Towards Evidence-Based Conceptual Modeling for International Data Protection Requirements

NEGRI RIBALTA, Claudia; Noel, Rene; SERGEEVA, Anastasia; LENZINI, Gabriele

doi:10.1109/REW66121.2025.00036

Download

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Towards Evidence-Based Conceptual Modeling for International Data Protection Requirements

NEGRI RIBALTA, Claudia; Noel, Rene; SERGEEVA, Anastasia et al.

2025 • In Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025

Peer reviewed

Permalink
https://hdl.handle.net/10993/66428

DOI
10.1109/REW66121.2025.00036

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

ESPRE_Camera_Ready-2.pdf

Author postprint (134.93 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

data protection; privacy; requirements; Regulatory requirements; Transborder data flow; requirements engineering

Abstract :

[en] Data protection regulations worldwide impose various regulatory requirements on organizations, some overlapping and some differing. Identifying and tracking these requirements is vital for transborder data flows and compliance. Data Protection Impact Assessments (DPIAs) help translate regulations into software specifications and organizational policies, but they often use vague legal language, leading to misunderstandings.Conceptual modeling may support a shared understanding of the domain. Ontologies and modeling methods could help bridge the understanding gap among professionals with different backgrounds in data protection, particularly in transnational realities. Developing these tools requires theoretical knowledge and input from legal practitioners. By identifying common principles and requirements across regulations, practitioners can identify specifications requiring attention for transborder data flows. OBI-PIA aims to tackle this through interdisciplinary research, proposing a regulatory data protection ontology and conceptual modeling method to guide the DPIAs discussion process.This paper presents a work-in-progress (WiP) based on interviews with legal practitioners worldwide. Preliminary results suggest that most regulations promote the OECD privacy principles, and specific requirements such as consent and the conceptualization of personal data. Inspired by the international relations literature, we propose categorizing regulatory data protection requirements into two groups: first-level (common requirements) and second-level (national, different) requirements as first step to star discussing DPIAs in transborder personal data flows. OBI-PIA should help practitioners identify requirements from each level, and discuss in interdiscplinary groups about compliance.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > IRiSC - Socio-Technical Cybersecurity

Disciplines :

Computer science

Author, co-author :

NEGRI RIBALTA, Claudia ; University of Luxembourg > Faculty of Humanities, Education and Social Sciences (FHSE) > Department of Behavioural and Cognitive Sciences (DBCS) > Cognitive Science and Assessment

Noel, Rene; Universidad de Valparaíso, Escuela de Ingeniería Informática, Valparaíso, Chile

SERGEEVA, Anastasia ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC

LENZINI, Gabriele ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC

External co-authors :

yes

Language :

English

Title :

Towards Evidence-Based Conceptual Modeling for International Data Protection Requirements

Publication date :

2025

Event name :

2025 IEEE 33rd International Requirements Engineering Conference Workshops (REW)

Event place :

Valencia, Esp

Event date :

01-09-2025 => 05-09-2025

Audience :

International

Main work title :

Proceedings - 2025 IEEE 33rd International Requirements Engineering Conference Workshops, REW 2025

Publisher :

Institute of Electrical and Electronics Engineers Inc.

ISBN/EAN :

9798331538347

Peer reviewed :

Peer reviewed

Additional URL :

http://xplorestaging.ieee.org/ielx8/11190089/11189997/11190104.pdf?arnumber=11190104

European Projects :

HE - 101081455 - YIA - Young International Academics Postdoctoral Programme

Funders :

European Union

Funding text :

This project has received funding from the European Union's Horizon 2020 research and innovation programme under the Marie Sk\u0142odowska-Curie Actions grant agreement 101081455 and by grant ANID/FONDECYT/INICIACION/11251489.

