The ISO/IEC TS 27560:2023 Privacy technologies — Consent record information structure provides guidance on the creation of information records for representing information about consent. It also provides guidance on the use of this information in the form of 'receipts' that can be provided to assert the information in records. This document is a guide for the implementation of ISO/IEC TS 27560:2023 by using the Data Privacy Vocabulary (DPV) to represent information. Additionally, this document also provides guidance on using ISO/IEC TS 27560:2023 for meeting GDPR requirements regarding consent records.

This document is published by the Data Privacy Vocabularies and Controls Community Group (DPVCG) as a deliverable and report of its work in creating and maintaining the Data Privacy Vocabulary (DPV).

Contributing to the DPV and its extensions The DPVCG welcomes participation regarding the DPV, including expansion or refinement of its terms, addressing open issues, and welcomes suggestions on their resolution or mitigation. For further information, please see the contribution section.

Namespaces

The schemas or profiles defined by DPVCG for the implementation of [[ISO-27560]] are provided under the IRI https://w3id.org/dpv/schema/iso-27560, prefixed hereafter as dpv-27560:

  1. https://w3id.org/dpv/schema/iso-27560#record for Consent Records
  2. https://w3id.org/dpv/schema/iso-27560#receipt-minimal for Consent Receipts with minimal information from corresponding consent record(s)
  3. https://w3id.org/dpv/schema/iso-27560#receipt-summary for Consent Receipts with summary information from corresponding consent record(s)
  4. https://w3id.org/dpv/schema/iso-27560#receipt-full for Consent Receipts with full information from corresponding consent record(s)
  5. https://w3id.org/dpv/schema/iso-27560#record-GDPR for Consent Records implemented as per GDPR's requirements for information to be maintained regarding processing of personal data
  6. https://w3id.org/dpv/schema/iso-27560#receipt-GDPR for Consent Receipts implemented as per GDPR's requirements for information to be provided to the data subject

The following namespaces and prefixes are used throughout this document:

prefixURI
dpv https://w3id.org/dpv#
dpv-gdpr https://w3id.org/dpv/dpv-gdpr#
dct http://purl.org/dc/terms/
ex https://example.com/

Introduction

Consent Records and Receipts

(Given) Consent is an important legal basis as it requires an affirmative action from data subjects or users that must fulfil certain conditions to be considered Valid Consent. Such requirements can be defined through regulations such as [[GDPR]] or through use of standards and codes of conduct. Informed Consent is one such requirement that requires information be provided, in the form of a Consent Notice, to inform the data subject about the processing that will occur based on the consent and to enable them to make an informed choice or decision.

In order to assess whether an instance of given consent is valid thus requires keeping records of information regarding how the consent was obtained i.e. the notice, and how the consent is being utilised i.e. the processing enabled through that consent. This same information is also required for the organisation to determine whether its processing activities should continue, e.g. depending on whether a particular user has given consent, and where different systems require this information, e.g. different processes using their own technologies to store and check consent. Such information that is documented and maintained regarding consent is called a Consent Record.

Where the information is to be communicated to another entity, it can be provided in the form of a Consent Receipt, which is an authoritative copy of the consent record - similar to how a shopping transaction invovles a merchant's copy and a receipt provided to the customer. While consent records have been maintained by organisations for some time now, the issuing of consent receipts is a relatively new activity.

[[[ISO-27560]]] is a Technical Specification (TS) that "specifies an interoperable, open and extensible information structure" for recording the data subject's consent to processing of their personal data i.e. as consent records, and to provide this information i.e. as consent receipts. The specification lists information fields that represent specific information associated with consent, and requirements over the form this information can take e.g. format, number of values, and whether it is mandatory or optional to be present. A [[ISO-27560]] conformant implementation is one that fulfils all requirements by either storing information in the form prescribed by [[ISO-27560]], or by storing information in a form that can be converted or transformed to fulfil its requirements.

[[ISO-27560]] allows for changes to made to the fields, for example to suit and match domain-specific labels or descriptions, or to introduce additional fields or information types that are needed. Such changes, expressed as schemas or profiles, are still required to be compatible with the requirements of [[ISO-27560]], such as by requiring the same fields to be mandatory. This document, referred to as [[DPV-27560]], is a schema or profile of [[ISO-27560]], and is intended to enable the use of [[DPV]] to represent information for the implementation of consent records and receipts.

Objectives

The following are the objectives of this document:

  1. To introduce [[[ISO-27560]]] for [[[DPV]]] audiences.
  2. To provide a mapping of [[ISO-27560]] to [[DPV]] concepts.
  3. To define [[DPV-27560]] as a schema or profile of [[ISO-27560]] that uses [[DPV]] concepts to represent information.
  4. To provide examples and guidance for the use of [[DPV-27560]].

Scope

The scope of this document is defined as follows:

Terminology

The terminology used in [[ISO-27560]], [[GDPR]], and [[DPV]] differ in terms or labels used, but largely represent the same semantic concepts. This guide uses the [[DPV]] terminology unless referring to specific fields or terms used in a particular document. To assist with understanding and applying the terminologies across these three sources, [[[#terms]]] provides a summary table mapping the terms.

Overview of 27560

Goals & Scope

[[[ISO-27560]]] has two broad goals: to guide the recording of information about consent for processing of personal data in a form that is interoperable, open, and extendable, and to provide information to individuals. To supplement this, it defines several requirements (as controls in ISO terminology) for ensuring the required information is maintained and is supported by appropriate processes within the organisation. [[ISO-27560]] is stated as a supplement to the earlier [[[ISO-29184]]], where [[ISO-29184]] defines how information is provided via notices in order to request consent, and [[ISO-27560]] defines how information is recorded for given consent and provided back to the individual (as receipts).

