The Open Digital Rights Language (ODRL) is a policy expression language that provides a flexible and interoperable information model, vocabulary, and encoding mechanisms for representing statements about the usage of content and services.

This document constitutes an ODRL profile that adapts the ODRL Core Model and Vocabulary with concepts and terms to support regulatory compliance checking of business policies.

In essence, ODRL Regulatory Compliance Profile policies are used to represent regulatory permissions, prohibitions, obligations, and dispensations, which may be limited by constraints (e.g., temporal, spatial).

Significant portions of this document are reproduced from the ODRL Information Model standard. We would particularly like to thank Benedict Whittamsmith (Refinitiv) and Piero Bonatti (CeRICT) for their comments on this draft specification.

Introduction

This document provides an overview of the ODRL Regulatory Compliance Profile classes and properties. The work is guided by our analysis of Article 6 "Lawfulness of processing" and Article 46 "Transfers subject to appropriate safeguards" of the GDPR. At this stage we are not aiming to be exhaustive in terms of modelling the GDPR but rather to demonstrate the potential of ODRL for modelling regulatory obligations.

Aims of the Model

The primary aim of the ODRL Regulatory Compliance Profile model is to provide a model and vocabularies that can be used to express permissions, prohibitions, obligations, and dispensations in a manner such that they can be checked automatically.

The examples throughout the document are serialized as [[json-ld]] and [[turtle]].

The examples presented here make use of the following prefixes:

@prefix orcp: <http://example.com/odrl:profile:regulatory-compliance/> .

@prefix odrl: <http://www.w3.org/ns/odrl/2/> .

@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

Terminology

Policy
One or more Rules.
Set
A set of one or more Rules.
ConflictTerm
A means to specify the conflict resolution strategy.
Rule
An abstract concept that represents the common characteristics of Permissions, Prohibitions, Obligations and Dispensations.
Action
Something done or performed.
Resource
An object or a collection of objects that are the subject of a Rule.
Party
An entity or a collection of entities that undertake roles in a Rule.
Permission
Indication that an Action is allowed.
Prohibition
Indication that an Action is not allowed.
Obligation
An Action that must be performed.
Dispensation
The exemption from an obligation.
Constraint
An expression that refines a Rule.
PredicateConstraint
A constraint that relates to a given predicate.
ODRL Core Vocabulary
The set of terms that are represented by the ODRL Information Model.
ODRL Profile
An adaptation of the ODRL Core Model and Vocabulary in order to meet the needs of a specific community or sector.
ODRL Common Vocabulary
A set of generic terms that may be re-used by ODRL Profiles.
ODRL Regulatory Compliance Profile Vocabulary
A set of terms used to specify regulatory policies.

ODRL Regulatory Compliance Profile

The ODRL Regulatory Compliance Profile model represents Policies that express Permissions, Prohibitions, Obligations, and Dispensations related to actions.

The figure below shows the ODRL Regulatory Compliance Profile model, which is an adaptation of the ODRL Information model.

Figure: The ODRL Regulatory Compliance Profile model.

The ODRL Regulatory Compliance Profile model has the following core classes:

Policy Class

The Policy class has the following properties:

Set subClass

An ODRL Policy of subclass Set represents any combination of Rules. The Set Policy subclass is also the default subclass of Policy (if none is specified).

conflict property

The conflict property is used to establish strategies to resolve conflicts that arise from the merging of Policies or conflicts between Permissions, Prohibitions and Obligations in the same Policy. Conflicts may arise when merging Policies as a result of policy inheritance and the resultant Rules are inconsistent.

inheritedFrom property

A property which is used to cater for policy inheritance.

profile property

A property which is used to specify the policy's profile.

permission/prohibition/obligation/dispensation properties

Properties that relate rules of type Permission, Prohibition, Obligation, or Dispensation to a Policy.

ConflictTerm Class

The conflict property is used to establish strategies to resolve conflicts that arise from the merging of Policies or conflicts between Permissions/Obligations and Prohibitions in the same Policy. Conflicts may arise when merging Policies, as a result of policy inheritance, or when Rules are inconsistent.

The conflict property SHOULD take one of the following conflict strategy preference values (instances of the ConflictTerm class):

If the conflict property is not explicitly set, the default of invalid will be used.

The conflict strategy requirements include:

  1. If a Policy has the conflict property of perm then any conflicting Permission/Obligation Rule MUST override the Prohibition Rule.
  2. If a Policy has the conflict property of prohibit then any conflicting Prohibition Rule MUST override the Permission/Obligation Rule.
  3. If a Policy has the conflict property of invalid then any conflicting Rules MUST void the entire Policy.
  4. If a Policy has multiple conflict property values (for example, after a Policy merge or inheritance) and there are conflicting Rules then the entire Policy MUST be void.
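
The four requirements above applied to a merged policy, as an added example in Python (not part of the profile). The function names, the dict layout, and the rule that two Rules conflict when a Permission/Obligation and a Prohibition share the same action and data are assumptions made for the example.

```python
DEFAULT_STRATEGY = "invalid"  # the default when the conflict property is not set
RULE_KINDS = ("permission", "prohibition", "obligation")


def merge(parent, child):
    """Merge a policy with the one it inherits from, keeping every conflict value."""
    merged = {"conflict": set()}
    for policy in (parent, child):
        merged["conflict"].add(policy.get("conflict", DEFAULT_STRATEGY))
        for kind in RULE_KINDS:
            merged.setdefault(kind, []).extend(policy.get(kind, []))
    return merged


def rule_key(rule):
    # Assumption: rules address the same thing when action and data are equal.
    return (rule["action"], rule["data"])


def conflicting_keys(policy):
    """Keys that are both prohibited and permitted/obliged in the same policy."""
    prohibited = {rule_key(r) for r in policy.get("prohibition", [])}
    allowed = {rule_key(r) for kind in ("permission", "obligation")
               for r in policy.get(kind, [])}
    return allowed & prohibited


def resolve(policy):
    """Return ("valid", policy without overridden rules) or ("void", None)."""
    strategies = policy.get("conflict", DEFAULT_STRATEGY)
    if isinstance(strategies, str):
        strategies = {strategies}
    clashes = conflicting_keys(policy)
    if not clashes:
        return "valid", policy
    if len(strategies) > 1:           # requirement 4: several strategies
        return "void", None
    strategy = next(iter(strategies))
    if strategy == "perm":            # requirement 1: Permission/Obligation wins
        losers = ("prohibition",)
    elif strategy == "prohibit":      # requirement 2: Prohibition wins
        losers = ("permission", "obligation")
    else:                             # requirement 3: "invalid" (or unknown value)
        return "void", None
    resolved = dict(policy)
    for kind in losers:
        resolved[kind] = [r for r in policy.get(kind, [])
                          if rule_key(r) not in clashes]
    return "valid", resolved


# Constructed sample policies using terms from this profile.
TRANSFER = {"action": "Transfer", "data": "PersonalData"}
PROCESSING = {"action": "Processing", "data": "PersonalData"}
PARENT = {"conflict": "prohibit", "prohibition": [TRANSFER]}
CHILD_PROHIBIT = {"conflict": "prohibit", "permission": [TRANSFER, PROCESSING]}
CHILD_PERM = {"conflict": "perm", "permission": [TRANSFER, PROCESSING]}
CHILD_UNSET = {"permission": [TRANSFER, PROCESSING]}

if __name__ == "__main__":
    for child in (CHILD_PROHIBIT, CHILD_PERM, CHILD_UNSET):
        print(child.get("conflict", "(unset)"), "->", resolve(merge(PARENT, child))[0])
```

A child policy that leaves the conflict property unset contributes the default invalid, so merging it with a parent that sets prohibit yields two strategy values and any conflicting Rules void the merged policy.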

Action Class

An Action class indicates an operation.

The ODRL Regulatory Compliance Profile model defines the following top-level Actions:

The Action class has the following properties:

Based on the analysis of Articles 6 and 46 of the GDPR, we propose the following subclasses of the Processing class:

Resource Class

A Resource class is a resource or a collection of resources that are the subject of a Rule. The Resource can be any form of identifiable resource, such as data/information, content/media, applications, services, or physical artefacts.

The Resource class has the following properties:

Based on the analysis of Articles 6 and 46 of the GDPR, we propose the following entities of type Resource :

hasPolicy property

An ODRL Policy class MAY also be referenced by the hasPolicy property. This supports ODRL Policy Rules being the object of external metadata expressions (that identifies a Resource). When hasPolicy has been asserted between a metadata expression and an ODRL Policy, the Resource being identified MUST be inferred to be the resource of all the Rules of that Policy. If there are multiple Rules in the Policy, then the inferred Resource will be the target Resource to every Rule in the Policy.

Party Class

A Party is an entity or a collection of entities that undertake roles in a Rule, such as a person, collection of people, organisation, or agent. The Party performs (or does not perform) Actions or has a function in an Obligation.

The Party class has the following properties:

Based on the analysis of Articles 6 and 46 of the GDPR, we propose the following entities of type Party:

LegalBasis Class

A class denoting the legal basis for processing.

The profile has the following subclasses of type LegalBasis that are associated with an action via the legalBasis property:

Location Class

A class denoting the location of the processing.

The profile has the following subclasses of type Location that are associated with an action via the location property:

Purpose Class

A class denoting the reason for the processing.

The profile has the following subclasses of type Purpose that are associated with an action via the purpose property:

Constraint Class

The Constraint class is used to specify expressions that can be used to refine the semantics of an Action or declare the conditions applicable to a Rule. When multiple Constraints apply to the same Rule or Action, then they are interpreted as a conjunction and all MUST be satisfied.

PredicateConstraint subClass

A PredicateConstraint class is used for expressions which compare two operands by one relational operator, where the leftOperand is a predicate and the rightOperand is an object. If the comparison returns a match the PredicateConstraint is satisfied, otherwise it is not satisfied. The Constraint class formulates a comparison expression, such as, orcp:organisationType (the leftOperand) must be equal to (the operator) orcp:InternationalOrganisation (the rightOperand).

The Constraint class has the following properties:

  • A Constraint MUST have none or one uid property value (of type IRI [[!rfc3987]]) to identify the Constraint.
  • A Constraint MUST have one leftOperand property value of type LeftOperand.
  • A Constraint MUST have one operator property value of type Operator.
  • A Constraint MUST have one rightOperand property value of type RightOperand.

leftOperand property

Used to define the predicate of the constraint which must be satisfied.

operator property

Used to define the operator for the constraint which must be satisfied.

This profile adopts the following top-level Operators:

  • isA
  • isAnyOf

RightOperand Class

Used to define the object of the constraint that must be satisfied.

Rule Class

The Rule class is the parent of the Permission, Prohibition, Obligation and Dispensation classes. The Rule class represents the common characteristics of these five classes. A Rule class MUST be disjoint with all other Rule subclasses.

The Rule class has the following properties:

We need to determine where we are going to host this page as it affects the namespace "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",

Permission subClass

A Permission allows an action to be exercised if all constraints are satisfied and if all obligations are fulfilled.

The Permission class is a subclass of, and inherits all the properties from, the Rule class.

Example: Article 6, Paragraph 1, of the GDPR.

"Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party...."

For now we ignore the exception specified in Article 6, paragraph 1, point f. We will deal with this in examples 3 & 4.

{
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:gdpr-article6",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",
    "permission": [{
        "uid": "http://example.com/policy:gdpr-article6-para1",
        "action": "Processing",
        "data": "PersonalData",
        "predicateConstraint": {
	    "leftOperand": "legalBasis",
            "operator": "isAnyOf",
            "rightOperand": { 
                "@list": [ 
                    { "@id": "Consent" },
                    { "@id": "Contract" }, 
                    { "@id": "LegalObligation" }, 
                    { "@id": "VitalInterest" }, 
                    { "@id": "PublicInterest" }, 
                    { "@id": "ExerciseOfOfficialAuthority" }, 
                    { "@id": "LegitimateInterest" } 
                ]    	  
            }
        }
    }]
}

<http://example.com/policy:gdpr-article6> a orcp:Set ;
    orcp:permission <http://example.com/policy:gdpr-article6-para1> ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> .

<http://example.com/policy:gdpr-article6-para1> odrl:action orcp:Processing ;
    orcp:data orcp:PersonalData ;
    odrl:predicateConstraint 
	[ odrl:leftOperand orcp:legalBasis ;
          odrl:operator odrl:isAnyOf ;
          odrl:rightOperand ( orcp:Consent 
                              orcp:Contract 
                              orcp:LegalObligation 
                              orcp:VitalInterest 
                              orcp:PublicInterest
                              orcp:ExerciseOfOfficialAuthority 
                              orcp:LegitimateInterest ) 
        ] .

Prohibition subClass

A Prohibition disallows an action to be exercised if all constraints are satisfied.

The Prohibition class is a subclass of, and inherits all the properties from, the Rule class.

Example: Article 6, Paragraph 1, of the GDPR.

"Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

{
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:gdpr-article6",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",
    "permission": [{
        "uid": "http://example.com/policy:gdpr-article6-para1",
        "action": "Processing",
        "data": "PersonalData",
        "predicateConstraint": {
	    "leftOperand": "legalBasis",
            "operator": "isAnyOf",
            "rightOperand": { 
                "@list": [ 
                    { "@id": "Consent" },
                    { "@id": "Contract" }, 
                    { "@id": "LegalObligation" }, 
                    { "@id": "VitalInterest" }, 
                    { "@id": "PublicInterest" }, 
                    { "@id": "ExerciseOfOfficialAuthority" }, 
                    { "@id": "LegitimateInterest" } 
                ]    	  
            }
        },
        "prohibition": [{
            "legalBasis": "LegitimateInterest",
            "predicateConstraint": [{
		"leftOperand": "action",
		"operator": "isA",
		"rightOperand": "ProcessingEffectingFundamentalRightsAndFreedomsOfTheDataSubject" 
            }]
        }]

    }]
}

<http://example.com/policy:gdpr-article6> a orcp:Set ;
    orcp:permission <http://example.com/policy:gdpr-article6-para1> ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> .

<http://example.com/policy:gdpr-article6-para1> odrl:action orcp:Processing ;
    orcp:data orcp:PersonalData ;
    odrl:predicateConstraint 
	[ odrl:leftOperand orcp:legalBasis ;
          odrl:operator odrl:isAnyOf ;
          odrl:rightOperand ( orcp:Consent 
                              orcp:Contract 
                              orcp:LegalObligation 
                              orcp:VitalInterest 
                              orcp:PublicInterest
                              orcp:ExerciseOfOfficialAuthority 
                              orcp:LegitimateInterest ) 
	] ;
    orcp:prohibition 
        [ orcp:legalBasis orcp:LegitimateInterest ;
	  odrl:predicateConstraint 
	      [ odrl:leftOperand odrl:action ;
                odrl:operator odrl:isA ;
                odrl:rightOperand orcp:ProcessingEffectingFundamentalRightsAndFreedomsOfTheDataSubject 
              ] 
        ]. 

Obligation subClass

An Obligation is a requirement to perform an action. An Obligation is fulfilled if all constraints are satisfied and if its action has been exercised.

The Obligation class is a subclass of, and inherits all the properties from, the Rule class.

Example: transfers. Transfers are permitted if there are binding corporate rules in accordance with Article 47; ....

 {
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:gdpr-article46",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",

    "permission": [{
        "action": "Transfer",
	"data": "PersonalData",
        "predicateConstraint": [{
            "or": { 
                "@list": [{
                    "leftOperand": "organisationType",
                    "operator": "isA",
                    "rightOperand": { "@id": "InternationalOrganisation" }
                 },{
                    "leftOperand": "recipientLocation",
                    "operator": "isA",
                    "rightOperand": { "@id": "ThirdCountry" }
                }]
	    }
        }],
        "obligation": [{
            "predicateConstraint": [{
		"leftOperand": "appropriateSafeguards",
                "operator": "isAnyOf",
                "rightOperand": { 
                    "@list": [ 
                    	{ "@id": "LegallyBindingEnforceableInstrument" },
                        { "@id": "BindingCorporateRules"  },
                        { "@id": "StandardDataProtectionClauses" },
                        { "@id": "ApprovedCodeOfConduct"  },  
                        { "@id": "ApprovedCertificateMechanism"  }  
                ]}
            }]	    
        },{
	     "predicateConstraint": [{
             	"leftOperand": "dataSubjectProvisions",
             	"operator": "isA",
             	"rightOperand": { "@id": "EnforceableDataSubjectRights"}
             }]
        },{
	     "predicateConstraint": [{
             	"leftOperand": "dataSubjectProvisions",
             	"operator": "isA",
             	"rightOperand": { "@id": "LegalRemediesForDataSubjects"}
             }]
        }]
    }]
}

<http://example.com/policy:gdpr-article46> a orcp:Set ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> ;
    orcp:permission 
	[ odrl:action orcp:Transfer ;
	  orcp:data orcp:PersonalData ;
          odrl:predicateConstraint 
		[ odrl:or ( 
                        [ odrl:leftOperand orcp:organisationType ;
                          odrl:operator odrl:isA ;
                          odrl:rightOperand orcp:InternationalOrganisation 
                        ] 
                        [ odrl:leftOperand orcp:recipientLocation ;
                          odrl:operator odrl:isA ;
                          odrl:rightOperand orcp:ThirdCountry 
                        ] ) 
		] ;
          orcp:obligation 
		[ odrl:predicateConstraint 
			[ odrl:leftOperand orcp:dataSubjectProvisions ;
                          odrl:operator odrl:isA ;
                          odrl:rightOperand orcp:EnforceableDataSubjectRights
                        ] 
                ],
                [ odrl:predicateConstraint 
			[ odrl:leftOperand orcp:dataSubjectProvisions ;
                          odrl:operator odrl:isA ;
                          odrl:rightOperand orcp:LegalRemediesForDataSubjects 
                        ] 
		],
                [ odrl:predicateConstraint 
			[ odrl:leftOperand orcp:appropriateSafeguards ;
                          odrl:operator odrl:isAnyOf ;
                          odrl:rightOperand ( orcp:LegallyBindingEnforceableInstrument 
					      orcp:BindingCorporateRules 
                                              orcp:StandardDataProtectionClauses 
					      orcp:ApprovedCodeOfConduct  
                                              orcp:ApprovedCertificateMechanism ) 
                        ] 
		] 
	] .

Dispensation subClass

A Dispensation is an exemption from the obligation to perform an action.

The Dispensation class is a subclass of, and inherits all the properties from, the Rule class.

Example: Article 6 paragraph 2. ...... Point f of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

{
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:gdpr-article6",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",
    "permission": [{
        "uid": "http://example.com/policy:gdpr-article6-para1",
        "action": "Processing",
        "data": "PersonalData",
        "predicateConstraint": {
	    "leftOperand": "legalBasis",
            "operator": "isAnyOf",
            "rightOperand": { 
                "@list": [ 
                    { "@id": "Consent" },
                    { "@id": "Contract" }, 
                    { "@id": "LegalObligation" }, 
                    { "@id": "VitalInterest" }, 
                    { "@id": "PublicInterest" }, 
                    { "@id": "ExerciseOfOfficialAuthority" }, 
                    { "@id": "LegitimateInterest" } 
                ]    	  
            }
        },
        "prohibition": [{
            "legalBasis": "LegitimateInterest",
            "predicateConstraint": [{
		"leftOperand": "action",
		"operator": "isA",
		"rightOperand": "ProcessingEffectingFundamentalRightsAndFreedomsOfTheDataSubject" 
            }],
            "dispensation": [{
                "predicateConstraint": [{
                    "and": { 
                        "@list": [{
                            "leftOperand": "organisationType",
                            "operator": "isA",
                            "rightOperand": "PublicAuthority"
                         },{
                            "leftOperand": "purpose",
                            "operator": "isA",
                            "rightOperand": "PublicAuthorityTask"
                        }]
	            }
                }]
            }]
        }]

    }]
}

<http://example.com/policy:gdpr-article6> a orcp:Set ;
    orcp:permission <http://example.com/policy:gdpr-article6-para1> ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> .

<http://example.com/policy:gdpr-article6-para1> odrl:action orcp:Processing ;
    orcp:data orcp:PersonalData ;
    odrl:predicateConstraint 
	[ odrl:leftOperand orcp:legalBasis ;
          odrl:operator odrl:isAnyOf ;
          odrl:rightOperand ( orcp:Consent 
                              orcp:Contract 
                              orcp:LegalObligation 
                              orcp:VitalInterest 
                              orcp:PublicInterest
                              orcp:ExerciseOfOfficialAuthority 
                              orcp:LegitimateInterest ) 
	] ;
    orcp:prohibition 
	[ orcp:legalBasis orcp:LegitimateInterest ;
	  odrl:predicateConstraint 
	       [ odrl:leftOperand odrl:action ;
              	 odrl:operator odrl:isA ;
              	 odrl:rightOperand orcp:ProcessingEffectingFundamentalRightsAndFreedomsOfTheDataSubject 
               ] ;
	  orcp:dispensation 
	      [ odrl:predicateConstraint 
		     [ odrl:and ( 
                         [ odrl:leftOperand orcp:organisationType ;
                           odrl:operator odrl:isA ;
                           odrl:rightOperand orcp:PublicAuthority 
                         ] 
                         [ odrl:leftOperand orcp:purpose ;
                           odrl:operator odrl:isA ;
                           odrl:rightOperand orcp:PublicAuthorityTask 
                         ] ) 
		     ] 
               ]
	] .		            

relation property

A relation property is used to link a Rule to a Resource. The relation property itself is abstract; sub-properties represent explicit semantics of the relationship between the Resource and the Rule.

The profile has the following sub-properties of relation:

  • data: indicates the Resource referred to in the rule.

function property

A function property is used to link a Rule to a Party, indicating the function undertaken by the Party in respect to the Rule that links to it. The function property itself is abstract; sub-properties represent explicit semantics of the functional role between the Party and the Rule.

The profile has the following sub-properties of function:

  • controller
  • processor
  • sender
  • recipient
  • responsibleParty

action property

A property that is used to relate an Action to a Rule.

constraint property

Specifies a constraint which must be satisfied in order for the rule to be valid.

permission/prohibition/obligation/dispensation property

A property that allows for the nesting of rules of type Permission, Prohibition, Obligation, or Dispensation.

legalBasis property

A property used to assert the legal basis for processing. This property is used to link a Rule to a LegalBasis.

purpose property

A property used to assert the purpose for the processing. This property is used to link a Rule to a Purpose.

processingLocation property

A property used to assert the location of the processing. This property is used to link a Rule to a Location.

recipientLocation property

A property used to assert the location where the recipient is located. This property is used to link a Rule to a Location.

organisationType property

A property used to assert the type of organisation. This property is used to link a Rule to a Party.

appropriateSafeguards property

A property used to assert the type of safeguards that are in place. This property is used to link a Rule to a Resource of type AppropriateSafeguards.

dataSubjectProvisions property

A property used to assert the data subject provisions that are in place. This property is used to link a Rule to a Resource of type DataSubjectProvisions.

Examples

In this chapter we demonstrate how Article 6 Lawfulness of processing and Article 46 Transfers subject to appropriate safeguards would be modelled using the proposed ODRL Regulatory Compliance Profile.

GDPR Lawfulness of Processing

According to Article 6, Paragraph 1, of the GDPR:

"Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."

Article 6 Lawfulness of processing

Example: Article 6 Lawfulness of processing.

{
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:gdpr-article6",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",
    "permission": [{
        "uid": "http://example.com/policy:gdpr-article6-para1",
        "action": "Processing",
        "data": "PersonalData",
        "predicateConstraint": {
	    "leftOperand": "legalBasis",
            "operator": "isAnyOf",
            "rightOperand": { 
                "@list": [ 
                    { "@id": "Consent" },
                    { "@id": "Contract" }, 
                    { "@id": "LegalObligation" }, 
                    { "@id": "VitalInterest" }, 
                    { "@id": "PublicInterest" }, 
                    { "@id": "ExerciseOfOfficialAuthority" }, 
                    { "@id": "LegitimateInterest" } 
                ]    	  
            }
        },
        "prohibition": [{
            "legalBasis": "LegitimateInterest",
            "predicateConstraint": [{
		"leftOperand": "action",
		"operator": "isA",
		"rightOperand": "ProcessingEffectingFundamentalRightsAndFreedomsOfTheDataSubject" 
            }],
            "dispensation": [{
                "predicateConstraint": [{
                    "and": { 
                        "@list": [{
                            "leftOperand": "organisationType",
                            "operator": "isA",
                            "rightOperand": "PublicAuthority"
                         },{
                            "leftOperand": "purpose",
                            "operator": "isA",
                            "rightOperand": "PublicAuthorityTask"
                        }]
	            }
                }]
            }]
        }]

    }]
}

<http://example.com/policy:gdpr-article6> a orcp:Set ;
    orcp:permission <http://example.com/policy:gdpr-article6-para1> ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> .

<http://example.com/policy:gdpr-article6-para1> odrl:action orcp:Processing ;
    orcp:data orcp:PersonalData ;
    odrl:predicateConstraint 
	[ odrl:leftOperand orcp:legalBasis ;
          odrl:operator odrl:isAnyOf ;
          odrl:rightOperand ( orcp:Consent 
                              orcp:Contract 
                              orcp:LegalObligation 
                              orcp:VitalInterest 
                              orcp:PublicInterest
                              orcp:ExerciseOfOfficialAuthority 
                              orcp:LegitimateInterest ) 
	] ;
    orcp:prohibition 
	[ orcp:legalBasis orcp:LegitimateInterest ;
	  odrl:predicateConstraint 
		[ odrl:leftOperand odrl:action ;
                  odrl:operator odrl:isA ;
                  odrl:rightOperand orcp:ProcessingEffectingFundamentalRightsAndFreedomsOfTheDataSubject 
                ] ;
	  orcp:dispensation 
		[ odrl:predicateConstraint 
			[ odrl:and ( 
                              [ odrl:leftOperand orcp:organisationType ;
                                odrl:operator odrl:isA ;
                                odrl:rightOperand orcp:PublicAuthority 
                              ] 
                              [ odrl:leftOperand orcp:purpose ;
                                odrl:operator odrl:isA ;
                                odrl:rightOperand orcp:PublicAuthorityTask 
                              ] ) 
			] 
                ]		            
	] .

Business policy permission for Processing, inside the EU, with consent of the data subject

Example: Processing, inside the EU, with consent of the data subject.

{
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:bp-processing-withLegalBasis",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",
    "permission": [{
        "action": "Processing",
	"data": "PersonalData",
	"controller": "http://example.com/CompanyA",
	"purpose" : "PersonalRecommendations",
	"processingLocation" : "EU",
        "legalBasis": "Consent",
	"responsibleParty": "Controller"
    }]
}

<http://example.com/policy:bp-processing-withLegalBasis> a orcp:Set ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> ;
    orcp:permission 
	[ odrl:action orcp:Processing ;
          orcp:data orcp:PersonalData ;
          orcp:controller <http://example.com/CompanyA> ;
          orcp:purpose orcp:PersonalRecommendations ;
          orcp:ProcessingLocation orcp:EU ;
	  orcp:legalBasis orcp:Consent ; 
          orcp:responsibleParty orcp:Controller
        ] .

Example: Processing, inside the EU, with consent of the data subject, without a legal basis.

{
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:bp-processing-withoutLegalBasis",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",
    "permission": [{
        "action": "Processing",
	"data": "PersonalData",
	"controller": "http://example.com/CompanyA",
	"purpose" : "PersonalRecommendations",
	"processingLocation" : "EU",
	"responsibleParty": "Controller"
    }]
}

<http://example.com/policy:bp-processing-withoutLegalBasis> a orcp:Set ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> ;
    orcp:permission 
	[ odrl:action orcp:Processing ;
          orcp:data orcp:PersonalData ;
          orcp:controller <http://example.com/CompanyA> ;
          orcp:purpose orcp:PersonalRecommendations ;
          orcp:ProcessingLocation orcp:EU ;
          orcp:responsibleParty orcp:Controller
        ] .

GDPR Lawfulness of Transfers

According to Article 46 of the GDPR:

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) binding corporate rules in accordance with Article 47;

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

Article 46 Transfers subject to appropriate safeguards

Example: Article 46 Transfers subject to appropriate safeguards.

 {
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:gdpr-article46",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",

    "permission": [{
        "action": "Transfer",
	"data": "PersonalData",
        "predicateConstraint": [{
            "or": { 
                "@list": [{
                    "leftOperand": "organisationType",
                    "operator": "isA",
                    "rightOperand": { "@id": "InternationalOrganisation" }
                 },{
                    "leftOperand": "recipientLocation",
                    "operator": "isA",
                    "rightOperand": { "@id": "ThirdCountry" }
                }]
	    }
        }],
        "obligation": [{
            "predicateConstraint": [{
		"leftOperand": "appropriateSafeguards",
                "operator": "isAnyOf",
                "rightOperand": { 
                    "@list": [ 
                    	{ "@id": "LegallyBindingEnforceableInstrument" },
                        { "@id": "BindingCorporateRules"  },
                        { "@id": "StandardDataProtectionClauses" },
                        { "@id": "ApprovedCodeOfConduct"  },  
                        { "@id": "ApprovedCertificateMechanism"  }  
                ]}
            }]	    
        },{
	     "predicateConstraint": [{
             	"leftOperand": "dataSubjectProvisions",
             	"operator": "isA",
             	"rightOperand": { "@id": "EnforceableDataSubjectRights"}
             }]
        },{
	     "predicateConstraint": [{
             	"leftOperand": "dataSubjectProvisions",
             	"operator": "isA",
             	"rightOperand": { "@id": "LegalRemediesForDataSubjects"}
             }]
        }]
    }]
}

<http://example.com/policy:gdpr-article46> a orcp:Set ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> ;
    orcp:permission 
	[ odrl:action orcp:Transfer ;
	  orcp:data orcp:PersonalData ;
          odrl:predicateConstraint 
		[ odrl:or ( 
                        [ odrl:leftOperand orcp:organisationType ;
                          odrl:operator odrl:isA ;
                          odrl:rightOperand orcp:InternationalOrganisation 
                        ] 
                        [ odrl:leftOperand orcp:recipientLocation ;
                          odrl:operator odrl:isA ;
                          odrl:rightOperand orcp:ThirdCountry 
                        ] ) 
		] ;
          orcp:obligation 
		[ odrl:predicateConstraint 
			[ odrl:leftOperand orcp:dataSubjectProvisions ;
                          odrl:operator odrl:isA ;
                          odrl:rightOperand orcp:EnforceableDataSubjectRights
                        ] 
                ],
                [ odrl:predicateConstraint 
			[ odrl:leftOperand orcp:dataSubjectProvisions ;
                          odrl:operator odrl:isA ;
                          odrl:rightOperand orcp:LegalRemediesForDataSubjects 
                        ] 
		],
                [ odrl:predicateConstraint 
			[ odrl:leftOperand orcp:appropriateSafeguards ;
                          odrl:operator odrl:isAnyOf ;
                          odrl:rightOperand ( orcp:LegallyBindingEnforceableInstrument 
					      orcp:BindingCorporateRules 
                                              orcp:StandardDataProtectionClauses 
					      orcp:ApprovedCodeOfConduct  
                                              orcp:ApprovedCertificateMechanism ) 
                        ] 
		] 
	] .

Business policy permission request for international organisation.

Example: Transfer outside the EU by an international organisation.

 {
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:bp-transfer-withSafeguards",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",

    "permission": [{
        "action": "Transfer",
	"data": "PersonalData",
	"responsibleParty": "Controller",
	"organisationType": "InternationalOrganisation",
	"sender": "http://example.com/CompanyA_Ireland",
	"recipient": "http://example.com/CompanyA_USA",
	"recipientLocation": "ThirdCountry",
	"purpose": "PersonalRecommendations",
        "legalBasis": "Consent",
        "dataSubjectProvisions": ["EnforceableDataSubjectRights", "LegalRemediesForDataSubjects"],
	"appropriateSafeguards": "BindingCorporateRules"  
    }]
}

<http://example.com/policy:bp-transfer-withSafeguards> a orcp:Set ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> ;
    orcp:permission 
	[ odrl:action orcp:Transfer ;
          orcp:data orcp:PersonalData ;
          orcp:responsibleParty orcp:Controller ;          
	  orcp:organisationType orcp:InternationalOrganisation ;
          orcp:sender <http://example.com/CompanyA_Ireland> ;
          orcp:recipient <http://example.com/CompanyA_USA> ;
	  orcp:recipientLocation orcp:ThirdCountry ;
          orcp:purpose orcp:PersonalRecommendations ;
          orcp:legalBasis orcp:Consent ;
          orcp:dataSubjectProvisions orcp:EnforceableDataSubjectRights ;
          orcp:dataSubjectProvisions orcp:LegalRemediesForDataSubjects ;
	  orcp:appropriateSafeguards orcp:BindingCorporateRules 
        ] .

Example: Transfer outside the EU by an international organisation without appropriate safeguards.

 {
    "@context": "https://ai.wu.ac.at/policies/orcp/odrl_regulatory_profile.jsonid",
    "@type": "Set",
    "uid": "http://example.com/policy:bp-transfer-withoutSafeguards",
    "profile": "http://example.com/odrl:profile:regulatory-compliance",

    "permission": [{
        "action": "Transfer",
	"data": "PersonalData",
	"responsibleParty": "Controller",
	"organisationType": "InternationalOrganisation",
	"sender": "http://example.com/CompanyA_Ireland",
	"recipient": "http://example.com/CompanyA_USA",
	"recipientLocation": "ThirdCountry",
	"purpose": "PersonalRecommendations",
        "legalBasis": "Consent",
        "dataSubjectProvisions": ["EnforceableDataSubjectRights", "LegalRemediesForDataSubjects"]
    }]
}

<http://example.com/policy:bp-transfer-withoutSafeguards> a orcp:Set ;
    odrl:profile <http://example.com/odrl:profile:regulatory-compliance> ;
    orcp:permission 
	[ odrl:action orcp:Transfer ;
          orcp:data orcp:PersonalData ;
          orcp:responsibleParty orcp:Controller ;          
	  orcp:organisationType orcp:InternationalOrganisation ;
          orcp:sender <http://example.com/CompanyA_Ireland> ;
          orcp:recipient <http://example.com/CompanyA_USA> ;
	  orcp:recipientLocation orcp:ThirdCountry ;
          orcp:purpose orcp:PersonalRecommendations ;
          orcp:legalBasis orcp:Consent ;
          orcp:dataSubjectProvisions orcp:EnforceableDataSubjectRights ;
          orcp:dataSubjectProvisions orcp:LegalRemediesForDataSubjects 
        ] .
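
The check the two transfer business policies above are written for, as an added example (not part of the profile or its authors' tooling): the Article 46 permission is matched against a business permission and the unmet obligations are returned. Assumptions: the function names are hypothetical, a business permission is read as a flat attribute dictionary, `isA` is treated as exact term equality, and a rule applies when its action, data and predicateConstraint all match.

```python
import json

def ids(right):  # rightOperand is {"@id": x} or {"@list": [...]}; return the set of terms
    return {i["@id"] for i in right.get("@list", [right])}

def holds(constraint, attrs):
    """Evaluate one predicateConstraint entry against a business permission's attributes."""
    if "or" in constraint:
        return any(holds(c, attrs) for c in constraint["or"]["@list"])
    if constraint["operator"] not in ("isA", "isAnyOf"):
        raise ValueError("unsupported operator: " + constraint["operator"])
    value = attrs.get(constraint["leftOperand"], [])
    values = set(value) if isinstance(value, list) else {value}
    # Assumption: isA is exact term equality (no subclass reasoning); isAnyOf is membership.
    return bool(values & ids(constraint["rightOperand"]))

def unmet_obligations(rule, attrs):
    """None if the rule does not apply to attrs, else the obligations attrs fails to meet."""
    applies = (rule["action"], rule["data"]) == (attrs.get("action"), attrs.get("data"))
    if not (applies and all(holds(c, attrs) for c in rule["predicateConstraint"])):
        return None
    return [(c["leftOperand"], sorted(ids(c["rightOperand"]))) for o in rule["obligation"]
            for c in o["predicateConstraint"] if not holds(c, attrs)]

def con(left, op, *terms):  # example-only helper: one constraint in the page's JSON-LD shape
    right = {"@id": terms[0]} if len(terms) == 1 else {"@list": [{"@id": t} for t in terms]}
    return {"leftOperand": left, "operator": op, "rightOperand": right}

ARTICLE_46 = {"action": "Transfer", "data": "PersonalData",  # the page's gdpr-article46 rule
    "predicateConstraint": [{"or": {"@list": [
        con("organisationType", "isA", "InternationalOrganisation"),
        con("recipientLocation", "isA", "ThirdCountry")]}}],
    "obligation": [{"predicateConstraint": [c]} for c in (
        con("appropriateSafeguards", "isAnyOf", "LegallyBindingEnforceableInstrument",
            "BindingCorporateRules", "StandardDataProtectionClauses",
            "ApprovedCodeOfConduct", "ApprovedCertificateMechanism"),
        con("dataSubjectProvisions", "isA", "EnforceableDataSubjectRights"),
        con("dataSubjectProvisions", "isA", "LegalRemediesForDataSubjects"))]}

BP_WITH = {"action": "Transfer", "data": "PersonalData",  # bp-transfer-withSafeguards
    "organisationType": "InternationalOrganisation", "recipientLocation": "ThirdCountry",
    "dataSubjectProvisions": ["EnforceableDataSubjectRights", "LegalRemediesForDataSubjects"],
    "appropriateSafeguards": "BindingCorporateRules"}
BP_WITHOUT = {k: v for k, v in BP_WITH.items() if k != "appropriateSafeguards"}
# Constructed input: a repeated JSON key is not a list; json.loads keeps only the last value.
BP_REPEATED = dict(BP_WITH, **json.loads('{"dataSubjectProvisions": "EnforceableDataSubjectRights",'
                                         ' "dataSubjectProvisions": "LegalRemediesForDataSubjects"}'))
for name, bp in (("with", BP_WITH), ("without", BP_WITHOUT), ("repeated key", BP_REPEATED)):
    print(name, "->", unmet_obligations(ARTICLE_46, bp))
```

An unknown operator raises rather than evaluating to true, so a policy the checker cannot interpret is never reported as compliant.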