Control ConsentManagement

Represents a class of data items that can be stored on Hosts, or processed and exchanged by Processes. Note that this asset represents the presence of data in the system. Physical copies of the data are represented by inferred assets linked with Processes that serve or use them, hosts where they are stored.

Processing and/or storage of Data by consent of the data subject DataSubject, by including a means for them to express consent via their interface to the system, maintaining an access control policy for Data based on their consent decisions, and enforcing the policy using an enforcement point in the data access path at Service.

Processing of special category data Data to protect vital interests must have the consent of the data subject DataSubject if they are in a position to make a consent decision. One must check their competence to make such a decision, and provide a consent interface to support this if they can. The data Data must then be protected by a policy managed according to their consent decision(s) and linked to their data, with an enforcement point at Service, the process accessing their data. If the subject cannot provide a consent decision, it is legal to proceed, so there should be a way to bypass the enforcement point only in that case via a break the glass protocol. Finally, access to the data must be logged (including use of this override).