The objective of [[ISO-27560]] is to define an information structure for consent record which contains information about: (1) Personal data associated with processing activities; (2) Notices describing the processing activities; (3) Sources of data with methods and timestamps for how it was obtained; and (4) When consent was given. It also defines the information structure for the optional provision of this information or a reference to this information - to the data subject in the form of a consent receipt.

Specific implementations and considerations are defined to be out of scope and as 'implementation details'. Annexes in [[ISO-27560]] provide informative guidance on: Performance and efficiency considerations (Annex C), Format and encoding structures (Annex D), Security of records and receipts (Annex E), and application in PIMS or privacy information management systems (Annex G). Further uses of consent records or receipts, such as how data subjects can obtain consent receipts or maintain their own consent records - it not within the scope of [[ISO-27560]].

Structure

Most of [[ISO-27560]] describes the information and fields in a Consent Record, which are reused in the section for Consent Receipt. A Consent Record contains four sections as described below and depicted visually in the figure:

  1. Header: metadata about the record e.g. its unique identifier and timestamp of creation.
  2. Processing: information about the processing activities e.g. purposes, personal data.
  3. Parties: information about entities involved in the processing e.g. controllers.
  4. Events: information about consent events e.g. consent given, consent withdrawn.
Summary of fields in ISO/IEC TS 27560:2023. The field names have been modified for alignment with DPV concepts. Field names in bold are required to be present.

Each section contains fields which describe the information that must be represented along with the form (e.g. timestamp format) and its necessity (e.g. required or optional). Certain fields are expressed as references to other fields (e.g. controller in Processing is a reference to a value in Parties).

Consent Receipt

The Consent Receipt in [[ISO-27560]] contains only two required fields representing a unique identifier for the receipt and the schema version used for the structuring of information. The information and contents are undefined and left to each implementor to specify. A receipt can optionally contain the entirety of the information within a consent record or can also multiple records or contain other information not within a record. Alternatively, a receipt can contain references to information within a record without containing the information itself e.g. as the consent record identifier.

Mapping 27560 to DPV and GDPR

The table below provides a comparison between the terms and concepts used in [[ISO-27560]], [[GDPR]], and [[DPV]]. It is neither exhaustive nor authoritative, and is provided as an informative resource to better understand and apply the concepts as they are expressed in the two normative documents ([[ISO-27560]] and [[GDPR]]). The column req.? reflects whether maintaining information on the concept is mandatory or optional. Where the value of this is expressed as a dash (-) it means not applicable to reflect the concept is not present or is covered by another term in the table. Note that for GDPR, the table only reflects the information to be maintained - either directly associated with the consent or elsewhere, and does not cover any specific requirements such as the validity of consent as per Art.4-11 or application of principles in Art.6.

27560 term req.? relevant GDPR clause req.? DPV concept
definitions
consent - 4-11 consent - dpv:ExpressedConsent
consent record - 7-1 demonstrate consent - dpv:ConsentRecord
consent receipt - 13 info on legal basis - dpv:ConsentReceipt
consent type - 4-11; 9-2a - dpv:Consent subtypes
PII Principal - 4-1 data subject - dpv:DataSubject
PII Controller - 4-7 controller; 26-1 joint controllers - dpv:DataController, dpv:JointDataControllers
PII Processor - 4-8 processor; 28-2 processor appointed by processor - dpv:DataProcessor, dpv:DataSubProcessor
Third Party - 4-10 third party - dpv:ThirdParty
Processing of PII - 4-2 processing - dpv:Processing
Sensitive PII - 9 special categories of data - dpv:SensitivePersonalData, dpv:SpecialCategoryPersonalData
PII - 4-1 personal data - dpv:PersonalData
metadata
schema version Y N/A - dct:conformsTo
record id Y N/A - dct:identifier, dpv:hasIdentifier
receipt id Y N/A - dct:identifier, dpv:hasIdentifier
pii principal id Y N/A - dpv:DataSubject, or dpv:hasDataSubject with dct:identifier
processing fields
privacy notice Y 13, 14 information to be provided Y dpv:PrivacyNotice, dpv:ConsentNotice
language Y N/A - dct:language
purpose Y 6-1a purpose Y dpv:Purpose
purpose type N N/A - dpv:Purpose parent in taxonomy
lawful basis N 6 legal basis Y dpv:LegalBasis
pii information Y N/A - dpv:hasPersonalData (reference to information)
pii controllers Y N/A - dpv:hasDataController (reference to information)
collection method N 13-1 collected from data subject; 14-2f source Y dpv:DataSource, dpv:Collect
processing method N 4-2 processing; 30-2b processing categories; 13-2f, 14-2g, 151-h automated decision making, logic, consequences; 35-1b large scale processing of special categories; 35-1c large scale of processing Y dpv:Processing and parent in taxonomy, dpv:AutomationOfProcessing, dpv:Profiling, dpv:AlgorithmicLogic, dpv:Consequence; dpv:DataVolume, dpv:ScaleOfProcessing
storage locations Y 15-2 third country Y dpv:StorageLocation. dpv:Jurisdiction
retention period Y 13-2a, 14-2a, 15-1d storage period or criteria; 30-1f erasure time limit Y dpv:StorageCondition, dpv:StorageDuration, dpv:StorageDeletion
processing location N 13-1f, 14-1f, 15-2 transfer to third country Y dpv:Location, dpv:Jurisdiction
geographic restrictions N 13-1f, 14-1f, 15-2, 30-1e, 30-2c, 44, 45, 46, 47, 48, 49-1a transfer to third country Y dpv:Location, dpv:Jurisdiction, dpv:Rule
service N N/A - dpv:Service (proposed)
jurisdiction Y N/A - dpv:Jurisdiction
recipient third parties Y 4-9 recipient; 4-10 third party Y dpv:Recipient, dpv:ThirdParty
withdrawal method Y 7-3, 13-2c, 14-2d withdrawing consent Y dpv:ConsetWithdrawalProcess (proposed Organisational measure)
privacy rights N 13-22 rights Y dpv:DataSubjectRight, dpv:RightExerciseNotice
codes of conduct N 24-3, 32-3, 35-8, 40 codes of conduct; 42 certification N dpv:CodeOfConduct, dpv:CertificationSeal
impact assessment N 35 DPIA N dpv:ImpactAssessment
authority party N 13-2d, 14-2e, 15-1f complaint to authority; 51 supervisory authority; 56 lead authority. Y dpv:Authority
personal data fields
pii type Y 4-1, 14-1d, 15-1b personal data categories Y dpv:PersonalData
pii attribute id N N/A - dct:identifier
pii optional N 13-2e, 35 necessity of personal data Y dpv:Necessity
sensitive pii category N N/A - dpv:SensitivePersonalData
special pii category N 9 special categories of data Y dpv:SpecialCategoryPersonalData
party fields
party id Y N/A - dct:identifier, dpv:hasIdentifier
party address Y 13-1a, 14-1a identity of controller Y dpv:hasAddress
party email N N/A - dpv:hasContact
party url N N/A - dpv:hasContact
party phone N N/A - dpv:hasContact
party name Y 13-1a, 14-1a identity of controller Y dpv:hasName
party role N 4-1 data subject; 4-7 controller; 4-8 processor; 4-9 recipient; 4-10 third party; 4-17 representative; 4-21 supervisory authority Y dpv:DataSubject, dpv:DataController, dpv:DataProcessor, dpv:Recipient, dpv:ThirdParty, dpv:Representative; dpv:Authority
party contact Y 13-1a, 14-1a contact details of controller Y dpv:hasContact
party type Y 4-9 recipient, data importer and data exporter (external concepts) Y dpv:Recipient, dpv:DataImporter, dpv:DataExporter, dpv:DataSource
event fields
event time Y 7-1 demonstrate consent Y dct:date
validity duration Y N/A (external guidance requires validity) Y dct:valid
entity id Y N/A (assumed roles, e.g. data subject, controller) Y dpv:isImplementedByEntity
event type Y 4-11 (regular or expressed) consent; 9-2a explicit consent Y dpv:Consent subtype
event state Y 4-11, 9-2a consent given; 7-3 withdrawal of consent; 13, 14 notice for consent; (from derivations) lapsed validity, invalidation authorities, termination by controller dpv:ConsentStatus

