PersonalData Vocabulary

Namespace: com.sap.vocabularies.PersonalData.v1

Terms for annotating Personal Data

Definition

Personal Data is any information relating to an identified or identifiable natural person ("data subject").

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Personal data can only be processed under certain legal grounds, e.g. explicit consent of the data subject or a contractual obligation.

This vocabulary defines terms specific to the European General Data Protection Regulation (GDPR).

Terms for contact and address information are defined in the Communication vocabulary.

References

Terms

| Term | Type | Description |
| --- | --- | --- |
| EntitySemantics | EntitySemanticsType | Primary meaning of the entities in the annotated entity set |
| DataSubjectRole | String? | Role of the data subjects in this set (e.g. employee, customer). Values are application-specific. Can be a static value or a Path expression if the role varies per entity. |
| DataSubjectRoleDescription | String? | Language-dependent description of the role of the data subjects in this set (e.g. employee, customer). Values are application-specific. Can be a static value or a Path expression if the role varies per entity. |
| FieldSemantics | FieldSemanticsType | Primary meaning of the personal data contained in the annotated property. Changes to values of annotated properties are tracked in the audit log. Use this annotation also on fields that are already marked as contact or address data. |
| IsPotentiallyPersonal | Tag | Property contains potentially personal data. Personal data describes any information which is related to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by a reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Note: properties annotated with FieldSemantics need not be additionally annotated with this term. |
| IsPotentiallySensitive | Tag | Property contains potentially sensitive personal data. Sensitive personal data is a category of personal data that needs special handling. The determination of which personal data is sensitive may differ for different legal areas or industries. Examples of sensitive personal data: special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation; personal data subject to professional secrecy; personal data relating to criminal or administrative offences; personal data concerning insurances and bank or credit card accounts. |

EntitySemanticsType

Type: String

Primary meaning of the data contained in the annotated entity set

| Allowed Value | Description |
| --- | --- |
| DataSubject | Entities describing a data subject (an identified or identifiable natural person), e.g. customer, vendor, employee. These entities are relevant for audit logging. There are no restrictions on their structure. The properties should be annotated suitably with FieldSemantics. |
| DataSubjectDetails | Entities containing details about a data subject (an identified or identifiable natural person) but not representing data subjects by themselves, e.g. street addresses, email addresses, phone numbers. These entities are relevant for audit logging. There are no restrictions on their structure. The properties should be annotated suitably with FieldSemantics. |
| Other | Entities containing personal data or references to data subjects but not representing data subjects or data subject details by themselves, e.g. customer quote, customer order, purchase order with involved business partners. These entities are relevant for audit logging. There are no restrictions on their structure. The properties should be annotated suitably with FieldSemantics. |

FieldSemanticsType

Type: String

Primary meaning of a data field

| Allowed Value | Description |
| --- | --- |
| DataSubjectID | The unique identifier for a data subject |
| DataSubjectIDType (Experimental) | The type of ID identifying the data subject and which is allocated when creating a consent record, e.g. an e-mail address or a phone number. |
| ConsentID (Experimental) | The unique identifier for a consent. A consent is the action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent. |
| PurposeID (Experimental) | The unique identifier for the purpose of a processing of personal data. Any processing of personal data is based on specified, explicit, and legitimate purposes, and data are not further processed in a manner that is incompatible with those purposes. The purposes are defined by the data controller or joint data controllers. |
| ContractRelatedID | The unique identifier for transactional data that is related to a contract that requires processing of personal data. Examples: Sales Contract ID, Purchase Contract ID, Service Contract ID. |
| LegalEntityID (Deprecated) | Deprecated in favor of DataControllerID |
| UserID (Experimental) | The unique identifier of a user. A user is an individual who interacts with the services supplied by a system. |
| EndOfBusinessDate (Experimental) | Defines the end of active business and the start of residence time and retention period. End of business is the point in time when the processing of a set of personal data is no longer required for the active business, for example, when a contract is fulfilled. After this has been reached and a customer-defined residence period has passed, the data is blocked and can only be accessed by users with special authorizations (for example, tax auditors). All fields of type Edm.Date or Edm.DateTimeOffset on which the end of business determination depends should be annotated. |
| DataControllerID (Experimental) | The unique identifier of a data controller. The unique identifier of a legal entity which alone or jointly with others determines the purposes and means of the processing of personal data. The Data Controller is fully responsible (and accountable) that data protection and privacy principles (such as purpose limitation or data minimization), defined in the European General Data Protection Regulation (GDPR) or any other data protection legislation, are adhered to when processing personal data. The DataControllerID succeeds the LegalEntityID. |
| BlockingDate (Experimental) | Defines a date that marks when the provider of the data will block it. This is the point in time when the processing of a set of personal data is no longer required for the active business, for example, when a contract is fulfilled. After it has been reached, the data is blocked in the source and can only be displayed by users with special authorizations (for example, tax auditors); however, it is not allowed to create/change/copy/follow-up blocked data. Consumers of the data should consider if there is an additional purpose to process the data beyond the defined blocking date. |
| EndOfRetentionDate (Experimental) | Defines the date when the provider destroys the data. This date marks when the provider of the data can destroy it. Consumers of the data should consider if there is an additional purpose (or a legal hold) to process the data beyond the defined destruction date. |
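
The terms and allowed values above can be checked mechanically in a service's metadata. The following is an added example, not part of the vocabulary or its repository: it inventories PersonalData annotations in a CSDL XML document and flags values outside the two allowed-value tables as well as the deprecated LegalEntityID. The `demo` service, the `PD` alias, the reference URI and the `audit` function are assumptions made for illustration, and only annotations in `<Annotations Target="...">` elements are read.

```python
import xml.etree.ElementTree as ET

EDM = "{http://docs.oasis-open.org/odata/ns/edm}"
EDMX = "{http://docs.oasis-open.org/odata/ns/edmx}"
VOCAB = "com.sap.vocabularies.PersonalData.v1"
ALLOWED = {  # allowed values copied from the two tables on this page
    "EntitySemantics": {"DataSubject", "DataSubjectDetails", "Other"},
    "FieldSemantics": {"DataSubjectID", "DataSubjectIDType", "ConsentID", "PurposeID",
                       "ContractRelatedID", "LegalEntityID", "UserID", "EndOfBusinessDate",
                       "DataControllerID", "BlockingDate", "EndOfRetentionDate"},
}
# Constructed sample: annotation part of a hypothetical service "demo" (alias PD is assumed).
SAMPLE = """<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0">
<edmx:Reference Uri="https://example.invalid/PersonalData.xml">
<edmx:Include Namespace="com.sap.vocabularies.PersonalData.v1" Alias="PD"/></edmx:Reference>
<edmx:DataServices><Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="demo">
<Annotations Target="demo.Container/Customers">
  <Annotation Term="PD.EntitySemantics" String="DataSubject"/></Annotations>
<Annotations Target="demo.Customer/ID">
  <Annotation Term="PD.FieldSemantics" String="DataSubjectID"/></Annotations>
<Annotations Target="demo.Customer/Company">
  <Annotation Term="PD.FieldSemantics" String="LegalEntityID"/></Annotations>
<Annotations Target="demo.Customer/HealthNote">
  <Annotation Term="PD.IsPotentiallySensitive"/></Annotations>
<Annotations Target="demo.Container/Orders">
  <Annotation Term="PD.EntitySemantics" String="Transactional"/></Annotations>
</Schema></edmx:DataServices></edmx:Edmx>"""

def audit(csdl_text):
    """Return (inventory, findings) for PersonalData annotations in a CSDL XML document."""
    root = ET.fromstring(csdl_text)
    # The vocabulary may be referenced by its full namespace or by a per-document alias.
    prefixes = {VOCAB} | {i.get("Alias") for i in root.iter(EDMX + "Include")
                          if i.get("Namespace") == VOCAB and i.get("Alias")}
    inventory, findings = [], []
    for group in root.iter(EDM + "Annotations"):
        target = group.get("Target")
        for ann in group.findall(EDM + "Annotation"):
            prefix, _, term = ann.get("Term", "").rpartition(".")
            if prefix not in prefixes:
                continue  # annotation from another vocabulary
            # Value as attribute or child element; None for Tag terms and Path expressions.
            value = ann.get("String") or ann.findtext(EDM + "String")
            inventory.append((target, term, value))
            if term in ALLOWED and value not in ALLOWED[term]:
                findings.append((target, f"{term}: value {value!r} is not in the vocabulary"))
            elif value == "LegalEntityID":
                findings.append((target, "LegalEntityID is deprecated, use DataControllerID"))
    return inventory, findings
```

The inventory doubles as a list of the properties whose changes fall under audit logging. When the metadata comes from a third-party service, treat it as untrusted input and parse it with a hardened XML parser.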