Control LegalCompetenceCheck

An individual user role within the socio-technical system that uses and/or manages assets.

Processing of personal data by consent is legal if the subject DataSubject is old enough (16+ or a lower limit in some states). The user interface for role DataSubject should include measures to ensure this. Competence Check represents a check whether DataSubject is old enough to provide consent, Guardian Consent signifies that reasonable efforts must be made to get authorisation from their legal guardian where this proves not to be the case.

Processing of special category data Data to protect vital interests must have the consent of the data subject DataSubject if they are in a position to make a consent decision. One must check their competence to make such a decision, and provide a consent interface to support this if they can. The data Data must then be protected by a policy managed according to their consent decision(s) and linked to their data, with an enforcement point at Service, the process accessing their data. If the subject cannot provide a consent decision, it is legal to proceed, so there should be a way to bypass the enforcement point only in that case via a break the glass protocol. Finally, access to the data must be logged (including use of this override).

Processing of special category data Data to protect vital interests must have the consent of the data subject DataSubject if they are in a position to make a consent decision. One must check their competence to make such a decision, and provide an interface that explains the purpose of processing. Enforcement can be handled by the DataSubject if they control the storage device, consent being inferred if they allow access. If they are not able to provide a consent decision, it is legal to take their device and access it outside their control.