Creating constraints for given consent
We used the competency questions for consent from GConsent (see Table 1) as the starting point for creating constraints that test the validity of consent.
ID | Question | Concepts | Properties | Comment |
---|---|---|---|---|
Questions about consent | ||||
C1 | Who is the consent about? | DataSubject | isConsentForDataSubject | Specifies the Data Subject. |
C2 | What type of Personal Data are associated with the Consent? | PersonalData | forPersonalData | Relates to the set of Personal Data. |
C3 | What type of Purposes are associated with the Consent? | Purpose | forPurpose | Specifies the set of Purposes. |
C4 | What type of Processing are associated with the Consent? | Processing | forProcessing | Specifies the set of Processing (actions or activities). |
C5 | What is the Status of Consent? | Status | hasStatus | Specifies the status of consent. |
C6 | Is the current status valid for processing? | StatusValidForProcessing, StatusInvalidForProcessing | hasStatus | Specifies whether the current status is valid for use in processing. |
C7 | Who is the consent given to? | prov:Person, DataController | isProvidedTo | Specifies the entity that was provided consent. |
Questions about how the consent was created/given/acquired/changed/invalidated | ||||
P1 | Who created/gave/acquired/invalidated the consent? | DataSubject, Delegation | isProvidedBy | Specifies the Data Subject or Delegation that gave consent. |
P2 | If consent was created/given/acquired/invalidated through Delegation, who acted as the Delegate? | prov:Person, Delegation | prov:agent | Specifies the entity that provided consent in a delegation. |
P3 | If consent was created/given/acquired/invalidated through Delegation, what was the role played by the Delegate? | prov:Role | prov:hadRole | Specifies the role played by the entity that gave consent in a delegation. |
P4 | If consent was created/given/acquired/invalidated through Delegation, how was the delegation executed? | prov:Activity | prov:hadActivity | Specifies the activity that provided consent in a delegation. |
Questions about the context of how consent was created/given/acquired/invalidated | ||||
T1 | What is the location associated with consent? | prov:Location | atLocation | Specifies the location where consent was created/generated/given/collected. |
T2 | What is the medium associated with consent? | Medium | inMedium | Specifies the medium through which consent was created/generated/given/collected. |
T3 | What is the timestamp associated with the consent? | time:Instant | atTime | Specifies the instant in time when consent was created/generated/given/collected. |
T4 | What is the expiry of the consent? | time:TemporalEntity | hasExpiry | Specifies the expiry of consent as an instant or duration or time period. |
T5 | How was the consent acquired/changed/created/invalidated? | prov:Activity | prov:generated, prov:invalidated | Specifies the activity that was responsible for the consent instance. |
T6 | What artefacts were shown when consent was acquired/changed/created/invalidated? | prov:Entity | prov:used | Specifies artefacts or entities associated with the consent. |
Questions related to Third Party associated with the consent | ||||
D1 | Is the purpose or processing associated with a third party? | Association, ThirdParty | hasAssociation, prov:agent | Specifies any third parties associated with the purposes or processing for the consent. |
D2 | What is the role played by the third party in the purpose or processing? | Role | prov:hadRole | Specifies roles played by the third parties associated with the purposes or processing for the consent. |
We then constructed the constraints and assumptions listed in Table 2.
Competency Question | GDPR Ref. | Comment | Type | Assumption/Constraints | Failing Test Cases |
---|---|---|---|---|---|
Who is the Data Subject associated with consent? | A4-11 | Data Subject | Constraint | Every consent must be associated with only one Data Subject | Consent is not associated with any Data Subject |
| | | | | Consent is associated with more than one Data Subject |
What are the Personal Data associated with consent? | R32, A4-11 | Personal Data | Constraint | Every consent must have one or more categories or types of personal data associated with it | Consent has no personal data associated with it |
| | | Assumption | If there are multiple categories of personal data, consent is granted for all (union) of them | |
What are the Purposes associated with consent? | R32, R42 | Purpose | Constraint | Every consent must have one or more purposes associated with it | Consent has no purposes associated with it |
| | | Assumption | If a consent is given for multiple purposes, consent is considered given for all (union) of them | |
What are the Data Processing associated with consent? | R32, A4-11 | Processing | Constraint | Every consent must have one or more processing associated with it | Consent has no processing associated with it |
| | | Assumption | If a consent is given for multiple processing, consent is considered given for all (union) of them | |
What is the current Status of consent? | A7-3 | Status | Constraint | Every consent must have one and only one state/status | Consent does not have state/status |
| | | | | Consent has multiple states/statuses |
| | | Assumption | Valid statuses of consent are when it is given (explicitly or implicitly) by the data subject, or by delegation | |
| | | Assumption | Invalid statuses of consent are when its status is unknown, refused, not offered, withdrawn, invalidated, terminated, or expired | |
| | | Assumption | The status of consent indicates whether it can be used as a legal basis for processing | |
Who are the Data Controllers associated with consent? | | Agent/Controller | Constraint | Every consent must be associated with one or more Controllers | Consent is not associated with any Controllers |
Who provided consent? | A7-2 | Agent | Constraint | Consent is given by exactly one Person | Consent has no information on who provided it |
| | | | | Consent was provided by more than one person, such as in case of delegation |
| | | Assumption | Consent provided by a Person that is not the Data Subject is consent by Delegation | |
Was consent provided by Delegation? | A8-c | Person/DataSubject/Delegate (covers parent->child) | Constraint | Consent provided by delegation must be clearly specified as such | Consent provided by delegation is not clearly specified as such (person providing consent is different from data subject) |
| | | Assumption | A delegation can involve another delegation for the provision of consent | |
| | | Constraint | Consent provided by delegation must have a single chain of delegation | Consent or delegation has multiple delegations associated (directly) with it |
| | | | | Consent or delegation has no delegates (person who provided consent) |
| | | | | Consent or delegation has multiple delegates (person who provided consent) |
If consent was provided by Delegation, what was the role played by the Delegate with respect to the Data Subject? | | Delegate -- role --> Data Subject | Constraint | Delegate in a consent has to play one or more roles that are associated with the Data Subject | Delegate has no specified role |
| | | | | Delegate has multiple roles |
If consent was provided by Delegation, how was the delegation executed? | | Activity | Constraint | Every delegation must have information on how it was executed | Delegation has no information on how it was executed |
| | | | | Delegation has multiple executions associated with it |
If consent was provided by Delegation, how was the delegate authenticated? | A8-2 | Activity | Constraint | A delegate must be authenticated to act on behalf of the data subject in a delegation | The delegation has no information on how the delegate was authenticated to act on behalf of the data subject |
Who was the consent given to? | | Agent | Constraint | Every consent must have information on who it was provided to | Consent has no information on who it was provided to |
| | | Assumption | If consent is provided to an actor who is not the data controller associated with the consent, the actor is considered to be acting on behalf of the controller | |
If consent was not given to the Data Controller, what is the relationship between the entity it was provided to and the Data Controller? | | | Constraint | An entity collecting consent on behalf of the Data Controller must have information on the relationship | There is no information on the relationship between the entity collecting consent and the Data Controller |
How was the consent given/obtained? | | Activity | Constraint | Every given consent must have information on how it was obtained | Consent has no information on how it was obtained |
| | | | | Consent has multiple activities for how it was obtained |
What artefacts were involved in the giving/obtaining of consent? | | Entity | Constraint | Every consent must have some artefacts associated with how it was given/obtained | Consent has no artefacts associated with how it was given/obtained |
What were the choices provided for consent? | | Entity | Constraint | Every consent must have information on what choices were provided to the data subject | Consent has no information on what choices were provided to the data subject |
What was the statement or affirmative action indicating given consent? | | Entity | Constraint | Every consent must have a statement or affirmative action indicating given consent | Consent does not have a statement or affirmative action indicating given consent |
How was the right to withdraw consent communicated to the data subject? | | Entity or Activity | Constraint | Every consent must have information on how the right to withdraw was communicated | Consent does not have information on how the right to withdraw was communicated |
At what location was the consent given? | | Location | Assumption | Specifying location for obtained consent is optional | |
| | | Constraint | Consent must not have more than one location it was provided at | Consent has multiple locations associated with it |
What is the medium associated with consent? | R32, A7-2 | Medium | Assumption | Specifying medium for obtained consent is optional | |
| | | Constraint | Consent must not have more than one medium it was provided in | Consent has multiple mediums associated with it |
What is the timestamp associated with the consent? | | Timestamp | Constraint | Every consent must have a timestamp indicating when it was given/obtained | Consent has no timestamps for when it was given/obtained |
| | | | | Consent has multiple timestamps for when it was given/obtained |
What is the expiry of the consent? | | Timestamp or Duration or Event or Condition | Assumption | Consent may not have a tangible expiry | |
| | | Assumption | Consent may have multiple forms of expiry depending on conditions or events | |
Is the purpose or processing associated with a third party? | | Third Party | Assumption | A purpose or processing may be associated with zero or more third parties | |
What is the role played by the third party in the purpose or processing? | | Third Party --role--> Processing/Purpose | Constraint | Every purpose or processing associated with a Third Party must have information on the role played by the Third Party | Purpose or Processing associated with a Third Party has no information on the role played by the Third Party |
Does the processing of data involve storage of data? | | Storage | Assumption | Processing of data may involve storage of data | |
If personal data is being stored, what is the duration of storage for Personal Data? | | Storage duration | Assumption | Different personal data, processing, or purposes may have different data storage | |
| | | Constraint | If data is being stored, there must be information on how long it will be stored for | Storage of data has no information about how long it will be stored for |
| | | Assumption | Storage duration may not be a tangible instant in time; it can depend on conditions or events | |
If personal data is being stored, what is the location of storage? | | Location | Constraint | Every storage of data must have information on its storage location | Storage of data has no information about storage location |
Is the processing associated with consent of an automated nature? | R71, A9-2c, A22-2c | boolean (yes/no) | Constraint | Processing of personal data which is of an automated nature must be clearly indicated as such | Processing of personal data of an automated nature is not indicated as such |
Does the processing of data involve transfer to a Third Country or International Organisation? | R111, A49-1a | | Assumption | Processing may involve transfer of data to a third country or international organisation | |
If processing of data involves transfer to a Third Country or International Organisation, what is the identity of the Third Country or International Organisation? | | | Constraint | Every processing of data involving transfer to a third country or international organisation must have the identity of the third country or international organisation specified | Processing of personal data involving transfer to a third country or international organisation does not have the identity of the third country or international organisation specified |
Do the personal data associated with consent belong to a special category? | R51, A8-2a | Special Category of Personal Data | Assumption | Personal data associated with consent may belong to a special category | |
| | | Constraint | Every personal data belonging to a special category must be clearly indicated as such | Personal data belonging to a special category are not indicated as such |
How is personal data associated or linked to the data subject? | | | Constraint | Every personal data must have information on one or more identifiers that link it to a particular data subject | There is no information on how personal data is linked to the data subject |
Is the Data Subject of legal age to provide their own consent? | A8 | Minor | Assumption | A data subject may be a minor or a child | |
| | | Constraint | A data subject who is not of legal age to provide their own consent must be clearly indicated as such | A data subject who is not of legal age to provide their own consent is not clearly indicated as such |
What are the specific laws that determine the legal age to provide consent? | A8-1 | (i) age (ii) relevant law | Constraint | There must be information on the relevant laws that determine the legal age of consent | There is no information on the relevant laws that determine the age of consent |
Does the Data Subject have a specific relationship with the Data Controller? | R43 | | Assumption | The data subject may have a relationship of relevance with the Data Controller | |
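As an added example (not part of GConsent or the text above), the following Python encodes the cardinality and delegation constraints of Table 2 as checks over a consent record stored as plain (subject, predicate, object) triples, and answers C6 of Table 1 by combining those checks with the status assumptions. The property names are those of Table 1; the `gc:` and `ex:` prefixes, the status individuals and the two sample records are constructed for the example.

```python
"""Checks a consent record against the Table 2 constraints. Added example, not GConsent's own code: a graph
is a set of (s, p, o) triples with prefixed names; properties follow Table 1, the rest is constructed."""
# Statuses that the Table 2 assumptions treat as valid for processing (C6); any other status is not.
VALID_STATUS = {"gc:StatusExplicitlyGiven", "gc:StatusImplicitlyGiven", "gc:StatusGivenByDelegation"}
# (property, min, max, failing test case when too few, failing test case when too many); None = unbounded
CARDINALITY = [
    ("gc:isConsentForDataSubject", 1, 1, "Consent is not associated with any Data Subject",
     "Consent is associated with more than one Data Subject"),
    ("gc:forPersonalData", 1, None, "Consent has no personal data associated with it", None),
    ("gc:forPurpose", 1, None, "Consent has no purposes associated with it", None),
    ("gc:forProcessing", 1, None, "Consent has no processing associated with it", None),
    ("gc:hasStatus", 1, 1, "Consent does not have state/status", "Consent has multiple states/statuses"),
    ("gc:isProvidedBy", 1, 1, "Consent has no information on who provided it",
     "Consent was provided by more than one person"),
    ("gc:isProvidedTo", 1, None, "Consent has no information on who it was provided to", None),
    ("gc:atTime", 1, 1, "Consent has no timestamps for when it was given/obtained",
     "Consent has multiple timestamps for when it was given/obtained"),
    ("gc:atLocation", 0, 1, None, "Consent has multiple locations associated with it"),
]

def objects(graph, subject, predicate):  # all o such that (subject, predicate, o) is in the graph
    return {o for s, p, o in graph if s == subject and p == predicate}

def validate_consent(graph, consent):
    """Return the Table 2 failing test cases that apply to `consent`; an empty list means it passes."""
    failures = []
    for prop, lo, hi, too_few, too_many in CARDINALITY:
        n = len(objects(graph, consent, prop))
        if n < lo or (hi is not None and n > hi):
            failures.append(too_few if n < lo else too_many)
    # A provider who is not the Data Subject is consent by delegation and must be recorded as a gc:Delegation.
    subjects = objects(graph, consent, "gc:isConsentForDataSubject")
    for provider in objects(graph, consent, "gc:isProvidedBy"):
        if provider not in subjects and "gc:Delegation" not in objects(graph, provider, "rdf:type"):
            failures.append("Consent provided by delegation is not clearly specified as such")
    return failures

def status_valid_for_processing(graph, consent):
    """C6: consent is a usable legal basis only if it passes Table 2 and its single status is a valid one."""
    return not validate_consent(graph, consent) and objects(graph, consent, "gc:hasStatus") <= VALID_STATUS

def sample(cid, subject, provider, statuses, when):
    """Constructed consent record for `cid`; pass when=None to leave out the timestamp."""
    return {(cid, "gc:isConsentForDataSubject", subject), (cid, "gc:isProvidedBy", provider),
            (cid, "gc:forPersonalData", "ex:email"), (cid, "gc:forPurpose", "ex:newsletter"),
            (cid, "gc:forProcessing", "ex:storage"), (cid, "gc:isProvidedTo", "ex:controller"),
            *((cid, "gc:hasStatus", s) for s in statuses), *([(cid, "gc:atTime", when)] if when else [])}
# c1 is well formed; c2 was given by a parent with no gc:Delegation record, carries two statuses and no timestamp.
GOOD = sample("ex:c1", "ex:alice", "ex:alice", ["gc:StatusExplicitlyGiven"], "2018-05-25T09:00:00Z")
BAD = sample("ex:c2", "ex:child", "ex:parent", ["gc:StatusExplicitlyGiven", "gc:StatusWithdrawn"], None)
```

Running `validate_consent(BAD, "ex:c2")` lists the three Table 2 failing test cases that record triggers, while a withdrawn but otherwise complete consent passes `validate_consent` and is still rejected by `status_valid_for_processing`.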
We added additional qualitative constraints for validity of consent, as listed in Table 3.
Criteria | GDPR |
---|---|
Consent should be by choice | |
Consent should have statement of clear action | A4-11 |
Consent should be freely given | A4-11 |
Consent should be specific | A4-11 |
Consent should be unambiguous | A4-11 |
Consent should be as easy to withdraw as it is to give | A7-3 |
Information about withdrawal of consent should be provided before giving consent | A7-3 |
Consent should not be by inactivity | R32 |
Consent should not be by pre-ticked boxes | R32 |
Consent should not be by silence | R32 |
Consent should have a clear request | R32 |
Consent should have a concise request | R32 |
Consent should have a non-disruptive request | R32 |
Consent should have separation of processing | R43 |