Seppe Vansteelant: Does the model cover all the essential requirement of a consent?

[michaelgeamanu]

Een toestemming moet steeds een actieve handeling inhouden, goed geïnformeerd zijn, vrij gegeven en voldoende specifiek. Daarnaast moet de verwerkingsverantwoordelijke de toestemming steeds kunnen bewijzen en moet de toestemming even eenvoudig kunnen ingetrokken worden als hij verleend is. Ik zie niet al deze aspecten terugkomen in het applicatiemodel. Lijkt het jullie nuttig om deze hier nog in te verwerken?

[GeertThijs]

The aspects mentioned in above comment are present as data-elements in the model as follows:

• Giving Consent: modelled as an action intentionally executed by someone to have an effect (requested by the DataController, given by the DataSubject).
• Well informed: the PersonalDataHandling for which Consent is needed is well-documented by stating Purpose, Processing, DataSubject, DataController, PersonalData etc.
• Freely given: this is an implementation thing, eg the DataSubject should not be confronted with prechecked options.
• Specific: requested/given for a particular processing of the data (PersonalDataHandling) and only trhat one.
• Proof of Consent: by means of an instance of Consent provided by a Datasubject (an officially registered Person or Organisation).
• Consent withdrawal: "withdrawn" is a possible status of the Consent in the model, the rest is implementation.

So all data is there in the model to check the Consent requirements for a particular PersonalDataHandling. The check itself however (the procedure and its result) is not part of the datamodel, it has to be provided by the application.