In order to automate audit logging, personal data management, and data retention management as much as possible, the first and frequently only task to do as an application developer is to identify entities and elements (potentially) holding personal data using @PersonalData annotations.
So, let's annotate the data model to identify personal data. In essence, in all our entities we search for elements which carry personal data, such as person names, birth dates, etc., and tag them accordingly. All found entities are classified as either Data Subjects, Subject Details or Related Data Objects.
The entity-level annotation @PersonalData.EntitySemantics signifies relevant entities as Data Subject, Data Subject Details, or Other in data privacy terms, as depicted in the following graphic.
The following table provides some further details.
The entities of this set describe a data subject (an identified or identifiable natural person), for example, Customer or Vendor.
The entities of this set contain details of a data subject (an identified or identifiable natural person) but do not by themselves identify/describe a data subject, for example, Addresses.
Entities containing personal data or references to data subjects, but not representing data subjects or data subject details by themselves. For example, customer quote, customer order, or purchase order with involved business partners. These entities are relevant for audit logging. There are no restrictions on their structure. The properties should be annotated suitably with FieldSemantics.
Can be added to @PersonalData.EntitySemantics: 'DataSubject'. It's a user-chosen string specifying the role name to use. If omitted, the default is the entity name. Use case is similar to providing user-friendly labels for the UI, although in this case there's no i18n.
In our model, we can add the DataSubjectRole as follows:
Use this annotation to identify data subject's unique key, or a reference to it. References are commonly associations or foreign keys in subject details entities, or related ones, referring to a subject entity.
Each @PersonalData entity needs to identify a the DataSubjectID element.
For entities with DataSubject semantics, this is typically the primary key.
For entities with DataSubjectDetails or Other semantics, this is usually an association to the data subject.