DPV-27560 Consent Record

The IRI `https://w3id.org/dpv/schema/iso-27560` defines the [[DPV-27560]] as a schema or profile for [[ISO-27560]].

Due to way DPV is utilised and expressed (e.g. RDF graph, JSON) - there is no necessity to replicate the four sections of [[ISO-27560]] as information is linked and expressed as a single graph. Therefore, the DPV implementation ignores the structuring into sections.

Record Metadata

Information representing the metadata in the header field containing information about the record.

Field Cardinality DPV Concept DPV Property
Schema Version 1 N/A dct:conformsTo
Record Identifier 1..* N/A dpv:hasIdentifier
Data Subject 1 dpv:DataSubject dpv:hasDataSubject

Schema Version

This field MUST be present.

The specific version of the schema (`schema_version` in [[ISO-27560]]) used to interpret the record and its information, indicated using dct:conformsTo with the corresponding IRI from [[[#namespaces]]]. Future changes to the schema will result in suffixes to this IRI e.g. `iso-27560-v2`. To indicate conformance with specific requirements such as from GDPR, a separate schema or profile IRI must be utilised, as seen in [[[#namespaces]]].

Record Identifier

This field MUST be present.

The unique identifier (`record_id` in [[ISO-27560]]) associated with this record, indicated using dct:identifier. This can be a [[ISO-27560]] recommended UUID-4 string or an IRI.

Even if the IRI or `@id` field represents a unique identifier, this information must be specified using `dct:identifier` as the IRI may refer to a copy or alternate location of the same record.

Data Subject

This field MUST be present.

The data subject (`pii_principal_id` in [[ISO-27560]]) associated with the consent (record), indicated using dpv:hasDataSubject. The data subject can be represented by an instance of dpv:DataSubject or an identifier.

Additional Metadata

Information such as who maintains or published the record, when was it created or modified, and its provenance is not covered by [[ISO-27560]] as it is considered "implementation detail". To assist in maintaining this information, the following fields from [[DC-TERMS]] are suggested for documenting this information in an optional and non-normative manner:

Notice Fields

These fields refer to information about the notice that has been shown to request consent. In [[ISO-27560]], these fields are part of the Processing section.

Field Cardinality DPV Concept DPV Property
Notice 1..* dpv:Notice dpv:hasNotice
Notice Language 1..* N/A dct:language

Notice

This field MUST be present.

Reference to the specific version of the notice (`privacy_notice` in [[ISO-27560]]) associated with consent, indicated using `dpv:hasNotice` and a reference to the notice or an instance of `dpv:ConsentNotice`. If there are multiple notices - then each must be indicated separately. Multiple notices can be associated where such notices are part of the same context e.g. shown one after the other, or where they are associated over time, e.g. one notice shown initially when requesting and another when re-confirming it at a later time.

In DPV, the concepts `dpv:PrivacyNotice` and `dpv:ConsentNotice` have different intended meanings - a consent notice is a specific privacy notice associated with consent, most commonly providing information in order to request consent. Whereas, a privacy notice can also refer to other documents providing information, such as what is commonly called as 'privacy policy'. For the purposes of the consent record, both documents can be included, but `dpv:ConsentNotice` MUST be used when referring to the notice used for providing information for consent.

Notice Language

This field MUST be present.

The language used in the communications regarding consent, such as the information provided within a notice. The language is indicated using `dct:language`, and it is recommende to use standardised notations for representing langauges such as the ISO 639.

For examples, please refer to [[[#notice]]] section.