Available on ORBilu :

since 20 November 2025

Statistics

Number of views

6 (2 by Unilu)

Number of downloads

6 (0 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

Bibliography

R. Gellert and S. Gutwirth, "The legal construction of privacy and data protection," Computer Law & Security Review, vol. 29, no. 5, pp. 522-530, 2013.
T. Breaux and T. Norton, "Legal accountability as software quality: A u.s. data processing perspective," in International Requirements Engineering Conference (RE). IEEE, 2022.
T. D. Breaux and A. I. Antón, "A systematic method for acquiring regulatory requirements: A frame-based approach," RHAS-6, Delhi, India, 2007.
T. Breaux and A. Antón, "Analyzing regulatory rules for privacy and security requirements," IEEE transactions on software engineering, vol. 34, no. 1, pp. 5-20, 2008.
I. Hadar, T. Hasson, O. Ayalon, E. Toch, M. Birnhack, S. Sherman, and A. Balissa, "Privacy by designers: Software developers' privacy mindset," Empirical Software Engineering, vol. 23, no. 1, pp. 259-289, 2018.
C. Negri-Ribalta, R. Noel, O. Pastor, and C. Salinesi, "An empirical study on socio-technical modeling for interdisciplinary privacy requirements," in CooppIS. Springer, 2023.
F. Casalini, J. Lopez-Gonzalez, and T. Nemoto, "Mapping commonalities in regulatory approaches to cross-border data transfers," OECD Trade Policy Papers, no. 248, 05 2021.
O. for Economic Co-Operation and Development, "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data," Tech. Rep., 1980.
O. Babalola, "Transborder flow of personal data (tdf) in africa: Stocktaking the ills and gains of a divergently regulated business mechanism," Computer Law & Security Review, vol. 52, p. 105940, 2024. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0267364924000074
O. for Economic Co-operation and Development, "Report on the implementation of the oecd privacy guideline," 2023.
Cross-border data flows: Taking stock of key policies and initiative," 2022.
D. J. Solove, "A taxonomy of privacy," University of Pennsylvania law review, 2006.
G. G. Fuster, The emergence of personal data protection as a fundamental right of the EU. Springer Science & Business, 2014, vol. 16.
P. Jurcys, M. C. Compagnucci, and M. Fenwick, "The future of international data transfers: Managing legal risk with a 'user-held'data model," Computer Law & Security Review, vol. 46, p. 105691, 2022.
L. A. Bygrave, "The 'strasbourg effect'on data protection in light of the 'brussels effect': Logic, mechanics and prospects," Computer law & security review, vol. 40, p. 105460, 2021.
A. Mattoo and J. P. Meltzer, "International data flows and privacy: The conflict and its resolution," Journal of International Economic Law, vol. 21, no. 4, pp. 769-789, 12 2018. [Online]. Available: https://doi.org/10.1093/jiel/jgy044
O. for Economic Co-operation and Development, "Oecd declaration on transborder data flows," 1985.
Oecd guidelines on the protection of privacy and transborder flows of personal data," 2002.
E. J. Novotny, "Transborder data flow regulation: Technical issue of legal concern," Computer/LJ, vol. 3, p. 105, 1981.
G. B. Herwanto, F. J. Ekaputra, G. Quirchmayr, and A. M. Tjoa, "Towards a holistic privacy requirements engineering process: Insights from a systematic literature review," IEEE Access, 2024.
C. Negri-Ribalta, M. Lombard-Platet, and C. Salinesi, "Understanding the gdpr from a requirements engineering perspective-a systematic mapping study on regulatory data protection requirements," Requirements Engineering, pp. 1-27, 2024.
M. Gharib, P. Giorgini, and J. Mylopoulos, "Ontologies for privacy requirements engineering: A systematic literature review," arXiv preprint arXiv:1611.10097, 2016.
G. Guizzardi and N. Guarino, "Explanation, semantics, and ontology," Data & Knowledge Engineering, p. 102325, 2024.
M. Glinz and S. A. Fricker, "On shared understanding in software engineering: An essay," Computer Science-Research and Development, vol. 30, pp. 363-376, 2015.
C. Kalloniatis, E. Kavakli, and S. Gritzalis, "Addressing privacy requirements in system design: The pris method," Requirements Engineering, vol. 13, no. 3, pp. 241-255, 2008.
B. Esteves and V. Rodríguez-Doncel, "Analysis of ontologies and policy languages to represent information flows in gdpr," Semantic Web, vol. 15, no. 3, pp. 709-743, 2024.
M. Robol, M. Salnitri, and P. Giorgini, "Toward gdpr-compliant socio-technical systems: Modeling language and reasoning framework," in IFIP Working Conference on The Practice of Enterprise Modeling. Springer, 2017, pp. 236-250.
