Wiki

Wiki

6.3 Consent Service and PDI

Manage individual consent [5.2]. Consent is mandatory for the exchange of personal data. It is closely linked to the service [6.2]. Consent cannot be granted without a valid contract [4.0].

The Consent Service introduces the individual rights dimension of the governance infrastructure and is key in the Personal Data Exchange [5.2]. While the contract regulates the relationship between organizations, the consent regulates the legitimacy of the processing activities regarding the data owner. No access can be obtained if a valid consent doesn’t exist, and it must be verifiable and linked to a previously formalized contract.

User Identity vs. PDI User account
User Identity vs. PDI User account (Source: Prometheus-X)

This component operates with the Personal Data Intermediary (PDI), whose requirements can be consulted here. The PDI acts as the trusted intermediary that guarantees that the consent is informed, specific and technically verifiable, as well as revocable at any moment.

Personal Data Intermediary schema
Personal Data Intermediary schema (Source: Prometheus-X)

The Consent Service allows the registration of the consent in a structured manner, pair it with a specific contract and its ODRL policies and verify its validity before any exchange. In case it’s revoked, the system must automatically block any new access, even if the contract is still valid. This logic ensures that the control principle from the owner’s side is fully integrated into the technical infrastructure.

You can check here to know how to implement it, and the documentation can be found here, here and here.

In terms of integrated architecture, the governance full sequence maintains a chained and logic coherence:

  1. First, the resource is published in the Catalog Service.
  2. Then, the exchange is formalized

Lastly, when there is personal data involved, consent is obtained through the Consent Service before the PDC authorizes the operation.

 

References