Processing Fields

[[ISO-27560]] contains 22 fields related to processing activities, and 5 additional fields regarding personal data involved in processing. The structuring of these fields within [[ISO-27560]] is of the form where the "PII Processing" section contains an array of "purposes" where each "purpose" is expressed with its own fields regarding legal basis, collection method, storage locations, and so on. Within the DPV implementation, this is replaced with dpv:PersonalDataHandling so that each instance represents a distinct processing activity with its fields e.g. purposes, personal data, recipients.

Field Cardinality DPV Concept DPV Property
Personal Data Handling 1..* dpv:PersonalDataHandling dpv:hasPersonalDataHandling
Purpose 1..* dpv:Purpose dpv:hasPurpose
Personal Data 1..* dpv:PersonalData dpv:hasPersonalData
Personal Data Type 1..* Personal Data taxonomy rdf:type
Personal Data Identifier 0..* N/A dct:identifier
Personal Data Necessity 0..* dpv:Necessity dpv:hasNecessity
Sensitive/Special Category 0..* dpv:SensitivePersonalData, dpv:SpecialCategoryPersonalData rdf:type
Processing Operations 0..* dpv:Processing dpv:hasProcessing
Data Source 0..* dpv:DataSource dpv:hasDataSource
Storage Condition 1..* dpv:StorageCondition, dpv:StorageLocation, dpv:StorageDuration, dpv:StorageDeletion dpv:hasStorageCondition
Processing Condition 0..* dpv:ProcessingCondition, dpv:ProcessingLocation, dpv:ProcessingDuration dpv:hasProcessingCondition
Geographic Restriction 0..* dpv:Rule dpv:hasRule
Data Controller 1..* dpv:DataController dpv:hasDataController
Legal Basis 0..* dpv:LegalBasis dpv:hasLegalBasis
Recipients 1..* dpv:Recipient dpv:hasRecipient
Consent Change & Withdrawal 1..* dpv:ConsentManagement, dpv:ProvideConsent, dpv:ChangeConsent, dpv:WithdrawConsent dpv:hasConsentManagement
Jurisdiction 1..* dpv:Jurisdiction dpv:hasJurisdiction
Rights 1..* dpv:Right dpv:hasRight
Services 0..* dpv:Service dpv:hasService
Code of Conduct 0..* dpv:CodeOfConduct dpv:hasOrganisationalMeasure
Impact Assessment 0..* dpv:ImpactAssessment dpv:hasAssessment

Personal Data Handling

This field MUST be present.

`dpv:PersonalDataHandling` is a concept that represents a process or 'unit' for combining relevant details such as purposes, processing, personal data categories, recipients, and so on. Instances of `dpv:PersonalDataHandling` can be used to differentiate between information regarding processing - such as where different purposes are used or that lead to different recipients. Such instances can also be nested within other instances to create a 'modular' structuring of processing activities.

Following the [[ISO-27560]] model requires creating a concept called 'purposes' and to utilise an array or a list to hold the associated 'purpose' instances. Given that DPV prefers a strict taxonomy expressed in a graph representation, following the same model would lead to non-intuitive structures. Further, other similar lists such as those for 'pii_type' also require creation of new concepts to represent groups or collections of the actual intended concepts.

The term 'Personal Data Handling' is non-intuitive and difficult to grasp. By contrast, the term 'Process' is commonly used and is intuitive. Therefore, a new concept called `Process` should be added, and for backwards compatibility be declared as a subtype of `PersonalDataHandling`. The existing relations benefit from this by use of phrasing such as "personal data associated with a process".

Purpose

This field MUST be present.

The purpose of processing personal data, expressed in DPV using hasPurpose as an instance of Purpose.

[[ISO-27560]] has an additional field called 'purpose_type' that describes the category of the purpose. In DPV, this is declared by using concepts from the purpose along with `rdf:type`. For additional information, such as descriptions, relevant DCT relations should be used.

Where multiple purposes are present within the same or single context, for example the consent record or a personal data handling instance, the interpretation is that they are all applicable for that context. For example, if a personal data handling instance contains 3 purposes - then it is presumed that the consent is for carrying out each of the 3 purposes.

To declare that ALL purposes must occur together i.e. they cannot be carried out independently, the appropriate semantic relations should be used to express this information - for e.g. by declaring the 3 required purposes as the 'type' for a new combined purpose.

Caution is advised when modelling consent as jurisdictional requirements such as those from GDPR e.g. Recital 32 states "Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.". This means all purposes listed within a record pertaining to a single consent are to be used with that single consent as the legal basis.

Personal Data

This field MUST be present.

The personal data ('pii information' in [[ISO-27560]]) involved in processing activities, associated using dpv:hasPersonalData and instances of dpv:PersonalData.

In [[ISO-27560]], the personal data fields are used to describe aspects of personal data as - type, identifier, optionality, being sensitive and being special category. In the DPV implementation, these are described as annotations or additional relations over the personal data instance.

Personal Data Type

This field MUST be present.

The type or category of personal data ('pii type' in [[ISO-27560]]), expressed in DPV using rdf:type, and optionally using concepts from the [[DPV-PD]] taxonomy. The value for this field must use a data category from DPV either through an explicit declaration i.e. using rdf:type or through an implicit definition e.g. [[DPV-PD]] taxonomy.

Personal Data Identifier

This field MAY be present.

The identifier representing the data values or instances e.g. within a database, expressed in DPV using dct:identifier.

Personal Data Necessity

This field MAY be present.

The necessity or optionality of this data ('pii optional' in [[ISO-27560]]) for the processing, expressed in DPV using hasNecessity and one of the provided instances of Necessity. If this field is absent, it should be inferred as the data being necessary.

Sensitive and Special Category

This field MAY be present.

Indicates whether the personal data is considered sensitive ('sensitive pii category' in [[ISO-27560]]), and separately whether it is also of special category ('special pii category' in [[ISO-27560]]). Declaring either in DPV is done using rdf:type with value SensitivePersonalData or SpecialCategoryPersonalData. Its absence indicates the data does not belong to either sensitive or special categories.

