Papers by Cristiana Santos
Privacy Technologies and Policy
Consent Management Providers (CMPs) provide consent popups that are embedded in ever more websites over time to enable streamlined compliance with the legal requirements for consent mandated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). They implement the standard for consent collection from the Transparency and Consent Framework (TCF) (current version v2.0) proposed by the European branch of the Interactive Advertising Bureau (IAB Europe). Although the IAB's TCF specifications characterize CMPs as data processors, CMPs' factual activities often qualify them as data controllers instead. Discerning their clear role is crucial since compliance obligations and CMPs' liability depend on their accurate characterization. We perform empirical experiments with two major CMP providers in the EU, Quantcast and OneTrust, paired with a legal analysis. We conclude that CMPs process personal data, and we identify multiple scenarios wherein CMPs are controllers.
Annual Privacy Forum, 2020
The General Data Protection Regulation (GDPR), Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB) discuss purposes for data processing and the legal bases upon which data controllers can rely: either “consent” or “legitimate interests”. We study the purposes defined in IAB Europe’s Transparency and Consent Framework (TCF) and their usage by advertisers. We analyze the purposes with regard to the legal requirements for defining them lawfully, and suggest that several of them might not be specific or explicit enough to be compliant. Arguably, a large portion thereof requires consent, even though the TCF allows advertisers to declare them under the legitimate interests basis. Finally, we measure the declaration of purposes by all advertisers registered in the TCF versions 1.1 and 2.0 and show that hundreds of them do not operate under a legal basis that could be considered compliant under the GDPR.
CEUR http://ceur-ws.org/Vol-1105/paper4.pdf, 2013
This contribution introduces a new approach to online dispute resolution (ODR) and provides a portrayal of the performativity that Ambient Intelligence systems seem to convey to ODR: substantial enrichness and levels of support to the decision-making process with the provision of meaningful context information. We will portray the main issues and concerns addressed to Ambient Intelligence and we conceptualize them in the prism of online mediation. We will detail an analytical approach towards deconstructing the AmI scenario envisioned in online mediation context. We will frame privacy and data protection in the prospect of the emerging challenges raised by the development of information and communication technologies and through the filter of the ODR Regulation.
Air and Space Law Journal, 2019
Two main trends are currently developing in the satellite imagery industry: the increasing availability of very high spatial and temporal resolution satellite imagery, and the outsourcing of processing-intensive image analysis. Alongside the foreseeable improvements of facial recognition technology and other image recognition software, such synergies carry the potential for identification of individuals, and thus for privacy, data protection and ethical risks. The intent of this article is to discuss the possibility of identification of individuals through high resolution images under the broad definition provided by the general data protection regulation, and to explain the risks therein. We further suggest risk-mitigation approaches for incoming space data policies.
Proceedings of the 2nd Workshop on Technologies for Regulatory Compliance (TERECOM 2018), Groningen, The Netherlands, December 12, 2018., 2019
It is possible to model the meaning of articles of the GDPR in logic formulæ and this enables a semi-automatic reasoning over the Regulation, e.g., to build an argument of compliance. However, any formal reasoning requires that the formulæ are validly expressing the legal meaning(s) of the articles, including potential disagreements between legal experts over their interpretation. The problem is that IT experts may anticipate some unofficial legal meaning, invalid under any interpretation, while verifying if this happens requires legal expertise. However, legal experts are unlikely to be familiar with the logic formalism and cannot give informed feedback without understanding the legal interpretation(s) that a formula embodies. In a previous work, we devised a methodology and a human-readable intermediate representation to help non-experts reading formulæ in Reified I/O logic (RIO), a formalism expressing GDPR provisions introduced to reason about data protection compliance. This paper validates the methodology and shows that it is possible to retrieve feedback from legal experts about the validity of the RIO representation of the Regulation. Precisely, we collect and evaluate the feedback on the RIO version of Art. 5.1a and Art. 7.1, and show how to elicit suggestions to improve the formalization thereof. What emerges is an agile process to support public trust in the formal framework and in its use.
As a result of the GDPR and the ePrivacy Directive, European users encounter cookie banners on almost every website. Many of such banners are implemented by Consent Management Providers (CMPs), who respect the IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. In this work, we systematically study IAB Europe's TCF and analyze consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent and detect such violations by crawling 22 949 European websites. With two automatic and semi-automatic crawl campaigns, we detect violations, and we find that: 175 websites register positive consent even if the user has not made their choice; 236 websites nudge the users towards accepting consent by pre-selecting options; and 39 websites store a positive consent even if the user has explicitly opted out. Performing extensive tests on 560 websites, we find at least one violation in 54% of them. Finally, we provide a browser extension to facilitate manual detection of violations for regular users and Data Protection Authorities.
