The Data Privacy Vocabulary (DPV) is an interoperable semantic model that provides a standardized taxonomy for describing personal data categories, processing purposes, legal bases, and technical-organizational measures. By serializing privacy concepts in RDF and OWL2, DPV enables automated compliance checking and bridges the semantic gap between legal privacy requirements and their technical implementation in enterprise systems.
Glossary
Data Privacy Vocabulary (DPV)

What is Data Privacy Vocabulary (DPV)?
The Data Privacy Vocabulary (DPV) is a formal, machine-readable ontology developed by the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG) to represent the legal and technical concepts associated with personal data processing and privacy policies.
DPV serves as a foundational layer for expressing machine-readable consent records, Records of Processing Activities (RoPA), and Data Protection Impact Assessments (DPIAs). Its extensible design allows domain-specific extensions for regulations like the GDPR, enabling privacy engineers to encode obligations such as the right to erasure and purpose limitation directly into software architectures for automated data subject rights fulfillment.
Core Characteristics of DPV
The Data Privacy Vocabulary provides a formal, machine-readable taxonomy for representing the core concepts of personal data processing, enabling interoperable policy expression and automated compliance checking.
Formal Semantic Modeling
DPV is built on W3C Semantic Web standards (RDF, OWL), providing a rigorous ontological structure rather than a flat list of terms. This allows machines to infer logical relationships between concepts.
- RDF Triples: All statements are structured as subject-predicate-object, enabling graph-based querying.
- OWL Axioms: Formal constraints define class hierarchies, property domains, and cardinality restrictions.
- Inference: A system can deduce that if data is 'Anonymized', it is no longer 'PersonalData' without explicit programming.
Core Taxonomical Hierarchy
DPV organizes privacy concepts into a strict, extensible class hierarchy rooted in Purpose, Processing, PersonalData, LegalBasis, and TechnicalOrganisationalMeasure.
- Purpose: Defines why data is processed (e.g.,
dpv:Marketing,dpv:ServiceProvision). - PersonalData: Categorizes what data is involved (e.g.,
dpv:SpecialCategoryPersonalData,dpv:Financial). - LegalBasis: Specifies the legal justification (e.g.,
dpv:Consent,dpv:LegitimateInterest). - Processing: Describes how data is handled (e.g.,
dpv:Collect,dpv:Store,dpv:AutomatedDecisionMaking).
Extensibility via Profiles
DPV is designed as a modular base ontology that can be extended with domain-specific profiles without breaking core interoperability. This prevents vendor lock-in while allowing for regulatory specificity.
- DPV-GDPR: Extends DPV with specific EU GDPR concepts like
dpv-gdpr:RightToErasureanddpv-gdpr:DPIA. - DPV-PD: A detailed taxonomy of personal data categories (e.g.,
dpv-pd:Biometric,dpv-pd:EthnicOrigin). - DPV-LEGAL: Jurisdiction-specific legal statuses and compliance records.
- Custom Extensions: Organizations can create proprietary subclasses while remaining compatible with the core DPV standard.
Machine-Readable Policy Serialization
DPV enables the creation of serialized privacy policies in formats like JSON-LD and Turtle that software agents can parse, compare, and validate automatically.
- Consent Receipts: A DPV-based record proving a specific user granted consent for a specific purpose at a specific time.
- Policy Matching: An agent can compare a user's expressed privacy preferences against a service's DPV-encoded policy to detect conflicts.
- Automated Compliance: A processor can check if a requested processing operation is permitted under the controller's declared DPV purposes.
Risk and Context Modeling
DPV includes constructs for modeling the context and risk of processing activities, moving beyond simple binary permissions to nuanced impact assessments.