Processing Operations

This field MAY be present.

Indicates the processing operations or activities carried out over the specific personal data, and indicated using dpv:hasProcessing with instances of dpv:Processing. In [[ISO-27560]], this field also represents information about automated decision making - which is represented in DPV through the dpv:AutomationOfProcessing concepts and associated with dpv:hasProcessingAutomation, as well as large scale of processing which is represented through dpv:ScaleOfProcessing and associated using dpv:hasScale.

Data Source(s)

This field MAY be present.

This field represents the source of data being processed. In [[ISO-27560]], this field is called collection method and can be about The data provided by or observed from activities of the data subjects, be inferred from existing data, or be collected from another entity or third party. In DPV, this information is represented using dpv:DataSource and associated using dpv:hasDataSource.

Concepts within the DPV taxonomy have an exact meaning - for example data being obtained through observation should not be stated as being collected, but as observed - even if the data source is still the same data subject. Therefore, it is best to separate the data source entity and the processing operation.

Storage Condition(s)

This field MUST be present.

Indicates information about the storage of personal data such as regarding its duration, location, and erasure, represented using dpv:StorageCondition and associated using dpv:hasStorageCondition. The existence of Storage Condition implies storing data as a processing operation. In [[ISO-27560]], this information is represented through two fields - storage locations and retention period - both of which are required to be present.

Processing Condition(s)

This field MAY be present.

Indicates information about conditions regarding the processing operations, such as regarding its duration and location, represented using dpv:ProcessingCondition and associated using dpv:hasProcessingCondition. Given that storing data is a specific type of processing operation, this field is useful for other processing activities such as collection of data. In [[ISO-27560]], the field only relates to processing locations.

Geographic Restriction(s)

This field MAY be present.

Geographic restrictions are defined in [[ISO-27560]] as restrictions related to geo-locations or jurisdictions. While DPV prefers a declarative interpretation where, for e.g., if processing location is mentioned as EU then it implies that processing will only take place within EU since no other locations are mentioned. If the intention is to explicitly state this as a restriction, it can utilise the dpv:Rule concept which provides (simplified) Permissions, Prohibitions, and Obligations. For further expressivity or complexity, specifications such as [[[odrl-model]]] should be considered.

Note that while [[ISO-27560]] only considers restrictions over geographic locations for processing (including storing), DPV (and ODRL)support specifying information and restrictions over a much wider range of concepts. In theory, restrictions can be expressed over any concept or combination of concepts.

Data Controller(s)

This field MUST be present.

Indicates the Data Controllers (pii controllers in [[ISO-27560]]) responsible for the specified processing activities, expressed in DPV using hasDataController with instances of DataController.

Note that the notion of a 'Controller' is regarding accountability, and does not necessarily correlate with who performs the processing or has access to data - for example in GDPR. To indicate who performs the processing, DPV provides dpv:isImplementedByEntity.

Information about the Data Controller, such as its name or address, is described through the Entity Fields later in the document based on a similar structure in [[ISO-27560]].

Legal Basis

This field MAY be present.

The legal basis (lawful basis in [[ISO-27560]] for processing of personal data. Though the lawful basis for a consent record would always be consent, the presence of the field enables extensions of the record to other legal bases (e.g. contract) in the future. In DPV, the legal basis is associated using hasLegalBasis with a concept from the LegalBasis taxonomy.

In addition to defining consent as a legal basis, DPV also provides a taxonomy to express various categories of consent - such as InformedConsent and ExpressedConsent which provide a more granular and accurate definition of the legal basis being utilised. For expressing specific consent based on specific jurisdictions and regulations, the appropriate extended concept should be used, for e.g. [[DPV-GDPR]] defines consent as a legal basis based on the specific clauses and requirements of the [[GDPR]].

Recipients

This field MUST be present.

Indicates the recipients of personal data associated with the specific processing activities, expressed as dpv:Recipient and associated using dpv:hasRecipient. In [[ISO-27560]], this field is only limited to Recipients who are Third Parties, which excludes the Data Controllers and Processors. In DPV, recipients can be any of Data Controllers, or Processors, or Third Parties.

Note that recipients can be specific entities i.e. their identity is known, or groups or categories of entities - for example as in GDPR's Article 13-1e. However, [[ISO-27560]] only considered explicitly indicated third parties for the recipients field.

In [[ISO-27560]], the recipient field is also associated with information regarding the geo-location of data being transferred to the recipient third party's and whether this constitutes a jurisdictional change. To represent this in DPV, the location of the transfer should be indicated within the processing information along with the recipient entity. The jurisdiction can also be represented in the same context - to indicate the transfer to that jurisdiction, or it can be specified in association with the recipient entity.

Consent Change & Withdrawal

This field MUST be present.

Indicates the information on how the data subject can change or withdraw the specified consent, expressed using processes part of ConsentManagement and associated using hasConsentManagement. To indicate how the data subject should take action, the relation isExercisedAt is to be used.

In [[ISO-27560]], this field is specific to the withdrawal method or a link to the information on withdrawal. It also allows this field to be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

Jurisdiction(s)

This field MUST be present.

Indicates the applicable jurisdiction for the processing indicated within the receipt. The acknolwedgement of jurisdiction(s) is necessary to convey applicable laws and requirements regarding consent validity and applicable rights as well as indicating the obligations on parties involved. To indicate the jurisdiction, the concept Location is to be associated using hasJurisdiction.

In [[ISO-27560]], this field can also be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

Rights

This field MUST be present.

Indicates the applicable rights and provides information on how to avail or exercise them. The rights are indicated using DataSubjectRight and associated using hasRight. To indicate how to exercise them, the relation isExercisedAt is to be used. To indicate provision of information regarding rights exercise, the concept RightExerciseNotice is to be used and associated using hasNotice.