Annual Privacy Forum, 2019
With the GDPR in force in the EU since May 2018, companies and administrations need to be vigilant about the personal data they process. The new regulation defines rights for data subjects and obligations for data controllers but it is unclear how subjects and controllers interact concretely. This paper tries to answer two critical questions: is it safe for a data subject to exercise the right of access of her own data? When does a data controller have enough information to authenticate a data subject? To answer these questions, we have analyzed recommendations of Data Protection Authorities and authentication practices implemented in popular websites and third-party tracking services. We observed that some data controllers use unsafe or doubtful procedures to authenticate data subjects. The most common flaw is the use of authentication based on a copy of the subject’s national identity card transmitted over an insecure channel. We define how a data controller should react to a subject’s request to determine the appropriate procedures to identify the subject and her data. We provide compliance guidelines on data access response procedures.
Journal of Artificial Intelligence and Law, 2017
The concept of ‘relevance’ is crucial to legal information retrieval, but because of its intuitive understanding it goes undefined too easily and unexplored too often. We discuss a conceptual framework on relevance within legal information retrieval, based on a typology of relevance dimensions used within general information retrieval science, but tailored to the specific features of legal information. This framework can be used for the development and improvement of legal information retrieval systems.
Computer Law & Security Review Journal, 2016
This paper portrays a general overview of the existing European legal framework that applies to the publication and consumption of linked data resources in typical settings. The point of view of both data publishers and data consumers is considered, identifying their rights and obligations, with special attention to those derived from the copyright and data protection laws. The goal of this analysis is to identify the practices that help to make the publication and consumption of linked data resources legally compliant processes. An insight on broader regulations, best practices and common situations is given.
8TH EUROPEAN CONFERENCE FOR AERONAUTICS AND SPACE SCIENCES (EUCASS)
Space debris presents an emerging “tragedy of the commons”, posing hazards to the access, use, exploitation and exploration of space. We recommend a model addressing this issue and qualify debris as abiotic space resources and argue that it can be recycled and converted into fuel for other space ventures such as producing metal for on-orbit 3D printing. This could produce a commercially viable solution for incentivizing debris removal. We acknowledge mandatory property insurance and absolute third party liability insurance, both in orbit, to fund such operations through insurance salvage clauses facilitating title claim and sustain return on investment.
In this paper we examine the possibilities offered by the EU legal framework to set and regulate a data and meta-data market. It is our contention that a policy and legally-driven market could benefit from analytical concepts —meta-rule of law, semantic web regulatory models, legal ontologies— to reduce privacy and data protection risks. We introduce a general and integrated framework, and provide examples of existing privacy ontologies and of the practical use of linked data.
This paper looks at the use of recitals in the interpretation of EU legislation, and mechanisms for connecting them to normative provisions. The purposive approach to the interpretation of EU legislation taken by the European Court of Justice makes frequent references to recitals as helping to establish the purpose of normative provisions. Our research uses a cosine similarity based approach to link articles with relevant provisions to help legal professionals and lay end-users interpret the law. Such support can be used in legal knowledge-based systems.
AI Approaches to the Complexity of Legal Systems: AICOL International Workshops 2015-2017: AICOL-VI@ JURIX 2015, AICOL-VII@ EKAW 2016, AICOL-VIII@ JURIX 2016, AICOL-IX@ ICAIL 2017, and AICOL-X@ JURIX 2017, Revised Selected Papers, 2018
Instead of custom-building a new ontology from scratch, knowledge resources can be elicited, reused and engineered to develop legal ontologies with the goal of promoting the application of good practices and speeding up the ontology development process. This paper focuses on the specificities of non-ontological resources in the legal domain, and provides some guidelines of how these can be reused and engineered to enable heterogeneous resources integration within a legal ontology. The paper presents some examples of these processes using a case-study in the consumer law domain.
