[NEW]: DPIA concepts (Conditions for when to conduct a DPIA)
Specs
DPV, Personal Data (PD), Technical (TECH), Locations (LOC), RISK, Other
New Concept(s)
After analysing the processing activities that require a DPIA across all 30 EU/EEA member states, I identified several conditions that highlight the need for additional concepts in the DPV to fully represent all DPIA-required criteria.
The proposal of the concepts can be found here: https://docs.google.com/spreadsheets/d/1_xj4D_3lppqIWQIWbQeDVKMOC5iWItqJpz1qbCNovk4/edit?usp=sharing or DPIA concepts for DPV Final - DPIA high-risk processing activity concepts-2.csv.
The "identifier" column consists of the identifiers assigned to each processing activity, and if you want to find out what overall processing statement is being represented, this can be found in Appendix A of the preprint of our paper: https://osf.io/preprints/osf/6qhzj_v2.
Below are three examples of how these concepts could be used to represent DPIA required conditions:
```turtle
ex:DPIARequiredC8 a eu-gdpr:DPIARequiredProcess ;
    dpv:hasAutomationLevel dpv:Automated ;  # Automated proposed
    dpv:hasConsequence risk:LegalEffect ;  # LegalEffect proposed
    dpv:hasStatus eu-gdpr:DPIARequired ;
    skos:prefLabel "DPIA Required Process # 8" ;
    skos:definition "A process that has automated decision making and/or automated processing with legal or similar effect, due to which it requires a DPIA"@en ;
    dct:source "GDPR, EDPB, AT, BE, BG, HR, CY, CZ, DK, EE, FI, FR, DE, GR, HU, IS, IE, IT, LV, LI, LT, LU, MT, NL, NO, PL, PT, RO, SK, SI, ES, SE" .

ex:DPIARequiredC21 a eu-gdpr:DPIARequiredProcess ;
    dpv:hasDataSubject dpv:AsylumSeeker, dpv:Immigrant ;
    dpv:hasStatus eu-gdpr:DPIARequired ;
    skos:prefLabel "DPIA Required Process # 21" ;
    skos:definition "A processing activity using data concerning asylum seekers and immigrants, due to which it requires a DPIA"@en ;
    dct:source "AT, CY, IE, IT, LV, MT, SI, SE" .

ex:DPIARequiredC76 a eu-gdpr:DPIARequiredProcess ;
    dpv:hasProcessing dpv:Monitoring ;
    dpv:isImplementedUsingTechnology tech:SmartMeter ;  # SmartMeter proposed
    dpv:hasDataController dpv:UtilityProvider ;  # UtilityProvider proposed
    dpv:hasStatus eu-gdpr:DPIARequired ;
    skos:prefLabel "DPIA Required Process # 76" ;
    skos:definition "A processing activity that uses data from the application of smart meters set up by public utility providers (for monitoring of consumption habits), which requires a DPIA."@en ;
    dct:source "BE, HR, GR, HU, NL, PL, RO" .
```
@TyttiKatariina thanks for creating this thread. I recommend two important actions before we discuss this with the broader group:
- Resolve the comments so the proposed concepts are clear and consistent (any remaining comments should be what we want to discuss with the group). It will also be helpful if you explain and consolidate the layout of the spreadsheet as at the moment the first tab contains all the concepts and again the rest of the tabs contain the same concepts.
- The proposal to model a DPIA required process needs to be refined and properly defined so others can understand what it is representing, how to construct it, and how to interpret it. A separate issue would be better to track that as we would also have to think how to model similar requirements in other regulations e.g. FRIA in AI Act. We also have to see where these concepts go as the source (which should not be one long string) refers to the DPIA required activities defined by each DPA, which is a reference to a specific document -- which makes them country-specific while those from EDPB (non-binding) and GDPR (binding) are EU level. So these would be defined in a specific jurisdictional extension.
P.S. There are concepts in the above examples such as dpv:hasAutomationLevel dpv:Automated where dpv:Automated does not exist in DPV nor in the proposals sheet, another example is dpv:AssylumSeeker. There are also issues with relations, e.g. tech:SmartMeter is used with dpv:hasProcessing instead of dpv:isImplementedUsingTechnology.
@coolharsh55 Thanks Harsh for looking over the proposal and for the actions.
Comments have now been resolved in the document, and the first tab has been removed, so each sheet is now according to the extension. Hopefully, it is clear now.
I will create a separate issue for modelling a DPIA required process.
Lastly, I will revise the examples and provide further explanations in a comment below after tomorrow's DPV meeting.