Threat P.GDPR.Hu-aDPoS-i.8

URI: P.GDPR.Hu-aDPoS-i.8

Package: GDPR

Description: Extra measures are needed for Process to use Data related to DataSubject who may be a child: the legal basis for this data processing under the GDPR is consent, but the subject DataSubject may be a child, so additional measures are necessary for their consent to be valid. If DataSubject cannot be a child, then change them from type Human to type Adult to eliminate this threat.

Threat Type: Primary Threat

Matching Pattern:

P.GDPR.Hu-aDPoS-i.8
MP-Hu-aDPoS-i

Finds Stakeholder operating a Process that is using Data relating to a Human data subject who may be a child via a controlling Service, where the subject operates the Service but not the Process.

        (empty)

        (empty)

        CSG-GDPR-Art6-1-a-p

        (empty)

CSG-GDPR-Art8-2

Processing of personal data by consent is legal if the subject DataSubject is old enough (16+ or a lower limit in some states). The user interface for role DataSubject should include measures to ensure this. Competence Check represents a check of whether DataSubject is old enough to provide consent; Guardian Consent signifies that reasonable efforts must be made to get authorisation from their legal guardian where this proves not to be the case.