In this paper we present an ontology design pattern to conceptualize complaints, an important concept still uncovered by ODPs. The proposed Complaint Ontology Pattern (COP) has been designed based on the analysis of free text complaints from available complaint datasets (banking, air transport, automobile), among other knowledge sources. We present a detailed use-case from consumer disputes. We evaluate the pattern by annotating the complaints from our use case and by discussing how COP aligns to existing ontologies. Knowledge engineers can further model complaints for specific domains and processes, satisfying different requirements via COP specializations.
Proceedings of the 2nd Workshop on Technologies for Regulatory Compliance (TERECOM 2018), Groningen, The Netherlands, December 12, 2018., 2019
Dealing with events is a challenging task in Artificial Intelligence; just trying to define what is an event and deciding what information should be considered relevant to it is a difficult and domain dependent endeavour. Although this task has already been tackled in the legal domain, no consensual definition nor standard representation for legal events has been established yet. In this paper, we analyze current approaches to event representation and extraction in the legal domain, and we review generic approaches as well. We expose our first impressions derived therefrom, and we offer a first round of event annotations of judgments of the European Court of Justice. Aspects such as the concept of relevance are discussed, along with choices for evaluation. Possible strategies for extraction of legal events are described. Finally, a roadmap for a formal, complete definition and delimitation of events in the legal domain is presented.
Computer Law & Security Review, Elsevier, 2017
Data is a modern form of wealth in the digital world, and massive amounts of data circulate in cloud environments. While this enormously facilitates the sharing of information, both for personal and professional purposes, it also introduces some critical problems concerning the ownership of the information. Data is an intangible good that is stored in large data warehouses, where the hardware architectures and software programs running the cloud services coexist with the data of many users. This context calls for a twofold protection: on one side, the cloud is made up of hardware and software that constitute the business assets of the service provider (property of the cloud); on the other side, there is a definite need to ensure that users retain control over their data (property in the cloud). The law grants protection to both sides under several perspectives, but the result is a complex mix of interwoven regimes, further complicated by the intrinsically international nature of cloud computing that clashes with the typical diversity of national laws. As the business model based on cloud computing grows, public bodies, and in particular the European Union, are striving to find solutions to properly regulate the future economy, either by introducing new laws, or by finding the best ways to apply existing principles.
A multi-lingual term bank of copyright-related terms has been published connecting WIPO definitions, IATE terms and definitions from Creative Commons licenses. These terms have been hierarchically arranged, spanning multiple languages and targeting different jurisdictions. The term bank has been published as a TBX dump file and is publicly accessible as linked data. Models for the RDF data structure are based on Lemon and W3C Recommendations. The term bank has been used to annotate common licenses in the RDFLicense dataset.
Accessing relevant legal information found in text excerpts from heterogeneous sources is essential to the decision making process in consumer disputes. The Ontology of Relevant Legal Information in Consumer Disputes (ric) is the domain-independent ontology modeling this relevant legal information comprising rights, their requisites, exceptions, constraints, enforcement procedures, legal sources. Its use is exemplified with one extension thereof, the Air Transport Passenger Incidents Ontology (ric-atpi), representing both the possible incidents triggered by a complaint in the air transport passenger domain and the related legal information that might be applicable. The Ontology models the key provisions found in hard law, and those in soft law, comprising heterogeneous sources in a structured manner. An ontology-based system provides the knowledge embedded in the legal sources and their relation to the specific scenario.
Revista Democracia Digital E Governo Eletronico, 2014
This contribution presents a new approach to online dispute resolution. In this article we aim to assess whether the synergy and the performativity of Ambient Intelligent Systems (AmI), by inserting sensors in mobile devices that are familiar to us, can enhance the communication and the decision-making process in online dispute resolution. With these new contributions, we provide a perspective of the main legal implications of using this ubiquitous technology in ODR. We will portray the main criticisms and concerns addressed to Ambient Intelligence and we conceptualize them in the prism of online mediation. We will examine the relevance, applicability and adequacy of privacy and data protection legislation in the prospect of the emerging challenges of AmI.
Data protection, currently under the limelight at the European level, is undergoing a long and complex reform that is finally approaching its completion. Consequently, there is an urgent need to customize semantic standards towards the prospective legal framework. The aim of this paper is to provide a bottom-up ontology describing the constituents of data protection domain and its relationships. Our contribution envisions a methodology to highlight the (new) duties of data controllers and foster the transition of IT-based systems, services/tools and businesses to comply with the new General Data Protection Regulation. This structure may serve as the foundation in the design of present and future information systems abiding to data protection legal requirements.