# Scenario 2 - Data Subject agrees with the Data Controller consent term, but then decides to revoke his/her consent.

## Table of Contents
1. [Scenario Description](#Scenario-Description)
2. [Scene 1: Set Consent Term](#Scene-1:-Set-consent-term.)
3. [Scene 2: Data Subject Agrees with the Consent Term](#Scene-2:-Data-Subject-agrees-with-the-consent-term.)
4. [Scene 3: Defining the Data Subject's Rights](#Scene-3:-Defining-the-Data-Subject's-rights.)
5. [Scene 4: Data Subject's Consent Revocation](#Scene-4:-Data-Subject's-consent-revocation.)
6. [Questions to Ask](#Questions-to-ask)

### Scenario Description

The Data Controller Fiocruz wants to use the Data Subjects' personal data and health data to research genetic factors in the COVID-19 context, from Wednesday, May 26, 2021 1:07:55 PM to Friday, November 26, 2021 1:07:55 PM.

To do so, the Data Controller must send the consent term to the Data Subject. The consent term must present all the information defined in the LGPD art. 9.

However, after accepting the consent term, on Saturday, June 26, 2021 1:07:55 PM the Data Subject decides to revoke his consent and requests the data deletion.

The following figure depicts this macro scenario process.

![Scenario2_Process](./img/Scenario2_Process.png "Process 2")

It is important to note that this scenario presents a particularity. According to the LGPD art. 16, there are some situations in which the Data Controller can keep storing the Data Subject's data even after the Data Subject has requested the data deletion:


Art. 16

 - I - compliance with a legal or regulatory obligation by the controller;
 - II - study by a research body, ensuring, whenever possible, the anonymization of the personal data;
 - III - transfer to a third party, provided that the data processing requirements set out in this Law are respected; or
 - IV - exclusive use by the controller, with access by third parties prohibited, and provided that the data are anonymized.
 
PS: Unix timestamps are used to represent points in time. The following tool was used to convert human-readable time to timestamps and back: https://www.epochconverter.com/

 
 ---------

### Scene 1: Set consent term.

The first step is the consent setup. The consent must have all information described in the LGPD Art. 9. The following method receives all the required information.


The Data Subject Paulo allows the Data Controller Fiocruz to access, store, and process his personal data and health data to perform research regarding genetic factors related to COVID-19 using statistical analysis for 180 days.


The Data Controller is allowed to share the Data Subject's data only for the purpose of vaccination prioritization.


To make any request, please use the Data Controller communication channel by email lgpd@fiocruz.br.


PS: If requested, the Data Controller must always confirm whether it is processing the personal data.


In [1]:
% Description: This function defines a consent term including all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form (Processing techniques)
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel for the data subject to request any information
% viii. Data Controller contact

createConsentTerm(DC,DS,PData,HData,Purpose,
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact) :-

                assertz(dataSubject(DS)),
                assertz(dataController(DC)),
                assertz(personalData(DS,PData)),
                assertz(healthData(DS, HData)),
                assertz(purpose(DC,DS,Purpose)),
                assertz(specificPurpose(DC,DS,Purpose,SpecificPurpose)),
                assertz(form(DC,DS,Purpose,SpecificPurpose,Form)),
                assertz(timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength)),
                assertz(thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,
                                                    TimeLength,ThirdPartyPurpose)),
                assertz(channelToProvideInformation(DC,DS,Channel,DCContact)).



In [2]:
% This is a function call that defines a consent term with the informed params

?- createConsentTerm(fiocruz,paulo,976635869,oPlus,research,
                'genetic_factors_related_to_COVID-19',
                'statistic_analysis',
                180,
                'vaccination_priorization',
                'e-mail',
                'lgpd@fiocruz.br').

true.

In [3]:
% This function defines the right to request processing confirmation to the Data Subject

dsRight(processingConfirmation,dataSubject(paulo),dataController(fiocruz)).
?- assertz(log('Data Subject can store the Data Subject information',1622035260)).

true.

 ---------

### Scene 2: Data Subject agrees with the consent term.

First, the Data Subject verifies whether all the crucial elements are described in the consent term presented by the Data Controller. If so, the program records that the consent term is ok, i.e., it has all the required information.

In [4]:
% Description: This function verifies if a consent term includes all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form (Processing techniques)
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel for the data subject to request any information
% viii. Data Controller contact

checkConsentTerm(dataController(DC),
                dataSubject(DS),
                purpose(DC,Purpose),
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                Date) :-
    (
        form(DC,DS,Purpose,SpecificPurpose,Form),
        timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength),
        thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,TimeLength,ThirdPartyPurpose),
        channelToProvideInformation(DC,DS,Channel,DCContact),
        purpose(DC,DS,Purpose),
        specificPurpose(DC,DS,Purpose,SpecificPurpose),
        assertz(consentTermOk(dataController(DC),dataSubject(DS))),
        assertz(log('Data Subject verified the consent term and it was ok',Date))
    ).



In [5]:
% This function call returns true if the consent term is ok, or false if not.

?- checkConsentTerm(dataController(fiocruz),
                        dataSubject(paulo),
                        purpose(fiocruz,research),
                        'genetic_factors_related_to_COVID-19',
                        'statistic_analysis',
                        180,
                        'vaccination_priorization',
                        'e-mail',
                        'lgpd@fiocruz.br',
                        1622035260).

true.
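
When `checkConsentTerm` fails, it does not say which Art. 9 item is absent. The rule below lists the missing items instead. It is an added example, not part of the original notebook: `art9Item/3` and `missingArt9Items/3` are hypothetical names, and the facts are a constructed consent term that leaves out the form and the communication channel.

```prolog
% Added example (not from the original notebook). Runs stand-alone in SWI-Prolog.
:- use_module(library(lists)).

% Declared dynamic so that an absent item simply fails instead of raising
% an existence error.
:- dynamic purpose/3, specificPurpose/4, form/5, timeLength/5,
           thirdyPartySharingPurpose/6, channelToProvideInformation/4.

% Constructed consent term: form/5 and channelToProvideInformation/4 are
% deliberately left out.
purpose(fiocruz, paulo, research).
specificPurpose(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19').
timeLength(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19', 180).
thirdyPartySharingPurpose(fiocruz, paulo, research,
                          'genetic_factors_related_to_COVID-19',
                          180, 'vaccination_priorization').

% art9Item(Item, DC, DS): the consent term between DC and DS states Item.
art9Item(purpose, DC, DS)           :- purpose(DC, DS, _).
art9Item(specificPurpose, DC, DS)   :- specificPurpose(DC, DS, _, _).
art9Item(form, DC, DS)              :- form(DC, DS, _, _, _).
art9Item(timeLength, DC, DS)        :- timeLength(DC, DS, _, _, _).
art9Item(thirdPartyPurpose, DC, DS) :- thirdyPartySharingPurpose(DC, DS, _, _, _, _).
art9Item(channel, DC, DS)           :- channelToProvideInformation(DC, DS, _, _).

% missingArt9Items(+DC, +DS, -Missing): the items the term does not state.
missingArt9Items(DC, DS, Missing) :-
    findall(Item,
            ( member(Item, [purpose, specificPurpose, form, timeLength,
                            thirdPartyPurpose, channel]),
              \+ art9Item(Item, DC, DS) ),
            Missing).

% Query to run: ?- missingArt9Items(fiocruz, paulo, Missing).
```

An empty `Missing` list means the term carries every item that `checkConsentTerm` looks for.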

So, if the consent term is ok, the Data Subject can state that he/she agrees with the consent term.

Hence, the Data Controller can collect, store and process the Data Subject's data.

In [6]:
% Description: This function sets that the Data Subject agreed with the consent term.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Personal Data
%    v. Health Data
%   vi. Start Date - Timestamp
%  vii. End Date - Timestamp

setThatdsAgreeWithConsentTerms(id(ID),dataSubject(DS),
                                dataController(DC),
                                personalData(DS,PData),
                                healthData(DS,HData),
                                startDate(StartTS),
                                endDate(EndTS)) :-
    consentTermOk(dataController(DC),dataSubject(DS)),
    
    % Record the agreement together with the consent window (start and end timestamps)
    assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Subject agrees with consent term',StartTS)),

    assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can collect the Data Subject information',StartTS)),
    
    assertz(dcIsStoringDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can store the Data Subject information',StartTS)),
        
    assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can process the Data Subject information',StartTS)).



In [7]:
% This function call returns true in case of success.

?- setThatdsAgreeWithConsentTerms(id(10),
                                dataSubject(paulo),
                                dataController(fiocruz),
                                personalData(paulo,976635869),
                                healthData(paulo,oPlus),
                                startDate(1622035260),
                                endDate(1637932075)).

true.

Now, the Data Controller can collect, store and process the Data Subject's data.

In [8]:
?- dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                        personalData(paulo,976635869),healthData(paulo,oPlus),
                        startDate(1622035260),endDate(1637932075)),
                        
dcIsProcessingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637932075)),
                    
dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637932075)).

true.

---------

### Scene 3: Defining the Data Subject's rights.

According to the LGPD Art. 18, when the Data Subject is sharing data with a Data Controller, he/she has the following rights:
1. Data Access
2. Data Copy
3. Data Correction
4. Data Anonymization
5. Data Portability
6. Data Deletion
7. Information regarding the data sharing with a third party
8. Request consent revocation.

In [9]:
% Description: This function sets all the Data Subject's rights foreseen in the LGPD.
% This function receives the params:
%   i. Data Subject
%  ii. Data Controller
% iii. Start Date - Timestamp

setDSRights(dataSubject(DS),dataController(DC),startDate(StartTS)) :-
    assertz(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataAnonymization,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
    assertz(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject can now have all foressen rights',StartTS)).



In [10]:
% This function call returns true if all the Data Subject's rights were associated with him/her.

?- setDSRights(dataSubject(paulo),dataController(fiocruz),startDate(1622035260)).

true.

 ---------

### Scene 4: Data Subject's consent revocation.

As mentioned in the scenario's description, the Data Subject decides to revoke his/her consent.

Once performed, the action of requesting the consent revocation cannot be executed again, and the Data Controller is forbidden from continuing to collect the Data Subject's data.

In [11]:
% Description: This function revokes the Data Controller's actions of collecting and processing the Data Subject's data.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Personal Data
%    v. Health Data
%   vi. Date of the request - Timestamp
%  vii. Start Date - Timestamp
% viii. End Date - Timestamp
% The dcIsStoringDSData fact is not retracted: storage is kept (see LGPD Art. 16 in the scenario description).

setDSRevokeConsent(id(ID),
                    dataSubject(DS),
                    dataController(DC),
                    personalData(DS,PData),
                    healthData(DS,HData),
                    now(Date),
                    startDate(StartTS),
                    endDate(EndTS)) :-
                    
    (   % The right was already used (or never granted): only log the failed attempt
        not(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
        assertz(log('Data Subject tried to revoke his/her consent, but fail',Date))
    ;
        % The right can be exercised only once, so it is removed here
        retract(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
        assertz(log('Data Subject requested to the Data Controller to revoke his/her consent',Date)),
    
        retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
        assertz(log('From now, the Data Controller cannot collect the Data Subject information',Date)),
    
        retract(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
        assertz(log('From now, the Data Controller cannot process the Data Subject information',Date))
    ).

    



In [12]:
% This function call returns true if the Data Subject's request was successfully performed.

?- setDSRevokeConsent(id(10),
                        dataSubject(paulo),
                        dataController(fiocruz),
                        personalData(paulo,976635869),
                        healthData(paulo,oPlus),
                        now(1624712875),
                        startDate(1622035260),
                        endDate(1637932075)).
    

true.

 ---------

### Questions to ask

Is the Data Controller Fiocruz using the Data Subject Paulo's data?

In [13]:
?- dcIsProcessingDSData(id(10),dataController(fiocruz),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData),startDate(1622035260),endDate(1637932075)).

false.

What are the Data Subject's rights right now?

In [14]:
?- dsRight(RIGHT,dataSubject(paulo),dataController(fiocruz)).

RIGHT = processingConfirmation ;
RIGHT = dataAccess ;
RIGHT = dataCopy ;
RIGHT = dataCorrection ;
RIGHT = dataAnonymization ;
RIGHT = dataPortability ;
RIGHT = dataDeletion ;
RIGHT = dataSharingInformation .

Can all items from art. 9 be informed?

In [15]:
?- specificPurpose(fiocruz,paulo,research,SPECIFICPURPOSE).

SPECIFICPURPOSE = genetic_factors_related_to_COVID-19 .

In [16]:
?- timeLength(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19',DAYS).

DAYS = 180 .

Who is collecting the Data Subject's personal data, and what is the respective data?

In [17]:
?- dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData),startDate(1622035260),endDate(1637932075)).

false.

In [18]:
?- dcIsStoringDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData),startDate(1622035260),endDate(1637932075)).

ID = 10, DC = fiocruz, PData = 976635869, HData = oPlus .

Show all events.

In [19]:
?- log(Event,Date) {-1}.

Event = Data Subject can store the Data Subject information, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Date = 1622035260 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Date = 1624712875 ;
Event = From now, the Data Controller cannot collect the Data Subject information, Date = 1624712875 ;
Event = From now, the Data Controller cannot process the Data Subject information, Date = 1624712875 .

----

#### Cause-effect 1: How to evidence that the Data Controller did not respect the consent revocation?

Let's picture that the Data Controller did not respect the Data Subject's request and is still collecting the Data Subject's data. In such a scenario, fines must be applied.

In [20]:
% This command sets that the Data Controller is collecting the Data Subject's data.

dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                        personalData(paulo,976635869),healthData(paulo,oPlus),
                        startDate(1622035260),endDate(1637932075)).



In [21]:
% This command:
%   (i) verifies if the Data Controller is collecting the Data Subject's data;
%  (ii) verifies in the log if the Data Subject requested consent revocation;
% (iii) if all previous verifications are true, insert in the log that the Data Controller did not respect 
%       the Data Subject's will.

?- dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                        personalData(paulo,976635869),healthData(paulo,oPlus),
                        startDate(1622035260),endDate(1637932075)),
                        
    log('Data Subject requested to the Data Controller to revoke his/her consent',1624712875),
    
    assertz(log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied',1624712875)).

true.

In this sense, the program log should help the Data Subject to create evidence of his/her requests. The log will show that the consent was revoked and that the Data Controller did not respect that request.

In [22]:
?- log(Event,Date) {-1}.

Event = Data Subject can store the Data Subject information, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Date = 1622035260 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Date = 1624712875 ;
Event = From now, the Data Controller cannot collect the Data Subject information, Date = 1624712875 ;
Event = From now, the Data Controller cannot process the Data Subject information, Date = 1624712875 ;
Event = Data Controller did not respect the consent revocation requested by the Data Subject, and still processing. Thus, fines shou

In [23]:
% resetting the scenario
?- retract(dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                        personalData(paulo,976635869),healthData(paulo,oPlus),
                        startDate(1622035260),endDate(1637932075))),
                        
    retract((log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied',1624712875))).

true.

----
#### Cause-effect 2: How to evidence that the Data Controller leaked the Data Subject's data? 

To create concrete evidence that a Data Controller leaked a Data Subject's data, it is first important to verify who has such data. If just one Data Controller is legally storing the data, the chances that this Data Controller leaked the personal data are higher.

In [24]:
% This command verifies who is storing Paulo's personal and health data.

?- dcIsStoringDSData(id(ID),dataController(DataController),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637932075)).

ID = 10, DataController = fiocruz .

Now, let's picture that the Data Controller Butantan has Paulo's data.

In [25]:
dcIsStoringDSData(id(null),dataController(butantan),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637932075)).



In [26]:
% This command:
%   (i) verifies if the Data Controller is storing the Data Subject's data;
%  (ii) verifies if there is any evidence that the Data Subject allowed the Data Controller to process his/her data;
% (iii) if all previous verifications are true, insert in the log that the Data Controller is not allowed 
%       to collect the Data Subject's data.

?- dcIsStoringDSData(id(null),dataController(butantan),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637932075)),

    not(dsAgreeWithConsentTerms(dataSubject(paulo),dataController(butantan),startDate(1622035260),endDate(1637932075))),

    assertz(log('Data Subject did not agree with Butantan consent term, so the data was improperly collected, 
    fines should be applied',1624712875)).

true.

Therefore, the event log will show that there is no consent agreement between Paulo and Butantan.

Hence, the data was improperly collected.
Moreover, as Fiocruz is the only Data Controller storing Paulo's data, probably the data was leaked from Fiocruz to Butantan.

In [27]:
?- log(Event,Date) {-1}.

Event = Data Subject can store the Data Subject information, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Date = 1622035260 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Date = 1624712875 ;
Event = From now, the Data Controller cannot collect the Data Subject information, Date = 1624712875 ;
Event = From now, the Data Controller cannot process the Data Subject information, Date = 1624712875 ;
Event = Data Subject did not agree with Butantan consent term, so the data was improperly collected, fines should be applied, Date =
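
Both cause-effect checks above are written for one fixed controller and one fixed subject. As an added example (not part of the original notebook), the rules below generalize them: they list every observed activity that has no covering consent term, or that is collecting or processing after a revocation. `observed/4`, `consentRevoked/3`, `consentWindow/4`, `violation/5` and `violationsFor/2` are hypothetical names, and the observation timestamps are constructed.

```prolog
% Added example (not from the original notebook). Runs stand-alone in SWI-Prolog.
:- use_module(library(lists)).
:- dynamic dsAgreeWithConsentTerms/4, consentRevoked/3, observed/4.

% Consent and revocation, using the scenario's own timestamps.
dsAgreeWithConsentTerms(dataSubject(paulo), dataController(fiocruz),
                        startDate(1622035260), endDate(1637932075)).
consentRevoked(dataSubject(paulo), dataController(fiocruz), 1624712875).

% observed(Activity, DataController, DataSubject, Timestamp)
% Constructed observations; the timestamps are sample values.
observed(collecting, fiocruz,  paulo, 1622100000).  % inside the consent window
observed(collecting, fiocruz,  paulo, 1624800000).  % after the revocation
observed(storing,    fiocruz,  paulo, 1624800000).  % storage kept after revocation
observed(storing,    butantan, paulo, 1624800000).  % no consent term with Butantan

consentWindow(DS, DC, Start, End) :-
    dsAgreeWithConsentTerms(dataSubject(DS), dataController(DC),
                            startDate(Start), endDate(End)).

% Cause-effect 2, generalized: no consent term between the two parties
% covers the moment of the activity.
violation(noConsent, Activity, DC, DS, At) :-
    observed(Activity, DC, DS, At),
    \+ ( consentWindow(DS, DC, Start, End), At >= Start, At =< End ).

% Cause-effect 1, generalized: collecting or processing at or after the
% revocation. Storing is not flagged here, matching the notebook, which
% keeps dcIsStoringDSData after the revocation.
violation(afterRevocation, Activity, DC, DS, At) :-
    observed(Activity, DC, DS, At),
    member(Activity, [collecting, processing]),
    consentRevoked(dataSubject(DS), dataController(DC), RevokedAt),
    At >= RevokedAt.

% violationsFor(+DS, -Violations): every violation found for one Data Subject.
violationsFor(DS, Violations) :-
    findall(v(Kind, Activity, DC, At),
            violation(Kind, Activity, DC, DS, At),
            Violations).

% Query to run: ?- violationsFor(paulo, Violations).
```

Because the revocation is a structured fact that names both parties, the rule can attribute it to a specific Data Subject and Data Controller, which the free-text `log/2` entries alone do not allow.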