GConsent - A Consent Ontology based on the GDPR Harshvardhan J. Pandit, Christophe Debruyne, Declan O’Sullivan, and Dave Lewis ADAPT Centre, Trinity College Dublin, Dublin, Ireland {pandith|debruync|declan.osullivan|dave.lewis}@tcd.ie Abstract. Consent is an important legal basis for the processing of personal data under the General Data Protection Regulation (GDPR), which is the current European data protection law. GPDR provides con- straints and obligations on the validity of consent, and provides data sub- jects with the right to withdraw their consent at any time. Determining and demonstrating compliance to these obligations require information on how the consent was obtained, used, and changed over time. Existing work demonstrates feasibility of semantic web technologies in modelling information and determining compliance for GDPR. Although these ad- dress consent, they currently do not model all the information associated with it. In this paper, we address this by first presenting our analy- sis of information associated with consent under the GDPR. We then present GConsent, an OWL2-DL ontology for representation of consent and its associated information such as provenance. The paper presents the methodology used in the creation and validation of the ontology as well as an example use-case demonstrating its applicability. The ontology and this paper can be accessed online at https://w3id.org/GConsent. Keywords: consent · GDPR · regulatory compliance · OWL2-DL on- tology 1 Introduction The General Data Protection Regulation (GDPR) [19] is the current European data protection law, which affects any service or organisation that uses personal data, and uses large fines to deter non-compliance. Consent is one of the legal basis for processing of personal data under the GDPR (Rec.40, Art.6) 1 , and is considered valid only when it is freely given, specific, informed, and unam- biguous (Rec.32, Art.2-11); and in the case of minors should be given by their legal guardian (Art.8). GDPR also provides rights regarding changing and with- drawing consent at any time (Art.7-3). To demonstrate compliance with these conditions and obligations of the GDPR, Data Controllers, which are the organ- isations responsible for deciding how personal data is collected and processed 1 This is a form of legal notation to denote Recitals (Rec) or Articles (Art) in legal text. These are hyperlinked to where they occur in GDPR using GDPRtEXT [14]