Control ConsentEnforcement

Represents a process (usually implemented by software running on a Host) that can read, update or create data, or exchange data with other processes.

Processing and/or storage of Data by consent of the data subject DataSubject, by including a means for them to express consent via their interface to the system, maintaining an access control policy for Data based on their consent decisions, and enforcing the policy using an enforcement point in the data access path at Service.

Processing of special category data Data to protect vital interests must have the consent of the data subject DataSubject if they are in a position to make a consent decision. One must check their competence to make such a decision, and provide a consent interface to support this if they can. The data Data must then be protected by a policy managed according to their consent decision(s) and linked to their data, with an enforcement point at Service, the process accessing their data. If the subject cannot provide a consent decision, it is legal to proceed, so there should be a way to bypass the enforcement point only in that case via a break the glass protocol. Finally, access to the data must be logged (including use of this override).