Charter of the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG)
This Charter: https://w3id.org/dpv/charter
Previous Charter: CG page (not formally adopted)
Start Date: 2026-01-28
Last Modified: 2026-01-26
Approval: Minutes 2026-01-21
The mission of the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG) is to develop ontologies and taxonomies that support the implementation of regulations, standards, and approaches relevant to privacy and data protection, and how these are addressed or implemented in technologies, including AI technologies.
The scope of the DPVCG is defined in terms of providing ontologies and taxonomies that represent information from normative sources (e.g., laws, standards) and their practical implementation considerations (e.g., use-cases, sectorial). The term 'ontologies' refers to modelling concepts and relationships between them, for example 'Personal Data' concept and its associative relation 'has personal data'. The term 'taxonomies' refers to providing an enumeration of ontological concepts based on real-world use and requirements, for example, defining 'email', 'name', 'likes/dislikes' as kinds of personal data. The DPVCG refers to both ontologies and taxonomies collectively as "vocabularies" (in its name).
The 'core vocabulary' for defining the scope of the DPVCG is as follows:
Personal Data and its categorisation as sensitive, special, and transformation into forms such as anonymisation and pseudonymisation
Operations (processing of personal data) such as collect, use, store, share, erase, including locations, durations, and other contextual information
Purpose or end-goals for why data is being processed or something is being done
Entities and their roles, such as controller, human or data subject, service provider, that assist in specifying responsibilities and ensuring accountability
Technologies involved and their provision and deployment
Measures including technical, organisational, legal, and physical measures, such as to ensure security or safeguard safety or to provide transparency through notices
Risks and impacts associated with their processes and how they can be mitigated
Contextual information such as controls, necessity, statuses, reuse, involvement (including human in the loop and oversight approaches)
Jurisdictional (i.e., legally defined) information such as applicable laws, defined legal bases, compliance requirements and outcomes, and defined rights and their exercise
Logical grouping of concepts into units or processes and indication of whether they are permitted, prohibited, obligated and other relevant rules
The work of the DPVCG is inspired by and arose out of a project associated with the EU and its General Data Protection Regulation (GDPR) requirements. However, the scope of the DPVCG is inclusive of all jurisdictions and their specific laws and topics associated with privacy and data protection. To accommodate this, the DPVCG has developed a modular structure that separates the 'main' and 'jurisdictional' aspects into separate namespaces.
To assist with the adoption of the DPVCG's outputs and to facilitate engagement and participation, the DPVCG provides materials such as guides, examples, and primers. These resources can be generic or address a specific need or requirement, for example, to assist with compliance with specific standards or legal measures.
The DPVCG can provide mappings and schemas to assist with the use of its outputs with other existing approaches and norms. For example, a mapping from the DPV to the W3C Open Digital Rights Language (ODRL) standard, or to represent consent records as per ISO/IEC TS 27560:2023.
The DPVCG's work consists of analysis of sources, modelling information concepts and requirements, and representing these as artefacts, primarily in RDF, which is a W3C standard for interoperable and machine-readable data. To express the semantics of concepts and relationships, the DPVCG makes use of the following additional W3C standards: RDFS, SKOS, and OWL. All other forms and outputs are derived from these in a consistent manner. The Turtle RDF serialisation format is used as the canonical representation, with other output forms being derived from this while ensuring compatibility and consistency.
Determination of legal compliance, conformity, or any other measure is out of scope. The DPVCG provides solely the means to represent information involved in determining these and to assist in the process through information modelling.
Developing software or other algorithmic methods as a specific implementation are out of scope. The DPVCG provides schema and specifications that can be used to develop such approaches.
Modelling of topics, laws, or other concerns that do not relate to privacy and data protection are considered out of scope unless otherwise justified and agreed by the group (e.g., considering AI technologies as involving personal data is within scope, and by extension, the AI Act is in scope)
Topics such as IP, copyright, trademarks, and trade secrets are out of scope beyond their acknowledgement as relevant measures (e.g., to protect personal data)
Implementation of the DPVCG's outputs for private or organisation-specific applications or projects is out of scope. The DPVCG members can be approached to provide advice and to participate in an individual capacity in such matters. Using an organisation's use-cases to improve the DPVCG's outputs, for example, through additional concepts, is within scope.