In [[ISO-27560]], this field is optional, and is used to provide a link to information on how to exercise rights. It also allows this field to allow changes to the consent conditions such as the retention period. In [[ISO-27560]], this field can also be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

Service(s)

This field MAY be present.

Indicates the services the described processing activities are a part of or assist with, expressed as an instance of dpv:Service and associated using dpv:hasService.

In [[ISO-27560]], a Service can be as broad or granular as desired. A service is related to a purpose by providing a context through which the specific purpose can be understood within their context, and also to enable related purposes and activities to be associated and explained with a common service being provided.

Code of conduct(s)

This field MAY be present.

Indicates the applicability of a Code of Conduct for the specified processing activity. A code of conduct is a voluntary set of rules and responsibilities undertaken by an organisation. It is indicated using an instance of dpv:CodeOfConduct and associated using dpv:hasOrganisationalMeasure.

In [[ISO-27560]], this field is described as providing information regarding the name of the code of conduct and a publicly accessible reference to it. A code of conduct can also be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

Impact assessment(s)

This field MAY be present.

Indicates the existence of an Impact Assessment for the specified processing activity. An impact assessment in this record refers to the impact of the specified processing activities on the data subject. Impact assessments are indicated using instances of dpv:ImpactAssessment and associated using dpv:hasAssessment. DPV provides concepts for specific types of impact assessments, such as dpv:PIA for Privacy Impact Assessment and dpv:DPIA for Data Protection Impact Assessment.

In [[ISO-27560]], this field is limited to assessments of privacy risks and potential impacts of "non-compliance" on the data subjects, whereas in common practice assessments such as PIA and DPIA concern the impact of the processing on the data subject - which is what DPV and this specification considers. Impact assessments can also be associated with the Data Controller (in the Party/Entity section) rather than per-processing activity.

Entity Fields

[[ISO-27560]] refers to Entity as Party.

Entities are expressed using instances of dpv:Entity and associated using dpv:hasEntity.

Field Cardinality DPV Concept DPV Property
Name 1..* N/A dpv:hasName
Identifier 1..* N/A dpv:hasIdentifier
Role 1..* dpv:DataController, dpv:DataProcessor, dpv:ThirdParty, dpv:Authority, dpv:DataSubject rdf:type, dpv:hasDataController, dpv:hasDataProcessor, dpv:hasThirdParty, dpv:hasAuthority, dpv:hasDataSubject
Contact 1..* schema:ContactPoint schema:contactPoint
Postal Address 1..* schema:PostalAddress schema:contactPoint
Email 0..* N/A schema:email
Phone 0..* N/A schema:telephone
URL 0..* N/A schema:url

Name

This field MUST be present.

Indicates the legal name and identity of the Entity, expressed using dpv:hasLegalName and a string.

Identifier

This field MUST be present.

Indicates the unique identifier for the entity within the record. In linked data and semantic web methods of expressing information, the IRI already acts as an unique identifier. To support interoperability, the IRI identifier MUST be declared explicitly using dpv:hasIdentifier. To denote other (unique or otherwise) identifiers as a reference to the entity, dct:identifier should be used.

In this specification and in [[ISO-27560]], the (IRI) identifier is used to associate the entity with specific processing roles, which is described in the next section.

Role

This field MUST be present.

Indicates the role of the entity within the process activities, indicated using rdf:type and an appropriate role such as dpv:DataController, dpv:DataProcessor, dpv:ThirdParty, dpv:Authority, and dpv:DataSubject.

In [[ISO-27560]], the entity (party) fields are separate from the processing section and therefore the role of the entity is expressed separate from processing. In DPV, the role MUST be expressed contextually within the processing fields by using an appropriate property e.g. dpv:hasDataController and the identifier of the entity. Optionally, the entity description field can also contain an explicit acknowledgement of the role by stating the entity is of type e.g. dpv:DataController.

Contact

This field MUST be present.

Indicates the contact for an entity for communication purposes, indicated using schema:contactPoint and an instance of schema:ContactPoint.

NOTE: As in [[ISO-27560]], this field MUST be present for all entities EXCEPT data subjects as in a record it may not be necessary to record the contact for data subjects. This follows best practices regarding data minimisation and purpose limitation.

Postal Address

This field MUST be present.

Indicates the potal address of the entity, expressed using schema:address and an instance of schema:PostalAddress.

NOTE: As in [[ISO-27560]], this field MUST be present for all entities EXCEPT data subjects as in a record it may not be necessary to record the postal address of data subjects. This follows best practices regarding data minimisation and purpose limitation.

Email

This field MAY be present.

Indicates the email of the entity, expressed using schema:email.

Phone

This field MAY be present.

Indicates the telephone of the entity, expressed using schema:telephone.

URL

This field MAY be present.

Indicates the url of the entity, expressed using schema:url. The type of the page can be expressed using appropriate concepts, such as dpv:PrivacyNotice.

Consent Event Fields

[[ISO-27560]] contains 5 fields to describe events associated with consent.

Field Cardinality DPV Concept DPV Property
Consent Type 1..* dpv:Consent taxonomy dpv:hasLegalBasis
Consent State 1..* dpv:ConsentStatus taxonomy dpv:hasConsentStatus
Event Time 1..* N/A dpv:isIndicatedAtTime
Event Duration 1..* dpv:Duration dpv:hasDuration
Expression by Entity 1..* dpv:Entity dpv:isIndicatedBy
Expression Method 0..* N/A dpv:hasIndicationMethod

Consent Type

This field MUST be present.

Indicates the type of consent (e.g. Implicit, Expressed, Explicit) expressed by the data subject. In [[ISO-27560]], this field is called event type.

