQG1. Large-scale Data Processing
CQ1. What is the scale of the processing activity?
CQ1.1. What is the scale of data subject affected by the processing activity?
CQ1.2. What is the scale of personal data associated with the processing activity?
CQ1.3. How many ranges of personal data items are going to be processed?
CQ1.4. What is the geographical extent of the processing activity?
CQ1.5. What is the frequency of the processing activity?
CQ1.6. For how long does the processing activity last?
CQG2. Processing of Sensitive Data
CQ2. What is the category of personal data used in the processing operation?
CQ2.1. Does the processing operation contain special categories of data listed in GDPR Art. 9?
CQ2.2. Does the processing operation contain processing of personal data relating to criminal convictions and offences (Art. 10)?
CQ2.3. Does the processing contain other types of personal data of a highly personal nature (such as electronic communications, locations, etc.)?
CQG3. Data Concerning Vulnerable Data subjects
CQ3. Who are the data subjects affected by the processing activity?
CQ3.1. Does the processing activity target any vulnerable data subject?
CQ3.2. What is the relationship between the data controller and the data subject?
CQ3.3. Considering the purpose of the processing, is there any increased power imbalance between the data controller and data subjects?
CQ3.4. Are data subjects unable to easily give consent to, or oppose, the processing of their data, or to exercise their rights (children, etc.)?
CQ3.5. Do data subjects need special protection (mentally ill persons, asylum seekers, the elderly, patients)?
CQG4. Use of New and Innovative Technology and Organizational Solution
CQ4. What type of technology or organizational solutions do you use in your processing operation?
CQ4.1. Do you use innovatively different technology or organizational solutions in your processing operation?
CQ4.2. Do you use new technological or organizational solutions in your processing operation?
CQG5. Automated decision making with legal or similar significant effect
CQ5. Does the processing include any automated decision making with legal or similar significant effect on individuals?
CQ5.1. Is personal data processed for making a decision?
CQ5.2. Does the processing operation involve some form of automation?
CQ5.3. Is any human involved in the processing activity?
CQ5.3.1. If the answer to CQ8.3 is yes, what is the influence of the human on the result?
(does the person have the authority or competence to change the generated result/ have an actual influence on the result?)
CQ5.3.2. If the answer to CQ8.3 is yes, at what stage of the decision-making process is the human involved?
CQ5.4. What is the impact of processing on the individuals?
CQ5.4.1. What is the legal impact of processing on the individuals?
CQ5.4.1.1. What is the effect of processing on the individuals' legal rights?
CQ5.4.1.2. What is the effect of processing on the individuals' legal status?
CQ5.4.1.3. What is the effect of processing on the individuals' rights under a contract?
CQ5.4.2. What are the similarly significant effects of the processing on individuals?
CQG6. Systematic Monitoring
CQ6. Does the processing activity include any systematic monitoring of data subjects?
CQ6.1. Does the processing activity include any monitoring of data subjects?
CQ6.1.2. Does the processing activity include observing, monitoring, controlling, or tracking data subjects on the internet?
CQ6.1.3. Does the processing operation include tracking or monitoring individuals in a publicly accessible area?
CQ6.1.4. What is the effect of processing on the individuals' rights under a contract?
CQ6.2. If the answer to CQ.1. is yes, is the monitoring conducted in a systematic manner?
CQ6.2.1. Is the monitoring part of a general plan for the data collection phase?
CQ6.2.2. Does the monitoring occur according to a system?
CQ6.2.3. Is it a pre-arranged, organised or methodical monitoring?
CQ.2.4. Is the monitoring taking place as part of a strategy?
CQG7. Matching or Combining Datasets
CQ7. Does data originate from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject?
CQ7.1. What is the origin/source of the dataset used for data processing?
CQ7.2. If data is the result of a processing operation, what is the purpose for it?
CQ7.3. Who is the data controller/processor that generated/collected the data?
CQG8. Evaluation or Scoring
CQ8.1.

Conducting a Full DPIA

Ontology Requirement Specification Document

Data Protection Impact Assessment Ontology
1. Purpose
The purpose of the ontology is to represent the pieces of information that must be present in a DPIA document.
2. Scope
The scope of this ontology is limited to the identification of concepts mentioned in the European GDPR for reaching the abovementioned purpose. Other guidelines which give further explanations of GDPR Articles, such as the WP29 guideline on DPIA [], as well as various DPA guidelines such as CNIL [], ICO, and AEPD [], have been considered in this work.
3. Implementation Language
OWL
4. Intended End-Users
1. Developers of applications supporting DPIA
2. Data controllers collecting personal data.
5. Intended Uses
1. Representation of the necessary information in a DPIA in a machine-readable manner
2. Supporting development of applications that assist data controllers in conducting impact and risk assessment.
6. Ontology Requirements
a. Non-Functional Requirements
NFR 1. The ontology should be published online, following the FAIR principle[].
b. Functional Requirements: Competency Questions
CQG1. Specifications of Data Controller and other Stakeholders
CQ1. Who is/are the Data Controller(s) associated with the DPIA?
CQ2. What is/are the data controller(s) contact information?
CQ3. Who is the Data Protection Officer (DPO) associated with the DPIA?
CQ4. What is the identification information of the team leader who conducts the DPIA?
CQ5. What is the main department in charge of the processing activity?
CQ6. What are the other departments involved in some of the phases of the processing operation?
CQ7. What is the identification information of the responsible units for managing the processing within the controller organisation?
CQ8. Who are the data processors involved in the processing?
CQ9. Who are the sub-processors involved in the processing?
CQ10. What is the identification information of the Point of Contact (POC), or DPO, for the processors/sub-processors?
CQ11. If there are any, who are the Joint-controllers?
CQ12. What is the identification information of the Point of Contact (POC), or DPO, for the controller/joint-controller?
CQ13. What is the identification information of the Point of Contact (POC) in each of the management units or functional units involved in processing?
CQ14. What are the responsibilities of each stakeholder?
CQ15. What is the Project or Processing Activity associated with the DPIA?
CQ16. What are the Data Protection Authorities' guidelines the DPIA pertains to?
CQ17. If there are any, what are the approved Codes of Conduct this DPIA pertains to?
CQ18. What is the Law of the Member State to which the controller is subject?
CQ19. If there are any, what are the data protection certifications (GDPR, Art. 42) issued by certification bodies to the data controller/data processor?
CQG2. Describing the Processing
CQ1. What is/are the Processing Activity(ies) associated with the DPIA?
CQ2. What are the Purposes of the processing?
CQ3. What are the Personal Data associated with the processing?
CQ4. If there are any, what are the Sensitive data, Special Category of data or Criminal Offence Data associated with the processing?
CQ5. What is the data lifecycle (from collection to destruction)?
CQ6. How much data will be collected and processed?
CQ7. What is the technology used to collect/use/store/destroy/transfer data?
CQ8. What is the source of personal data?
CQ9. Who has access to personal data?
CQ10. What are the data supporting assets? (Asset on which personal data rely. Note: this may be hardware, software, networks, people, paper or paper transmission channels. e.g, operating systems, business applications, database management systems, office suites, protocols, configurations, etc.)
CQ11. Who are the recipients of personal data?
CQ12. What is the data storage duration?
CQ13. What is the Legal Basis of the Processing?
CQ14. Who are the Data Subjects associated with the DPIA?
CQ15. If there are any, what are the Vulnerable Data Subjects associated with the DPIA?
CQ16. What is the nature of relation between Data Subjects and Data Controllers?
CQ17. How many individuals will be affected by the processing activity?
CQ18. What is the frequency of the processing?
CQ19. What geographical area does the data collection/processing cover?
CQG3. Assessment of GDPR fundamental principles
CQ1. Is the processing activity necessary considering the purpose?
CQ1.1. What is the lawful basis for the processing?
CQ1.2. Why are the proposed processing operations necessary for your organisation to fulfil the mandate assigned to it?
CQ1.3. What are the alternative processing operations to achieve the purpose?
CQ1.4. What is the level of risk of the alternative processing operations (why is the chosen one the less intrusive)?
CQ2. Are the Processing Activities Proportional considering the Purpose?
CQ3. What are the controls used to ensure the fundamental principles of GDPR (lawfulness, data minimization, data quality, storage limitation)?
CQ4. What are the controls to support data subjects' rights under the GDPR?
CQ5. What are the justifications when processing benefits from an exemption from right of data subjects?
CQ6. What are the safeguards for international transfer (if any)?
CQ7. What are the measures to ensure processors comply?
CQG4. Necessity of DPIA
CQ1. Why is a DPIA necessary for the Processing activity(s)/project(s)?
CQ1.1. Does the Processing activity(s)/project(s) belong to the category of high-risk processing activities for which a DPIA is required, as mentioned in the GDPR or by the DPA? (see Necessity of DPIA competency questions)
CQ1.1.1. If yes, which type of high-risk processing activity is it?
CQ1.1.2. If no, what are the other reasons for conducting a DPIA (e.g., further protection and assurance in case of doubt)?
CQ2. Why is a DPIA not necessary for the Processing activity(s)/project(s)?
CQ2.1. Is the Processing activity necessary for compliance with a Legal Obligation to which the Controller is subject?
CQ2.2. Is Processing activity necessary for the performance of a task carried out in the Public Interest or in the exercise of official authority vested in the controller?
CQ2.3. Is the Processing operation/project of a type not resulting in a high risk to the rights and freedoms of individuals?
CQ2.4. Has the Processing operation previously been found not to be at risk by a DPIA?
CQ2.5. Has any other DPIA been conducted in the past which addressed the impacts of similar Processing Activities/projects?
CQ2.6. Has the Processing operation already been authorised by supervisory authority?
CQ2.7. Has the supervisory authority chosen to enumerate the processing operation in accordance with GDPR Article 35(5)?
CQ2.8. Does the Processing operation pursuant to point (c) or (e) of Article 6(1) already have an existing clear and specific legal basis in the EU or the Member State to which the controller is subject? (where a DPIA has already been carried out as part of the establishment of that legal basis as per Article 35(10))
CQG5. Risk Assessment
CQ1. What are the Risks associated with the processing or project in general, to the rights and freedoms of data subjects?
CQ2. What is the Origin (Source) of the Risk? (processing, personal data, technology, data subject, etc.)
CQ3. What are the Impacts of each risk on the data subjects, data protection, and personal data?
CQ4. What are the likelihood, severity and overall score of the risk?
CQ5. What are the compliance risks for your organization?
CQ6. What are the possible Mitigation Measures for each Risk?
CQ7. What are the effects of the Mitigation Measures on Risks?
CQ8. What are the Residual Risks after applying the Measures?
CQ9. What is the level of Residual Risk? (Low, Medium, High)
CQ10. What is the status/state of the Risk? (Accepted, Rejected, Pending)
CQ11. Who sets the status/state of the Risk?
CQ12. What is the timestamp associated with the status/state of the Risk?
CQ13. What is the status/state of the Mitigation Measures? (Accepted, Rejected, Pending)
CQ14. Who sets the status/state of the Mitigation Measures?
CQ15. What is the timestamp associated with the status/state of the Mitigation Measures?
CQG6. Advice and Consultation
CQ1. What is the Advice of Data Protection Officer about the DPIA?
CQ2. If the level of Residual Risk is High, has a Prior Consultation with DPAs been performed?
CQ2.1. If the prior consultation has been performed, with which Supervisory Authority?
CQ2.2. If the prior consultation has been performed, when?
CQ2.3. If the prior consultation with DPAs has been performed, what is the result? (Processing operation/project authorized, Processing operation/project not authorized, Recommendations provided)
CQ2.4. If applicable, what are the Views of affected Data Subjects or their Representative on the intended Processing?
CQ2.5. If it is not appropriate to consult with the affected Data Subject, what is the reason?
CQ3. What other stakeholders has the data controller consulted with?

Namespaces

Prefix Namespace
rdf http://www.w3.org/1999/02/22-rdf-syntax-ns#
rdfs http://www.w3.org/2000/01/rdf-schema#
owl http://www.w3.org/2002/07/owl#
dct http://purl.org/dc/terms/
ns1 http://purl.org/vocab/vann/
xsd http://www.w3.org/2001/XMLSchema#
dpv http://www.w3.org/ns/dpv#

Specification

In this section, the classes and properties for representing each of the nine criteria mentioned earlier are listed.

Large-scale Data Processing

The WP29 guideline on DPIA mentions the scale of the processing as a determinant criterion in understanding the risk level of processing operations. It recommends the following factors to be considered when determining whether the processing is conducted on a large scale:

1. the number of data subjects concerned, either as a specific number or as a proportion of the relevant population

2. the volume of data and/or the range of different data items being processed

3. the duration, or permanence, of the data processing activity

4. the geographical extent of the processing activity

Accordingly, the following classes and properties are defined to represent the concepts indicated in the guideline.

Diagram

Concepts associated with the scale of processing activities are represented below:

Concepts associated with Scale of Processing Activities

processing Affects Scale of Data Subject

Definition: Property to associate processing activity to the scale of affected data subjects
Label: gdpia:processingAffectsScaleOfDataSubject
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

processing Affects PersonalData Volume

Definition: Property to associate processing activity to the volume of used/processed personal data.
Label: gdpia:processingAffectsPersonalDataVolume
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

processing Affects Data Range Scale

Definition: Property to associate processing activity to the scale of the ranges of personal data processed.
Label: gdpia:processingAffectsDataRangeScale
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

processingHasDuration

Definition: Property to associate processing activity to its duration or permanence.
Label: gdpia:processingHasDuration
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

processingHasFrequency

Definition: Property to associate processing activity to its frequency.
Label: gdpia:processingHasFrequency
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

processing Has Geographical Extent

Definition: Property to associate processing activity to its geographical extent.
Label: gdpia:processingHasGeographicalExtent
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

ProcessingScale

Definition: Scale of the processing activity in general.
Label: gdpia:ProcessingScale
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

DataSubjectScale

Definition: Scale of data subjects affected by the processing activity.
Label: gdpia:DataSubjectScale
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

Personal Data Volume

Definition: The volume of data being processed.
Label: gdpia:PersonalDataVolume
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

Duration

Definition: The duration, or permanence, of the data processing activity.
Label: gdpia:Duration
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

Frequency

Definition: The frequency of data processing activity.
Label: gdpia:Frequency
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

GeographicalExtent

Definition: The geographical extent of the processing activity.
Label: gdpia:geographicalExtent
Source: WP29 Guidelines on Data Protection Officer 16/EN WP 243,

Processing Sensitive Data

The WP29 guideline on DPIA specifies 3 kinds of personal data whose processing may lead to a high risk to the rights and freedoms of individuals:

1. Special categories of personal data mentioned in GDPR, Article 9 (such as health data, political belief, sexual orientation, etc.).

2. Personal data associated with criminal convictions or offences as defined in GDPR, Article 10.

3. Personal data of a highly personal nature, or as commonly known, sensitive data. These personal data are considered sensitive because they are strongly linked to private activities (electronic communications), affect the exercise of fundamental rights, or their leak may have a significant impact on individuals.

Diagram

Concepts associated with the sensitive data are represented below:

Concepts associated with Processing of sensitive data

Personal Data

Definition: Personal data being processed.
Label: gdpia:PersonalData
Source:

Sensitive Data

Definition: Sensitive data includes special categories of data, criminal convictions and offences, as well as data of a highly personal nature, such as electronic communications, whose confidentiality should be protected.
Label: gdpia:SensitiveData
Source:

Special Category of Data

Definition: Special categories of personal data mentioned in GDPR, Article 9(1), whose processing is prohibited except in the cases mentioned in Article 9(2).
Label: gdpia:SpecialCategoryOfData
Source: GDPR, Art.9(1)

Criminal Convictions or Offences

Definition: Personal data relating to criminal convictions and offences.
Label: gdpia:CriminalConvictionsOffences
Source: GDPR, Art.10

Data concerning vulnerable data subjects

Diagram

Concepts associated with the processing operations affecting vulnerable data subjects are represented below:

Concepts associated with processing affecting vulnerable data subjects

Vulnerable Data Subject

Definition: Data subjects who are considered to be vulnerable.
Label: gdpia:VulnerableDataSubjects
Source: GDPR, Recital 75

Subject-Controller Relationship

Definition: Type of relation between data subject and data controller
Label: gdpia:SubjectControllerRelationship
Source:

Child

Definition: A 'child' is a natural legal person who is below a certain legal age depending on the legal jurisdiction.
Label: gdpia:Child
Source: GDPR, Recital 38

Employee

Definition: Employee
Label: gdpia:Employee
Source: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

Patient

Definition:
Label: gdpia:Patient
Source: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

Asylum Seeker

Definition: Asylum Seeker
Label: gdpia:AsylumSeeker
Source: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

Elderly

Definition: Elderly
Label: gdpia:Elderly
Source: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

Mentally Ill Person

Definition: Person with mental illness
Label: gdpia:MentallyIllPerson
Source: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.

Use of New and Innovative Technology and Organizational Solution

Diagram

Concepts associated with the new and innovative use of technology:

Technology

Definition: Technology used to implement the processing operation or technical measure.
Label: gdpia:Technology
Source:

New Technology

Definition:
Label: gdpia:NewTechnology
SubClass of: gdpia:Technology
Source:

Innovative Use of Technology

Definition: Using existing technologies in a new or innovative way.
Label: gdpia:InnovativeUseOfTechnology
Source:

implemented Using Technology

Definition: Property to associate a processing activity or a technical measure to the technology used for its implementation.
Label: gdpia:implementedUsingTechnology
Source:

Automated decision making with legal or similar significant effect

Diagram

Concepts to represent Automated-decision making with legal or similar significant effect:

Decision Making

Definition: The process of making a choice, based on certain criteria, from two or more alternatives. It covers a wide range of operations, from authentication and anonymization to recommendation and profiling, through the use of tools ranging in complexity from simple spreadsheet formulas to advanced statistical modeling, rules-based artificial intelligence, or machine learning.
Label: gdpia:DecisionMaking
Source:

Human Involvement

Definition:
Label: gdpia:HumanInvolvement
Source:

has Human Involvement

Definition: Property to model whether the processing activity has any form of human involvement.
Label: gdpia:hasHumanInvolvement
Domain: gdpia:ProcessingActivity
Range: xsd:boolean
Source:

has Form of Automation

Definition: Property to determine whether the processing activity has any form of automation.
Label: gdpia:hasFormOfAutomation
Domain: gdpia:ProcessingActivity
Range: xsd:boolean
Source:

Decision Making Stage

Definition: A stage in the process of Decision Making.
Label: gdpia:DecisionMakingStage
Source:

has Authority Level

Definition: The authority level of the human (in terms of his power to modify the results) involved in the processing.
Label: gdpia:hasAuthorityLevel
Source:

Impact

Definition: Impact of the processing activity on individuals.
Label: gdpia:Impact
Source:

Significant Impact

Definition: Impact that significantly affects the data subject, e.g., affects the circumstances, behaviour or choices of the individuals concerned; has a prolonged or permanent impact on the data subject; or, at its most extreme, leads to the exclusion or discrimination of individuals.
Label: gdpia:SignificantImpact
SubClass of: gdpia:Impact
Source:

Impact with Legal Consequence

Definition: Any effect on someone's legal situation, such as legal rights, legal status, etc.
Label: gdpia:ImpactWithLegalConsequence
SubClass of: gdpia:SignificantImpact
Source:

Impact on Rights

Definition: Impact of the processing activity on someone's legal rights, such as the freedom to associate with others, vote in an election, or take legal action.
Label: gdpia:ImpactOnRights
SubClass of: gdpia:ImpactWithLegalConsequence
Source:

Impact on Legal Status

Definition: Impact of the processing activity on someone's legal status.
Label: gdpia:ImpactOnRights
SubClass of: gdpia:ImpactWithLegalConsequence
Source:

Impact on Contract Rights

Definition: Impact of the processing activity on someone's rights under a contract; for example, cancellation of a contract.
Label: gdpia:ImpactOnRights
SubClass of: gdpia:ImpactWithLegalConsequence
Source:
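
Competency questions are normally checked by querying instance data written with the ontology's terms. The following added example (not part of the ontology or its authors' tooling) describes one processing activity with the scale properties and the two xsd:boolean properties listed above, then reports which of CQ1.1 to CQ1.6, CQ5.2 and CQ5.3 the description answers. Assumptions: the gdpia namespace IRI (the page does not give one), the constructed instance names, the mapping of each question to a property, and treating the stated domain and range as closed-world input checks rather than OWL inference.

```python
from typing import NamedTuple

# ASSUMPTION: placeholder IRIs; the page does not state the gdpia namespace.
GDPIA = "https://example.org/gdpia#"
EX = "https://example.org/dpia-demo#"          # constructed instance namespace
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
XSD = "http://www.w3.org/2001/XMLSchema#"


class Literal(NamedTuple):
    """Typed literal: lexical form plus datatype IRI."""
    lexical: str
    datatype: str


# ASSUMPTION: question-to-property mapping read off the property definitions.
CQ_PROPERTIES = {
    "CQ1.1": "processingAffectsScaleOfDataSubject",
    "CQ1.2": "processingAffectsPersonalDataVolume",
    "CQ1.3": "processingAffectsDataRangeScale",
    "CQ1.4": "processingHasGeographicalExtent",
    "CQ1.5": "processingHasFrequency",
    "CQ1.6": "processingHasDuration",
    "CQ5.2": "hasFormOfAutomation",
    "CQ5.3": "hasHumanInvolvement",
}
# The specification gives these two a domain of gdpia:ProcessingActivity
# and a range of xsd:boolean.
BOOLEAN_PROPERTIES = {"hasFormOfAutomation", "hasHumanInvolvement"}


def match(triples, s=None, p=None, o=None):
    """Return triples matching the pattern; None is a wildcard."""
    return [t for t in triples
            if (s is None or t[0] == s)
            and (p is None or t[1] == p)
            and (o is None or t[2] == o)]


def is_xsd_boolean(node):
    """True for a literal typed xsd:boolean with a legal lexical form."""
    return (isinstance(node, Literal)
            and node.datatype == XSD + "boolean"
            and node.lexical in ("true", "false", "1", "0"))


def check_activity(triples, activity):
    """Return (answers, unanswered, violations) for one processing activity.

    answers    -- CQ id -> list of valid values found
    unanswered -- CQ ids with no valid value (gaps in the description)
    violations -- domain/range problems on the boolean properties
    """
    answers, unanswered, violations = {}, [], []
    typed = bool(match(triples, activity, RDF_TYPE, GDPIA + "ProcessingActivity"))
    for cq, prop in CQ_PROPERTIES.items():
        values = [o for _, _, o in match(triples, activity, GDPIA + prop)]
        if prop in BOOLEAN_PROPERTIES and values:
            if not typed:
                violations.append(
                    f"{prop}: subject is not typed gdpia:ProcessingActivity")
            for v in values:
                if not is_xsd_boolean(v):
                    violations.append(f"{prop}: {v!r} is not a valid xsd:boolean")
            values = [v for v in values if is_xsd_boolean(v)]
        if values:
            answers[cq] = values
        else:
            unanswered.append(cq)
    return answers, unanswered, violations


# Constructed sample: a city-wide camera analytics activity (not real data).
ACTIVITY = EX + "cameraAnalytics"
SAMPLE = [
    (ACTIVITY, RDF_TYPE, GDPIA + "ProcessingActivity"),
    (ACTIVITY, GDPIA + "processingAffectsScaleOfDataSubject", EX + "scaleCityPopulation"),
    (ACTIVITY, GDPIA + "processingHasGeographicalExtent", EX + "extentCityWide"),
    (ACTIVITY, GDPIA + "processingHasDuration", EX + "durationPermanent"),
    (ACTIVITY, GDPIA + "hasFormOfAutomation", Literal("true", XSD + "boolean")),
    # Deliberately malformed: free text where xsd:boolean is required.
    (ACTIVITY, GDPIA + "hasHumanInvolvement", Literal("yes", XSD + "string")),
]

if __name__ == "__main__":
    answers, unanswered, violations = check_activity(SAMPLE, ACTIVITY)
    print("answered:  ", sorted(answers))
    print("unanswered:", unanswered)
    for v in violations:
        print("violation: ", v)
```

The unanswered list is the part a DPIA wizard would turn into follow-up prompts for the data controller before any scale or automation criterion is assessed.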