### Scenario 2 - Data Subject agrees with the Data Controller consent term, but then revoke his/her consent.

#### Set consent term.

The Data Subject Paulo allows the Data Controller Fiocruz to access, store, and process his personal data and his health data with the purpose to perform research regarding genetic factors related to COVID-19 using statistical analysis for 180 days.
<p>The Data Controller is allowed to share the Data Subject data only with the vaccination priorization purpose.</p>
<p>To do any request, please use the Data Controller communication channel by email lgpd@fiocruz.br.</p>
<p>PS: The Data Controllers must inform in any case if they are processing the personal data, if requested. </p>


In [1]:
dataSubject(paulo).



In [2]:
dataController(fiocruz).



In [3]:
personalData(paulo,976635869).



In [4]:
healthData(paulo, oPlus).



In [5]:
purpose(fiocruz,paulo,research).



In [6]:
specificPurpose(fiocruz,paulo,research,'genetic_factors_related_to_COVID-19').



In [7]:
form(fiocruz,paulo,research,'genetic_factors_related_to_COVID-19','statistic_analysis').



In [8]:
timeLength(fiocruz,paulo,research,'genetic_factors_related_to_COVID-19',180).



In [9]:
thirdyPartySharingPurpose(fiocruz,paulo,research,'genetic_factors_related_to_COVID-19',180,'vaccination_priorization').



In [10]:
channelToProvideInformation(fiocruz,paulo,'e-mail','lgpd@fiocruz.br').



In [11]:
dsRight(processingConfirmation,dataSubject(paulo),dataController(fiocruz)).



Data Subject agrees with the Data Controller consent term.

First, the Data Subject verifies if all the crutial elements are described in the consent term present by the Data Controller

In [12]:
checkConsentTerm(dataController(DC),
				dataSubject(DS),
				purpose(DC,Purpose),
				SpecificPurpose,
				Form,
				TimeLength,
				ThirdPartyPurpose,
				Channel,
				DCContact) :-
	(
		form(DC,DS,Purpose,SpecificPurpose,Form),
		timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength),
		thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,TimeLength,ThirdPartyPurpose),
		channelToProvideInformation(DC,DS,Channel,DCContact),
		purpose(DC,DS,Purpose),
		specificPurpose(DC,DS,Purpose,SpecificPurpose),
		assertz(consentTermOk(dataController(DC),dataSubject(DS)))
	).



In [13]:
?- checkConsentTerm(dataController(fiocruz),dataSubject(paulo),purpose(fiocruz,research),
'genetic_factors_related_to_COVID-19','statistic_analysis',180,'vaccination_priorization','e-mail','lgpd@fiocruz.br').

true.

If ok, the Data Subject decides to agree with the presented terms.

In [14]:
setThatdsAgreeWithConsentTerms(id(ID),dataSubject(DS),
                                dataController(DC),
                                personalData(DS,PData),
                                healthData(DS,HData)) :-
	consentTermOk(dataController(DC),dataSubject(DS)),
	assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC))),
	assertz(dcCanCollectStoreAndProcessDSData(dataController(DC),dataSubject(DS))),
   	assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))),
   	assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))).




In [15]:
?- setThatdsAgreeWithConsentTerms(id(10),dataSubject(paulo),dataController(fiocruz),personalData(paulo,976635869),healthData(paulo,oPlus)).

true.

Now, the Data Controller can collect, store and process the Data Subject's data.

In [16]:
dcCanCollectStoreAndPRocessDSData(dataController(DC),dataSubject(DS)) :- 
    dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC)),
    assertz(dcCanCollectStoreAndProcessDSData(dataController(DC),dataSubject(DS)));
    not(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC))),
    assertz(dcCanCollectStoreAndProcessDSData(dataController(''),dataSubject(''))).



In [17]:
?- dcCanCollectStoreAndProcessDSData(dataController(fiocruz),dataSubject(paulo)).

true.

And the Data Subject is able to request his/her other rights.

In [18]:
setDSRights(dataSubject(DS),dataController(DC)) :-
	assertz(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataAnonimization,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
	assertz(dsRight(requestConsentRevokation,dataSubject(DS),dataController(DC))).



In [19]:
?- setDSRights(dataSubject(paulo),dataController(fiocruz)).

true.

#### However, the Data Subject decides to revoke his consent.

In [20]:
setDSRevokeConsent(id(ID),dataSubject(DS),dataController(DC),personalData(DS,PData),healthData(DS,HData)) :-
	retract(dsRight(requestConsentRevokation,dataSubject(DS),dataController(DC))),
   	retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))).



In [21]:
?- setDSRevokeConsent(id(10),dataSubject(paulo),dataController(fiocruz),personalData(paulo,976635869),healthData(paulo,oPlus)).

true.

#### Questions to ask

Are the fiocruz data controller using the data subject Paulo's data? 

In [22]:
?- dsRight(processingConfirmation,dataSubject(paulo),dataController(fiocruz)).

true.

What are the Data Subject rights right now?

In [23]:
?- dsRight(RIGHT,dataSubject(paulo),dataController(fiocruz)).

RIGHT = processingConfirmation ;
RIGHT = dataAccess ;
RIGHT = dataCopy ;
RIGHT = dataCorrection ;
RIGHT = dataAnonimization ;
RIGHT = dataPortability ;
RIGHT = dataDeletion ;
RIGHT = dataSharingInformation .

Can all items from art. 9 be informed?

In [24]:
?- specificPurpose(fiocruz,paulo,research,SPECIFICPURPOSE).

SPECIFICPURPOSE = genetic_factors_related_to_COVID-19 .

In [25]:
?- timeLength(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19',DAYS).

DAYS = 180 .

Who are processing the Data Subject's personal data and what are the respective data?

In [26]:
?- dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData)).

ID = 10, DC = fiocruz, PData = 976635869, HData = oPlus .

Who are collecting the Data Subject's personal data and what are the respective data?

In [27]:
?- dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData)).

false.