Conformity assessments or certifications for guides, mappings, and schemas provided by the DPVCG are out of scope. This means the DPVCG will work on providing information and specifications, but will not act as a body to authorise or certify their implementations.
The Data Privacy Vocabulary (DPV), referred to by its canonical IRI https://w3id.org/dpv, is the primary output of the DPVCG. The DPVCG provides additional extensions that extend the DPV through a consensus-led decision process to ensure they are within the scope defined in this charter.
Documentation: This includes a Primer to assist with understanding the DPV, and Guides for assisting with specific objectives or topics. Guides can contain recommendations for consistent and interoperable use of the DPV.
Mappings: The DPVCG provides mappings that specify how the DPV's concepts align with the concepts provided in established external vocabularies. The goal of this is to assist in the use of the DPV with other existing vocabularies. For example, the mapping from DPV to ODRL to align with the established W3C standard for policy expression.
Schemas: For use of DPV in a well-defined and constrained manner for a specific topic or objective. For example, for indicating consent records as defined by ISO/IEC TS 27560:2023 and EU GDPR.
Examples that illustrate the use of DPV are non-normative
Use-cases that describe scenarios and requirements are non-normative and represent information that assists in the development of the DPV
The DPVCG is interested in maintaining liaisons with the following groups. The list of groups may be changed, and will be reflected when the charter is next updated.
W3C:
Liaison with the W3C ODRL CG, as there is an overlap in scope, outputs (e.g., DPV and ODRL both model policies and concepts). There are overlapping members between the DPVCG and ODRL CG who conduct the liaison.
Privacy Interest Group (PING) and Privacy CG are relevant regarding privacy, where their work may provide additional requirements, concepts, and guidance for the development of technical measures in DPV. Similarly, the outputs of the DPV may be of use to these stakeholders to understand and represent information.
Other Standards Development Organisations where the DPVCG members may utilise the outputs of the DPVCG directly (i.e., referenced in the document) or indirectly (e.g., by using DPV's concepts to understand information requirements)
ISO/IEC: JTC1/SC27 regarding cybersecurity and privacy, and JTC1/SC42 regarding artificial intelligence. There are overlapping members between the DPVCG and these groups. There is no formal liaison.
CEN/CENELEC: JTC13 regarding cybersecurity and privacy, and JTC21 regarding artificial intelligence. There are overlapping members between the DPVCG and these groups. There is no formal liaison.
IEEE: There are overlapping members between the DPVCG and efforts such as IEEE P7012. There is no formal liaison.
Interoperable Europe and SEMIC program: These represent similar initiatives for creating vocabularies and associated topics (e.g., legal compliance). There are overlapping members between the DPVCG and these groups. There is no formal liaison.
The group operates under the Community and Business Group Process. Terms in this Charter that conflict with those of the Community and Business Group Process are void.
As with other Community Groups, W3C seeks organizational licensing commitments under the W3C Community Contributor License Agreement (CLA). When people request to participate without representing their organization's legal interests, W3C will in general approve those requests for this group with the following understanding: W3C will seek and expect an organizational commitment under the CLA starting with the individual's first request to make a contribution to a group deliverable. The section on contribution mechanics describes how W3C expects to monitor these contribution requests.
The W3C Code of Ethics and Professional Conduct applies to participation in this group.
The group will not publish work on topics other than those listed under Deliverables
Substantive Contributions to Specifications can only be made by Community Group Participants who have agreed to the W3C Community Contributor License Agreement (CLA).
Specifications created in the Community Group must use the W3C Software and Document License. All other documents produced by the group should use that License where possible.
Community Group participants agree to make all contributions in the GitHub repo the group is using for the particular document. This may be in the form of raising an issue (preferred), a pull request, by adding a comment to an existing issue, or via the mailing list (which will then be managed as a github issue).