- Context: Defines the processing environment, including
dpv:StorageLocation,dpv:Recipient, anddpv:Scale. - Risk: Links processing to potential
dpv:Consequenceanddpv:Impact(e.g.,dpv:Discrimination,dpv:FinancialLoss). - Mitigation: Associates
dpv:TechnicalOrganisationalMeasure(likedpv:Encryptionordpv:Pseudonymisation) to specific risks. - This structure directly supports automated generation of Data Protection Impact Assessments (DPIAs).
Interoperability with External Standards
DPV is designed to map to and align with other major privacy and data governance frameworks, acting as a semantic bridge between regulatory silos.
- ISO/IEC 29184: Maps to ISO's privacy notice requirements.
- GDPR & CCPA: Provides explicit legal basis and right taxonomies for these regulations.
- W3C Data Privacy Controls: Aligns with the W3C's technical privacy architecture for the web platform.
- Solid Protocol: Used within Tim Berners-Lee's decentralized web project to manage data access permissions in personal online datastores (Pods).
Frequently Asked Questions
Clear, technical answers to the most common questions about the W3C Data Privacy Vocabulary (DPV) standard, its implementation, and its role in automating enterprise privacy compliance.
The Data Privacy Vocabulary (DPV) is a formal, machine-readable ontology developed by the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG) that provides a standardized semantic framework for describing the legal and technical concepts involved in personal data processing. It works by defining a taxonomy of interoperable terms—represented as RDF (Resource Description Framework) classes and properties—that model the core entities of privacy: Purpose, PersonalData, Processing, LegalBasis, TechnicalOrganisationalMeasure, and Recipient. By serializing privacy policies into this structured format, DPV enables automated compliance checking, policy comparison, and the generation of machine-readable transparency notices. The vocabulary is modular, with extensions for specific regulations like GDPR (the dpv-gdpr module) and technical domains like AI (the dpv-ai module), allowing organizations to encode complex legal obligations into software logic rather than relying on ambiguous natural language documents.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The Data Privacy Vocabulary (DPV) provides a formal ontology for describing personal data processing. These related concepts form the operational and legal backbone of privacy engineering.
Record of Processing Activities (RoPA)
A mandatory internal inventory required by GDPR Article 30 that documents all personal data processing. DPV provides the machine-readable vocabulary to populate RoPA fields, including purpose, legal basis, data categories, and recipients. Automating RoPA generation using DPV ensures consistency across privacy documentation and enables real-time compliance monitoring.
Data Protection Impact Assessment (DPIA)
A risk assessment process mandated for high-risk processing under GDPR Article 35. DPV's ontology models the risk taxonomy, mitigation measures, and necessity analysis required in a DPIA. By encoding DPIA logic in DPV, organizations can automate the identification of processing activities that trigger mandatory assessments based on predefined risk thresholds.
Purpose-Based Access Control
An authorization model that grants data access based on the declared processing purpose rather than user role alone. DPV's formal purpose taxonomy enables policy enforcement points to validate access requests against a machine-readable purpose hierarchy. This ensures that data accessed for 'Service Provision' cannot be repurposed for 'Marketing Analytics' without explicit re-authorization.
Consent Audit Trail
An immutable, time-stamped log recording the full history of a user's consent actions. DPV standardizes the vocabulary for consent events, including:
- Consent status (given, withdrawn, expired)
- Purpose specification linked to DPV purpose taxonomy
- Notice version presented at time of collection This enables interoperable consent receipts across platforms and jurisdictions.
Data Lineage for PII
The automated mapping of origin, movement, transformation, and storage locations of personally identifiable information. DPV enriches lineage graphs with semantic metadata, tagging each data flow with its legal basis, retention period, and data category. This transforms raw technical lineage into a compliance-aware data map suitable for regulatory inspection.
Legitimate Interest Assessment (LIA)
A three-part balancing test required when relying on legitimate interest as a legal basis under GDPR Article 6(1)(f). DPV models the LIA structure:
- Purpose identification
- Necessity test
- Balancing test against data subject rights Encoding LIA logic in DPV allows automated validation that the assessment has been completed before processing commences.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us