Analysis of Ontologies and Policy Languages to Represent Information Flows in GDPR

Tracking #: 3009-4223

Beatriz Esteves
Víctor Rodríguez-Doncel

Responsible editor: 
Guest Editors ST 4 Data and Algorithmic Governance 2020

Submission type: 
Survey Article
This article surveys existing vocabularies, ontologies and policy languages that can be used to represent informational items referenced in GDPR rights and obligations, such as the ‘notification of a data breach’, the ‘controller’s identity’ or a ‘DPIA’. Rights and obligations in GDPR are analyzed in terms of information flows between different stakeholders, and a complete collection of 57 different informational items that are mentioned by GDPR is described. 13 privacy-related policy languages and 9 data protection vocabularies and ontologies are studied in relation to this list of informational items. ODRL and LegalRuleML emerge as the languages that can respond positively to a greater number of the defined comparison criteria if complemented with DPV and GDPRtEXT, since 39 out of the 57 informational items can be modelled. Online supplementary material is provided, including a simple search application and a taxonomy of the identified entities.
Full PDF Version: 


Solicited Reviews:
Click to Expand/Collapse
Review #1
By Guido Governatori submitted on 02/Mar/2022
Review Comment:

The revised version fully addressed the comments on the previous version.

Just a very minor comment. The LegalRuleML example reported in the paper is not very representative of the capabilities of LegalRuleML. It serialises in the standard a way to implement in a specific logic a section/clause of GDPR; ideally, LegslRuleMzl should be written, as far as possible, in a way that is neutral of a specific implementation of a specific logic. However, as the authors point out with the reference it is a published version.