Threat P.GDPR.HuDPoS-i.6

URI: P.GDPR.HuDPoS-i.6

Package: GDPR

Description: Lack of legal basis for use of Data related to DataSubject by Process: since the data is related to a person DataSubject who is a citizen of or resident in a state where the GDPR applies, a legal basis is required to process the data. Since DataSubject controls the device where the data is stored, the basis can only be consent or, if the data subject is incapacitated, protection of vital interests.

Threat Type: Primary Threat

Matching Pattern:

P.GDPR.HuDPoS-i.6
MP-HuDPoS-i

Finds Stakeholder operating a Process that is using Data relating to a Human data subject via a controlling Service, where the subject operates the Service but not the Process.

        (empty)

        (empty)

        CSG-GDPRAtSubject

        (empty)

CSG-GDPR-Art6-1-a-p

Processing of Data by consent of the data subject DataSubject, where they have control over the device SHost providing the data, and so can enforce restrictions consistent with their own consent decisions. It is still necessary to have a consent interface, but policy enforcement is up to the data subject.

CSG-GDPR-Art6-1-d-p

Processing of Data under GDPR Art 6.1d (protection of vital interests). The Vital Interests control means that process Process has been analysed by the relevant experts, and that the case for considering it necessary to protect the vital interests of the data subject or another natural person has been documented.