All GitHub repositories attached to the Community Group must contain a copy of the CONTRIBUTING and LICENSE files.
The group will conduct all of its technical work in public. If the group uses GitHub, all technical work will occur in its GitHub repositories (and not in mailing list discussions). This is to ensure contributions can be tracked through a software tool. Mailing lists may still be used for discussions and communications, but all work must be consolidated and then managed through the Github repo and issues.
Meetings may be restricted to Community Group participants, but a public summary or minutes must be posted to the group's public mailing list, or to a GitHub issue if the group uses GitHub.
If the decision policy is documented somewhere, update this section accordingly to link to it.
This group will seek to make decisions where there is consensus. Groups are free to decide how to make decisions (e.g. Participants who have earned Committer status for a history of useful contributions assess consensus, or the Chair assesses consensus, or where consensus isn't clear there is a Call for Consensus [CfC] to allow multi-day online feedback for a proposed course of action). It is expected that participants can earn Committer status through a history of valuable contributions as is common in open source projects. After discussion and due consideration of different opinions, a decision should be publicly recorded (where GitHub is used as the resolution of an Issue).
If substantial disagreement remains (e.g. the group is divided) and the group needs to decide an Issue in order to continue to make progress, the Committers will choose an alternative that had substantial support (with a vote of Committers if necessary). Individuals who disagree with the choice are strongly encouraged to take ownership of their objection by taking ownership of an alternative fork. This is explicitly allowed (and preferred to blocking progress) with a goal of letting implementation experience inform which spec is ultimately chosen by the group to move ahead with.
Any decisions reached at any meeting are tentative and should be recorded in a GitHub Issue for groups that use GitHub and otherwise on the group's public mail list. Any group participant may object to a decision reached at an online or in-person meeting within 7 days of publication of the decision provided that they include clear technical reasons for their objection. The Chairs will facilitate discussion to try to resolve the objection according to this decision process.
It is the Chairs' responsibility to ensure that the decision process is fair, respects the consensus of the CG, and does not unreasonably favour or discriminate against any group participant or their employer.
Participants in this group choose their Chair(s) and can replace their Chair(s) at any time using whatever means they prefer. However, if 5 participants, no two from the same organisation, call for an election, the group must use the following process to replace any current Chair(s) with a new Chair, consulting the Community Development Lead on election operations (e.g., voting infrastructure and using RFC 2777).
The call for an election should be made on the public mailing list and by current member(s) of the DPVCG. If such a call is made within a meeting, the minutes should be posted to the mailing list with the call.
Participants that are DPVCG members announce their candidacies. Participants have at least 14 days to announce their candidacies, but this period ends as soon as all participants have announced their intentions. If there is only one candidate, that person becomes the Chair. If there are two or more candidates, there is a vote. Otherwise, nothing changes. If the chair fails to inform the group about the election within 2 weeks of accumulating 5 votes, the process can be assumed to have automatically started and members can announce their candidacy.
Participants that are DPVCG members vote. Participants have at least 21 days to vote for a single candidate or for multiple positions (if applicable), but this period ends as soon as all participants have voted. The individual(s) who receives the most votes, no two from the same organisation, is elected chair. In case of a tie, RFC2777 is used to break the tie. An elected Chair may appoint co-Chairs directly if there are no objections, or may use the election process for the same.
Participants dissatisfied with the outcome of an election may ask the Community Development Lead to intervene. The Community Development Lead, after evaluating the election, may take any action including no action. For information, see https://www.w3.org/community/about/process/
The group can decide to work on a proposed amended charter, editing the text using the decision process described above. The decision on whether to adopt the amended charter is made by conducting a 30-day vote on the proposed new charter. The new charter, if approved, takes effect on either the proposed date in the charter itself, or 7 days after the result of the election is announced, whichever is later. A new charter must receive 2/3 of the votes cast in the approval vote to pass. The group may make simple corrections to the charter such as deliverable dates by the simpler group decision process rather than this charter amendment process. The group will use the amendment process for any substantive changes to the goals, scope, deliverables, decision process or rules for amending the charter.