In DPV, dpv:ConsentType represents consent types to be used as a legal basis (dpv:hasLegalBasis) and has the following different types: dpv:InformedConsent and dpv:UninformedConsent to indicate whether the consent is informed or not. Informed consent is further specialised as: dpv:ImpliedConsent for consent indicated through an implied or indirect action (e.g. merely browsing a website), dpv:ExpressedConsent for consent indicated through a direct expressed action (e.g. a checkbox), and dpv:ExplicitlyExpressedConsent for consent indicated through a direct action concerning solely the consent in context.

Consent types are also dependent on jurisdictional requirements, such as GDPR's various consent types. These can be represented by expanding on the relevant DPV concepts. For GDPR, the following consent types are provided in [[DPV-GDPR]]: dpv-gdpr:A6-1-a expressed consent and dpv-gdpr:A9-2-a explicit consent.

Best practice for choosing approprite consent types concern expressing the correct legal basis for a specific jurisdiction where possible (e.g. GDPR A.6-1a) or to indicate the type of consent (e.g. Expressed Consent) where the jurisdiction is explicitly provided or is understood from available context. Following this, the most appropriate consent types for most cases would be dpv:ExpressedConsent and dpv:ExplicitlyExpressedConsent.

Consent State

This field MUST be present.

Indicate the state or status of consent reflecting its applicability or suitability to be used as a legal basis to justify the specified processing. In DPV, it is represented through dpv:ConsentStatus and associated using dpv:hasConsentStatus. Instances of consent states represent specific events concerning the use of consent as a legal basis, e.g. requesting consent, giving consent, withdrawing consent. Each event may have corresponding processes, such as giving consent enables the processing to take place and withdrawing consent stops the processing taking place.

DPV provides several states broadly categorised under those valid for processing and those that are not. These are:

Event Time

This field MUST be present.

The time of the associated event (e.g. giving consent, withdrawing consent), indicated using dpv:isIndicatedAtTime. [[ISO-27560]] defines this field as the time the event was expressed or exercised by the specified entity (e.g. when data subject gave consent), and requires this field use a value as per [[ISO 8601]] UTC time to declare the timestamp associated with the event.

Event Duration

This field MUST be present.

Indicates the duration or the condition for determining validity of the duration for the event. It is indicated using dpv:Duration and associated using dpv:hasDuration. DPV provides the following duration concepts:

[[ISO-27560]] specifies that where the duration relates to the validity of given consent, the duration also indicates that the Data Controller should request the data subject to confirm or 'refresh' their consent without which the consent cannot be valid for processing.

Expression by Entity

This field MUST be present.

Indicates which entity or agent (party in [[ISO-27560]]) exercised or expressed the specified event. For example, if it was the data subject or their guardian who expressed the given consent. In DPV, this is indicated using the appropriate dpv:Entity concept and associated using dpv:isIndicatedBy.

In [[ISO-27560]], this field is called entity id and is used to link to the relevant entity through their identifier (e.g. data subject identifier or to an entry in the party section). As this field MUST be present in [[ISO-27560]], the most common value expected here will be a reference to the data subject. In DPV, this can also be indicated using dpv:DataSubject instead of the identifier.

Expression Method

This field MAY be present.

Indicates how the specified entity expressed or exercisde the indicated event, e.g. a data subject clicked the button to give consent. This field is not present in [[ISO-27560]], but is considered best practice to document so as to record information relevant to the assessment of consent validity and legal compliance. In DPV, it is associated using dpv:hasIndicationMethod.

Examples

DPV-27560 Consent Receipts

Header Fields

Field Cardinality DPV Concept DPV Property
Schema Version 1 N/A dct:conformsTo
Record Identifier 1..* N/A dpv:hasIdentifier

Schema Version

This field MUST be present.

The specific version of the schema (`schema_version` in [[ISO-27560]]) used to interpret the record and its information, indicated using dct:conformsTo with the corresponding IRI from [[[#namespaces]]]. Future changes to the schema will result in suffixes to this IRI e.g. `iso-27560-v2`. To indicate conformance with specific requirements such as from GDPR, a separate schema or profile IRI must be utilised, as seen in [[[#namespaces]]].

Record Identifier

This field MUST be present.

The unique identifier (`record_id` in [[ISO-27560]]) associated with this consent receipt, indicated using dpv:hasIdentifier. This can be a ([[ISO-27560]] recommended) UUID-4 string or an IRI.

Associated Consent Record

This field MUST be present.

The information to be provided within a consent receipt is in the form of consent records, which are associated using dpv:hasConsentRecord.

Creation Timestamp

This field MUST be present.

Indicates the date/time for when the receipt was generated, indicated using dct:created. NOTE: This field is not present in [[ISO-27560]].

Additional Metadata

Information such as who maintains or published the receipt, when was it created or modified, and its provenance is not covered by [[ISO-27560]] as it is considered "implementation detail". To assist in maintaining this information, the following fields from [[DC-TERMS]] are suggested for documenting this information in an optional and non-normative manner:

Information in Receipt

[[ISO-27560]] states the receipt can contain and provide the same information as the consent record it is associated with. It also states that the fields indicated as required for consent records are also required within consent receipts. Since receipts are intended to provide information already documented within a consent record, the same fields and information can also be used to create and provide a receipt. However, to enable the receipt to be a broader communication mechanism also capable of providing relevant information in future (e.g. exercised rights), the DPV's receipts are instead a 'wrapper' around a consent record.

Examples

Extending with Profiles

Considerations

Security and Privacy

Information Modelling

Recording Privacy Signals

Additional Schemas and Profiles

Lifecycle of Consent

Processing of personal data utilises Consent as one of the possible legal bases. In the current regulatory environment, such consent has to be valid according to several criterion such as being informed, freely given, and being unambiguous. For consent to be informed, the data subject must have been provided or be aware of relevant information regarding the processing of personal data, typically through a Consent Notice, which describes the effect of their decision i.e. if consent is given which processing activities will take place, over which data, and who is involved in terms of entities. Other criterion, such as freely given and being unambiguous is determined through the manner in which this information is presented to request consent and how that consent is expressed.