S. Agostinelli, F. M. Maggi, A. Marrella, and F. Sapio, "Achieving gdpr compliance of bpmn process models," in Information Systems Engineering in Responsible Information Systems: CAiSE Forum 2019, Rome, Italy, Proceedings 31. Springer, 2019.
D. Torre, M. Alferez, G. Soltana, M. Sabetzadeh, and L. Briand, "Modeling data protection and privacy: Application and experience with gdpr," Software and Systems Modeling, vol. 20, pp. 2071-2087, 2021.
S. Sheth, G. Kaiser, and W. Maalej, "Us and them: A study of privacy requirements across north america, asia, and europe," in Proceedings of the 36th International Conference on Software Engineering, ser. ICSE 2014. New York, NY, USA: Association for Computing Machinery, 2014, p. 859-870.
D. Damian and J. Chisan, "An empirical study of the complex relationships between requirements engineering processes and other processes that lead to payoffs in productivity, quality, and risk management," IEEE Trans. Software Eng., vol. 32, pp. 433-453, 07 2006.
R. J. Wieringa, Design science methodology for information systems and software engineering. Berlin, Heidelberg: Springer, 2014.
N. Visic, H.-G. Fill, R. A. Buchmann, and D. Karagiannis, "A domainspecific language for modeling method definition: From requirements to grammar," in 2015 IEEE 9th International Conference on Research Challenges in Information Science (RCIS). IEEE, 2015, pp. 286-297.
H.-G. Fill and D. Karagiannis, "On the conceptualisation of modelling methods using the adoxx meta modelling platform," Enterprise Modelling and Information Systems Architectures, vol. 8, no. 1, pp. 4-25, 2013.
K. Pohl and C. Rupp, Requirements Engineering Fundamentals: A Study Guide for the Certified Professional for Requirements Engineering Exam-Foundation Level-IREB Compliant, ser. Rocky Nook computing. Rocky Nook, 2015.
P. Chynoweth et al., "Legal research," Advanced research methods in the built environment, vol. 1, 2008.
S. T. Fife and J. D. Gossner, "Deductive qualitative analysis: Evaluating, expanding, and refining theory," International Journal of Qualitative Methods, vol. 23, p. 16094069241244856, 2024.
E. R. Babbie, The practice of social research. Cengage learning, 2020.
M. Hennink and B. N. Kaiser, "Sample sizes for saturation in qualitative research: A systematic review of empirical tests," Social science & medicine, vol. 292, p. 114523, 2022.
G. Guest, E. Namey, and M. Chen, "A simple method to assess and report thematic saturation in qualitative research," PloS one, vol. 15, no. 5, p. e0232076, 2020.
Z. Racheva, M. Daneva, K. Sikkel, A. Herrmann, and R. Wieringa, "Do we know enough about requirements prioritization in agile projects: Insights from a case study," in 2010 18th IEEE International Requirements Engineering Conference, 2010, pp. 147-156.
G. Guizzardi, "Ontological foundations for structural conceptual models," 2005.
C. Griffo, J. P. A. Almeida, and G. Guizzardi, "Conceptual modeling of legal relations," in Conceptual Modeling: 37th International Conference, ER 2018. Springer, 2018.
C. Houy, P. Fettke, and P. Loos, "Understanding understandability of conceptual models-what are we actually talking about" in Conceptual Modeling: 31st International Conference ER 2012, Florence, Italy, October 15-18, 2012. Proceedings 31. Springer, 2012.
R. Velasquez, C. Negri-Ribalta, R. Noel, and O. Pastor, "Exploring understandability in socio-technical models for data protection analysis: Results from a focus group," in International Conference on Conceptual Modeling. Springer, 2023, pp. 263-273.
B. Henderson-Sellers, J. Ralyté, P. J. A gerfalk, and M. Rossi, "Situational method engineering," 2014.
F. Dalpiaz, E. Paja, and P. Giorgini, Security requirements engineering: Designing secure socio-technical systems, Cambridge, Massachusetts, 2016.
A. D. P. W. PARTY, "Guidelines on data protection impact assessment (dpia) and determining whether processing is "likely to result in a high risk" for the purposes of regulation 2016/679," 2017. [Online]. Available: https://ec.europa.eu/newsroom/article29/items/611236
R. D. Putnam, "Diplomacy and domestic politics: The logic of two-level games," in International organization. Routledge, 2017, pp. 437-470.
L. Ortiz Mesías and P. Viollier, "Repensando el derecho al olvido y la necesidad de su consagracíon legal en chile," Revista Chilena de Derecho y Tecnología, vol. 10, no. 1, p. pp. 77-109, jun. 2021.