## Scenario 3 - Data Subject agrees to the Data Controller's consent term, but then decides to revoke his/her consent and requests deletion of his/her data.

### Scenario Description

The Data Controller Fiocruz wants to use the Data Subject's personal data and health data to conduct research related to genetic factors in the COVID-19 context.

To do so, the Data Controller must send the consent term to the Data Subject.

However, after accepting the consent term, the Data Subject decides to revoke his consent and requests deletion of the data.

![Scenario3_Process](./img/Scenario3_Process.png "Title")

It is important to note that this scenario has a particularity. According to LGPD Art. 16, there are some situations in which the Data Controller can keep storing the Data Subject's data even when the Data Subject has requested data deletion:


Art. 16

 - I - compliance with a legal or regulatory obligation by the controller;
 - II - study by a research body, ensuring, whenever possible, the anonymization of the personal data;
 - III - transfer to a third party, provided that the data processing requirements set out in this Law are respected; or
 - IV - exclusive use by the controller, with access by third parties prohibited, and provided that the data are anonymized.
 
 ---------

### Scene 1 - Set consent term.

The first step is the consent setup. The consent must have all information described in the LGPD Art. 9. The following method receives all the required information.


The Data Subject Paulo allows the Data Controller Fiocruz to access, store, and process his personal data and his health data for the purpose of performing research regarding genetic factors related to COVID-19 using statistical analysis for 180 days.


The Data Controller is allowed to share the Data Subject's data only for the purpose of vaccination prioritization.


To make any request, please use the Data Controller's communication channel by email: lgpd@fiocruz.br.


PS: If requested, Data Controllers must in any case confirm whether they are processing the personal data.


In [1]:
% Description: This function defines a consent term including all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form (Processing techniques)
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel through which the Data Subject can request any information
% viii. Data Controller contact

createConsentTerm(DC,DS,PData,HData,Purpose,
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact) :-

                assertz(dataSubject(DS)),
                assertz(dataController(DC)),
                assertz(personalData(DS,PData)),
                assertz(healthData(DS, HData)),
                assertz(purpose(DC,DS,Purpose)),
                assertz(specificPurpose(DC,DS,Purpose,SpecificPurpose)),
                assertz(form(DC,DS,Purpose,SpecificPurpose,Form)),
                assertz(timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength)),
                assertz(thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,
                                                    TimeLength,ThirdPartyPurpose)),
                assertz(channelToProvideInformation(DC,DS,Channel,DCContact)).



In [2]:
% This call defines a consent term with the given parameters

?- createConsentTerm(fiocruz,paulo,976635869,oPlus,research,
                'genetic_factors_related_to_COVID-19',
                'statistic_analysis',
                180,
                'vaccination_priorization',
                'e-mail',
                'lgpd@fiocruz.br').

true.

In [3]:
% This fact grants the Data Subject the right to request processing confirmation

dsRight(processingConfirmation,dataSubject(paulo),dataController(fiocruz)).



 ---------

### Scene 2 - Data Subject agrees with the consent term.

First, the Data Subject verifies whether all the crucial elements are described in the consent term presented by the Data Controller. If so, the program records that the consent term is ok, i.e., it has all the required information.

In [4]:
% Description: This function receives all required params and verifies if they match with the initial consent. 
% In case of any missing information, the program will return an error, or false if the information does not 
% match with the initial consent.

checkConsentTerm(dataController(DC),
                dataSubject(DS),
                purpose(DC,Purpose),
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact) :-
    (
        form(DC,DS,Purpose,SpecificPurpose,Form),
        timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength),
        thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,TimeLength,ThirdPartyPurpose),
        channelToProvideInformation(DC,DS,Channel,DCContact),
        purpose(DC,DS,Purpose),
        specificPurpose(DC,DS,Purpose,SpecificPurpose),
        assertz(consentTermOk(dataController(DC),dataSubject(DS)))
    ).



In [5]:
% This call returns true if the consent term is ok, or false if not.

?- checkConsentTerm(dataController(fiocruz),
                        dataSubject(paulo),
                        purpose(fiocruz,research),
                        'genetic_factors_related_to_COVID-19',
                        'statistic_analysis',
                        180,
                        'vaccination_priorization',
                        'e-mail',
                        'lgpd@fiocruz.br').

true.

So, if the consent term is ok, the Data Subject can state that he/she agrees with the consent term.

Hence, the Data Controller can collect, store and process the Data Subject's data.

In [6]:
% Description: This function sets that the Data Subject agreed with the consent term.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Personal Data
%    v. Health Data

setThatdsAgreeWithConsentTerms(id(ID),dataSubject(DS),
                                dataController(DC),
                                personalData(DS,PData),
                                healthData(DS,HData)) :-
    consentTermOk(dataController(DC),dataSubject(DS)),
    assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC))),
    assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))),
    assertz(dcIsStoringDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))),
    assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))).



In [7]:
% This call returns true in case of success.

?- setThatdsAgreeWithConsentTerms(id(10),dataSubject(paulo),dataController(fiocruz),personalData(paulo,976635869),healthData(paulo,oPlus)).

true.

Now, the Data Controller can collect, store and process the Data Subject's data.
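
An added example, not part of the original notebook: where `checkConsentTerm` only succeeds or fails, the predicates below report which Art. 9 items have no stored fact for a given controller and subject. The names `art9Item/4`, `missingArt9Items/3` and `consentTermComplete/2` are hypothetical, and the sample facts are constructed.

```prolog
% Added example; art9Item/4, missingArt9Items/3 and consentTermComplete/2
% are hypothetical names, not predicates from the notebook.
% Declaring the predicates dynamic makes a query on an absent fact fail
% instead of raising an existence error.
:- dynamic purpose/3, specificPurpose/4, form/5, timeLength/5,
           thirdyPartySharingPurpose/6, channelToProvideInformation/4.

% Constructed sample: a consent term for (fiocruz, paulo) that lacks the
% processing duration and the third-party sharing purpose.
purpose(fiocruz, paulo, research).
specificPurpose(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19').
form(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19',
     'statistic_analysis').
channelToProvideInformation(fiocruz, paulo, 'e-mail', 'lgpd@fiocruz.br').

% art9Item(?Label, ?DC, ?DS, -Goal): the goal that proves an item is stored.
% The item list mirrors the facts that checkConsentTerm looks up.
art9Item(purpose,           DC, DS, purpose(DC, DS, _)).
art9Item(specificPurpose,   DC, DS, specificPurpose(DC, DS, _, _)).
art9Item(form,              DC, DS, form(DC, DS, _, _, _)).
art9Item(timeLength,        DC, DS, timeLength(DC, DS, _, _, _)).
art9Item(thirdPartyPurpose, DC, DS, thirdyPartySharingPurpose(DC, DS, _, _, _, _)).
art9Item(channel,           DC, DS, channelToProvideInformation(DC, DS, _, _)).

% missingArt9Items(+DC, +DS, -Missing): labels of items with no matching fact.
missingArt9Items(DC, DS, Missing) :-
    findall(Label,
            ( art9Item(Label, DC, DS, Goal), \+ call(Goal) ),
            Missing).

% consentTermComplete(+DC, +DS): succeeds only when nothing is missing.
consentTermComplete(DC, DS) :-
    missingArt9Items(DC, DS, []).
```

With the constructed facts, `missingArt9Items(fiocruz, paulo, M)` binds `M` to `[timeLength, thirdPartyPurpose]`, so `consentTermComplete(fiocruz, paulo)` fails. This checks presence only; matching the values against what the Data Subject was shown remains the job of `checkConsentTerm`.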

 ---------

### Scene 3 - Defining the Data Subject's rights.

According to the LGPD, when the Data Subject is sharing data with a Data Controller, he/she has the following rights:
1. Data Access
2. Data Copy
3. Data Correction
4. Data Anonymization
5. Data Portability
6. Data Deletion
7. Information regarding the data sharing with a third party
8. Request consent revocation.

In [8]:
% Description: This function sets all the Data Subject's rights provided for in the LGPD.
% This function receives the params:
%  i. Data Subject
% ii. Data Controller

setDSRights(dataSubject(DS),dataController(DC)) :-
	assertz(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataAnonymization,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
	assertz(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))).



In [9]:
% This call returns true if all the Data Subject's rights were associated with him/her.

?- setDSRights(dataSubject(paulo),dataController(fiocruz)).

true.

 ---------

### Scene 4 - Data Subject's consent revocation

As mentioned in the scenario's description, the Data Subject decides to revoke his/her consent.

Once performed, the action of requesting the consent revocation cannot be executed again, and the Data Controller is forbidden from continuing to collect the Data Subject's data.

In [10]:
% Description: This function revokes the Data Controller's action of collecting the Data Subject's data.
% This function receives the params:
%   i. Consent ID
%  ii. Data Subject
% iii. Data Controller
%  iv. Personal Data
%   v. Health Data

setDSRevokeConsent(id(ID),
                    dataSubject(DS),
                    dataController(DC),
                    personalData(DS,PData),
                    healthData(DS,HData)) :-
    retract(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))).



In [11]:
% This call returns true if the Data Subject's request was successfully performed.

?- setDSRevokeConsent(id(10),
                        dataSubject(paulo),
                        dataController(fiocruz),
                        personalData(paulo,976635869),
                        healthData(paulo,oPlus)).

true.

 ---------

### Scene 5 - Data deletion request

Now, the Data Subject requests the data deletion. To handle this, we first need to know whether the Data Controller's purpose is one of the purposes that allow the Data Controller to keep storing the Data Subject's data even when the Data Subject requests the data deletion.


The purposes that allow the Data Controller to keep holding the Data Subject's data are described in LGPD Art. 16:
 - I - compliance with a legal or regulatory obligation by the controller;
 - II - study by a research body, ensuring, whenever possible, the anonymization of the personal data;
 - III - transfer to a third party, provided that the data processing requirements set out in this Law are respected; or
 - IV - exclusive use by the controller, with access by third parties prohibited, and provided that the data are anonymized.
 
Because Fiocruz's purpose is "research", this institution can hold the Data Subject's data.

In [12]:
% Description: This function verifies if the Data Controller's purpose is eligible to hold the Data Subject's data.
% This function receives the params:
%  i. Data Subject
% ii. Data Controller

auxToSetIfDCCanHoldDSData(dataController(DC),dataSubject(DS)) :-
	purpose(DC,DS,legalObligation), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
	purpose(DC,DS,research), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
	purpose(DC,DS,transferToThirdParty), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
	purpose(DC,DS,exclusiveDCUse), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
	assertz(dcCanHoldData('','')).	



In [13]:
% This call always returns true, even when the purpose is not one of those provided for in the law.
% This happens because the Prolog program must have at least one declared (empty) fact in order not to return an error.

?- auxToSetIfDCCanHoldDSData(dataController(fiocruz),
                            dataSubject(paulo)).

 ;
 .

If the Data Controller can hold the Data Subject's data, then nothing happens, but the Data Subject cannot request data deletion anymore.

In [14]:
% This call verifies if the Data Controller can hold the Data Subject's data and removes the right to request the data deletion

?- dcCanHoldData(dataController(fiocruz),dataSubject(paulo)),
retract(dsRight(dataDeletion,dataSubject(paulo),dataController(fiocruz))).

true.

Otherwise, if the Data Controller cannot hold the Data Subject's data, the Data Controller cannot store the Data Subject's data, and the Data Subject has no more rights related to this Data Controller. However, as the Data Controller's purpose is "research", the Data Subject will lose only the right to request data deletion.

In [15]:
% Description: This function removes the Data Subject's rights related to the Data Controller.
% This function receives the params:
%   i. Consent ID
%  ii. Data Subject
% iii. Data Controller
%  iv. Personal Data
%   v. Health Data

deleteDSData(id(ID),dataSubject(DS),dataController(DC),personalData(DS,PData),healthData(DS,HData)) :-
    not(dcCanHoldData(dataController(DC),dataSubject(DS))),
    retract(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
    retract(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
    retract(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
    retract(dsRight(dataAnonymization,dataSubject(DS),dataController(DC))),
    retract(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
    retract(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
    retract(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
    retract(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))).



In [16]:
% This call verifies if the Data Controller can hold the data; if it cannot, the Data Subject's data will be deleted.

?- deleteDSData(id(10),
                dataSubject(paulo),
                dataController(fiocruz),
                personalData(paulo,976635869),
                healthData(paulo,oPlus)).

false.

In this case, the result is false because the purpose is research.
<p> Try a purpose other than research, legalObligation, transferToThirdParty, or exclusiveDCUse.</p>
<p> IMPORTANT: Remember to change the purpose in the function <b><i>checkConsentTerm</i></b> to the new purpose.</p>
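
An added example, not part of the original notebook: the Art. 16 check written as a lookup that asserts nothing, so no `dcCanHoldData('','')` placeholder fact is needed and the deletion request returns an explicit outcome. The names `retentionBasis/2`, `mayRetain/3` and `handleDeletionRequest/3` are hypothetical, and the sample facts (including the controller `acme` with purpose `marketing`) are constructed.

```prolog
% Added example; retentionBasis/2, mayRetain/3 and handleDeletionRequest/3
% are hypothetical names, not predicates from the notebook.
:- dynamic purpose/3, dsRight/3, dcIsStoringDSData/5, dcIsProcessingDSData/5.

% Constructed sample facts in the shape asserted in Scenes 1-3. The second
% controller (acme, purpose marketing) is invented to exercise the delete path.
purpose(fiocruz, paulo, research).
purpose(acme,    paulo, marketing).
dsRight(processingConfirmation, dataSubject(paulo), dataController(fiocruz)).
dsRight(dataAccess,             dataSubject(paulo), dataController(fiocruz)).
dsRight(dataDeletion,           dataSubject(paulo), dataController(fiocruz)).
dsRight(processingConfirmation, dataSubject(paulo), dataController(acme)).
dsRight(dataAccess,             dataSubject(paulo), dataController(acme)).
dsRight(dataDeletion,           dataSubject(paulo), dataController(acme)).
dcIsStoringDSData(id(10), dataController(fiocruz), dataSubject(paulo),
                  personalData(paulo,976635869), healthData(paulo,oPlus)).
dcIsStoringDSData(id(11), dataController(acme), dataSubject(paulo),
                  personalData(paulo,976635869), healthData(paulo,oPlus)).

% Art. 16 items I-IV keyed by the purpose atoms the notebook uses.
retentionBasis(legalObligation,      art16_I).
retentionBasis(research,             art16_II).
retentionBasis(transferToThirdParty, art16_III).
retentionBasis(exclusiveDCUse,       art16_IV).

% mayRetain(+DC, +DS, -Basis): pure lookup, asserts nothing.
mayRetain(DC, DS, Basis) :-
    purpose(DC, DS, Purpose),
    retentionBasis(Purpose, Basis).

% handleDeletionRequest(+DC, +DS, -Outcome)
%   retained(Basis): only the dataDeletion right is consumed.
%   deleted: storing and processing facts are removed (per the Scene 5 text)
%            and every right except processingConfirmation is withdrawn.
handleDeletionRequest(DC, DS, Outcome) :-
    once(retract(dsRight(dataDeletion, dataSubject(DS), dataController(DC)))),
    (   mayRetain(DC, DS, Basis)
    ->  Outcome = retained(Basis)
    ;   retractall(dcIsStoringDSData(_, dataController(DC), dataSubject(DS), _, _)),
        retractall(dcIsProcessingDSData(_, dataController(DC), dataSubject(DS), _, _)),
        forall(( dsRight(R, dataSubject(DS), dataController(DC)),
                 R \== processingConfirmation ),
               retract(dsRight(R, dataSubject(DS), dataController(DC)))),
        Outcome = deleted
    ).
```

With the constructed facts, a request to `fiocruz` is answered `retained(art16_II)` and one to `acme` is answered `deleted`; a second request to either controller fails because the `dataDeletion` right has already been consumed.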

 ---------

### Questions to ask

Is the Data Controller Fiocruz using the Data Subject Paulo's data?

In [17]:
?- dsRight(processingConfirmation,dataSubject(paulo),dataController(fiocruz)).

true.

What are the Data Subject's rights right now?

In [18]:
?- dsRight(RIGHT,dataSubject(paulo),dataController(fiocruz)).

RIGHT = processingConfirmation ;
RIGHT = dataAccess ;
RIGHT = dataCopy ;
RIGHT = dataCorrection ;
RIGHT = dataAnonymization ;
RIGHT = dataPortability ;
RIGHT = dataSharingInformation .

Can all items from Art. 9 be provided?

In [19]:
?- specificPurpose(fiocruz,paulo,research,SPECIFICPURPOSE).

SPECIFICPURPOSE = genetic_factors_related_to_COVID-19 .

In [20]:
?- timeLength(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19',DAYS).

DAYS = 180 .

Who is processing the Data Subject's personal data, and what are the respective data?

In [21]:
?- dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData)).

ID = 10, DC = fiocruz, PData = 976635869, HData = oPlus .

Who is collecting the Data Subject's personal data, and what are the respective data?

In [22]:
?- dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData)).

false.