Once a consent has been given by the individual, they may also have the ability to regulate its use by withdrawing it at a later time. Such termination of consent results in the halting of its associated processing activities. Other causes of termination can be the expiry of duration for which the consent would be considered valid, termination by the Controller, or the consent being declared invalid by an authority such as the court.

Based on these, a lifecycle can be charted regarding the various states that 'consent' can be stated to be in, which is essential to understand which states can be considered 'valid' for the processing of personal data. In the diagram below, consent states begin with a notice being shown to inform the individual and request their consent. Following this, the individual may make the decision to give or grant their consent, or to refuse it. If consent has been given, it can be re-confirmed or re-affirmed to assert its validity, or it can be terminated for several reasons such as its withdrawal by the individual. In all these, only when consent continues to be in a 'given' state can it be used to justify processing.

Therefore, when creating records of consent - such as to demonstrate compliance, it is essential to not only have information regarding the processing activities governed by that consent, but to also have information which relates to determination of it being valid at a given time. This includes how the notice was provided, the type of consent that was expressed, and to associate these with relevant regulatory requirements that dictate the requirements for validity. In addition, changes to consent must also be recorded, whether they relate to an update to information resulting in a new notice, or the confirmation of an existing consent, or the termination of consent for reasons such as being withdrawn.

Consent Records

[[[ISO-27560]]] defines Consent Record as the documentation of information about a data subject's consent for the processing of their personal data in terms of the details about the processing as well as the interactions related to consent (e.g. giving or withdrawing it). Consent Records are an essential part of keeping records regarding whether consent has been obtained and is valid for processing, and to keep this information for correctly conducting processing relying on it. [[ISO-27560]] as well as regulatory requirements such as [[GDPR]] Article 7-1 require maintaining consent records where consent is used as the legal basis. While GDPR Article 7-1 only states that consent should be demonstrable, [[ISO-27560]] provides an information structure for how this information should be maintained and what processes should exist within an organisation in connection with it.

It is important to distinguish between a Consent Record with several relevant but distinct concepts. A consent record only refers to the information recorded regarding consent, whereas a Consent Notice refers to the notice and information provided to the data subject in order to inform them about the processing - such as while requesting consent. While there is a significant overlap between a consent record and a consent notice, there are key differences such as notices orienting information for human consumption (e.g. layering of dialogues to provide summaries and detailed descriptions) and dictating the manner in which consent is expressed (e.g. checkboxes for options and confirmation by clicking a button). In contrast, a consent record is not required to accurately reflect the manner in which this information was presented to the user, but to only record it in a manner that enables assessing whether the consent is given and if so for which processing activities.

This distinction is evident in [[[ISO-29184]]] being the standard for consent notices - which specifies what information should be present in a notice and the manner in which it is presented. In turn, [[ISO-27560]] only refers to notices to limit its scope to representing information necessary within a consent record. Therefore a consent record, despite containing a link to the notice, is not by itself sufficient to determine the validity of consent, and instead acts as the primary record containing information or links to information for conducting such assessments. Its primary purpose is therefore limited to provide an indication of the state of consent (e.g. request, given, terminated) for specific processing activities (e.g. which purpose, what recipients) and to document where additional information can be found on specific matters such as the notice shown when requesting consent.

A [[ISO-27560]] conformant consent record typically has the following sections representing relevant information:

  1. metadata about the consent record such as its identifier
  2. the individual associated with the consent i.e. data subject
  3. the subject of consent i.e. specifics of the processing of personal data
  4. entities involved e.g. data controller and third parties
  5. relevant contextual information e.g. notice, rights, restrictions
  6. provenance of events associated with the consent e.g. given, withdrawn

Under GDPR, the obligation to maintain records of consent is explicitly stated in Article 7-1 and Recital 42. This information includes, at a minimum, the identity of the Controller and the purposes of processing (Recital 42). Further Articles 13 and 14 dictate the information that must be provided to the data subject which includes recipients, transfers to third countries, data storage periods and conditions, existence of rights (including consent withdrawal), and specific information regarding processing such as the use of automated decision making or profiling.

Consent Receipts

[[ISO-27560]] defines a consent receipt as an authoritative document that is used to communicate the existence of a consent record or to provide information contained within it. It is effectively an 'authoritative copy' of a consent record provided by one entity to another, where it may contain all, some, or no information from the consent record regarding the consent and its relevance to processing activities. Such receipts may be useful to communicate the existence of consent decisions, or enable entities to exercise of rights or raise issues and complaint regarding processing activities.

Consent receipts are a relatively newer and under-utilised practice, with no legal requirements existing that refer to the concept (or receipts) or state how they should be used. [[ISO-27560]] follows this by leaving it up to the organisations to decide how they want to implement receipts and what information is be provided through it. It defines a minimal structure consisting of some fields representing the receipt metadata, but does not have any requirements on the information within the receipt or its correspondence to fields within the record.

A [[ISO-27560]] conformant consent receipt only requires a metadata section providing information about the consent receipt such as its identifier. Deciding on which additional information is to be provided and in what forms and using which structures is left up to implementing entities. In this guide, we presume that the consent receipt is intended for providing a copy of all information within the consent record.

According to [[ISO-27560]], records are generated and maintained by organisations (Controller, Third Party), and are utilised to provide receipts to a Data Subject. In contrast, the Kantara Consent Receipts specification [ref], upon which [[ISO-27560]] is based, defines Consent Receipts as being provided by a Data Subject to a Controller.

For this document and the general use of DPV, we make no presumptions or enact restrictions on the use of records and receipts. Any entity, be it a Controller or a Data Subject, can maintain their own consent record or issue receipts. Though the phrasing of some sections may imply the Controller as the implementing entity, it does not preclude another entity from also implementing [[[ISO-27560]]].