How to Manage My Data? With Machine-Interpretable GDPR Rights!

Beatriz Esteves, Harshvardhan J. Pandit, Georg P. Krog, Paul Ryan

TL;DR

The paper addresses the lack of standardized tooling for exercising GDPR rights by proposing a machine-interpretable specification built on semantic web standards, centered on the Data Privacy Vocabulary (DPV). It integrates DPV with ODRL, DCAT, PROV-O, and related standards to model rights, notices, records, and machine-executable requests, enabling automated and interoperable rights management. Key contributions include a DPV-based rights-exercise model, a Justification taxonomy, provenance-enabled records, and machine-actionable rights requests to support GDPR-compliant workflows in increasingly data-driven ecosystems. The work aims to enable GDPR-by-design rights management within Data Spaces and EUDI wallets, with planned integration with protocols like the Data Rights Protocol and Advanced Data Protection Control to broaden adoption and implementation.

Abstract

The EU GDPR is a landmark regulation that introduced several rights for individuals to obtain information and control how their personal data is being processed, as well as receive a copy of it. However, there are gaps in the effective use of rights due to each organisation developing custom methods for rights declaration and management. Simultaneously, there is a technological gap as there is no single consistent standards-based mechanism that can automate the handling of rights for both organisations and individuals. In this article, we present a specification for exercising and managing rights in a machine-interpretable format based on semantic web standards. Our approach uses the comprehensive Data Privacy Vocabulary to create a streamlined workflow for individuals to understand what rights exist, how and where to exercise them, and for organisations to effectively manage them. This work pushes the state of the art in GDPR rights management and is crucial for data reuse and rights management under technologically intensive developments, such as Data Spaces.

Paper Structure

This paper contains 8 sections.