{"id":"https://openalex.org/W4415224539","doi":"https://doi.org/10.1016/j.infsof.2026.108168","title":"Consent Under Control with ProPrivacy: Business Process Compliance Verification for GDPR-Consent Requirements","display_name":"Consent Under Control with ProPrivacy: Business Process Compliance Verification for GDPR-Consent Requirements","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W4415224539","doi":"https://doi.org/10.1016/j.infsof.2026.108168"},"language":"en","primary_location":{"id":"doi:10.1016/j.infsof.2026.108168","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.infsof.2026.108168","pdf_url":null,"source":{"id":"https://openalex.org/S205010575","display_name":"Information and Software Technology","issn_l":"0950-5849","issn":["0950-5849","1873-6025"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Information and Software Technology","raw_type":"journal-article"},"type":"preprint","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1016/j.infsof.2026.108168","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5071927082","display_name":"Marco Robol","orcid":"https://orcid.org/0000-0003-4611-0371"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Marco Robol","raw_affiliation_strings":[],"raw_orcid":"https://orcid.org/0000-0003-4611-0371","affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5004905662","display_name":"Mattia Salnitri","orcid":"https://orcid.org/0000-0002-9736-2774"},"institutions":[{"id":"https://openalex.org/I11039511","display_name":"University of Bergamo","ror":"https://ror.org/02mbd5571","country_code":"IT","type":"education","lineage":["https://openalex.org/I11039511"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Mattia Salnitri","raw_affiliation_strings":[],"raw_orcid":"https://orcid.org/0000-0002-9736-2774","affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5074577975","display_name":"Elda Paja","orcid":"https://orcid.org/0000-0002-8346-2467"},"institutions":[{"id":"https://openalex.org/I83467386","display_name":"IT University of Copenhagen","ror":"https://ror.org/02309jg23","country_code":"DK","type":"education","lineage":["https://openalex.org/I83467386"]}],"countries":["DK"],"is_corresponding":false,"raw_author_name":"Elda Paja","raw_affiliation_strings":[],"raw_orcid":"https://orcid.org/0000-0002-8346-2467","affiliations":[]},{"author_position":"last","author":{"id":null,"display_name":"Paolo Giorgini","orcid":"https://orcid.org/0000-0003-4152-9683"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Paolo Giorgini","raw_affiliation_strings":[],"raw_orcid":"https://orcid.org/0000-0003-4152-9683","affiliations":[]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":{"value":3350,"currency":"USD","value_usd":3350},"apc_paid":{"value":3350,"currency":"USD","value_usd":3350},"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.41655556,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"196","issue":null,"first_page":"108168","last_page":"108168"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T13364","display_name":"Digitalization, Law, and Regulation","score":0.9771999716758728,"subfield":{"id":"https://openalex.org/subfields/3308","display_name":"Law"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T13364","display_name":"Digitalization, Law, and Regulation","score":0.9771999716758728,"subfield":{"id":"https://openalex.org/subfields/3308","display_name":"Law"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11045","display_name":"Privacy, Security, and Data Protection","score":0.9754999876022339,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/business-process","display_name":"Business process","score":0.578499972820282},{"id":"https://openalex.org/keywords/documentation","display_name":"Documentation","score":0.492900013923645},{"id":"https://openalex.org/keywords/enforcement","display_name":"Enforcement","score":0.47850000858306885},{"id":"https://openalex.org/keywords/business-process-modeling","display_name":"Business process modeling","score":0.47769999504089355},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.4487999975681305},{"id":"https://openalex.org/keywords/privacy-by-design","display_name":"Privacy by Design","score":0.44510000944137573},{"id":"https://openalex.org/keywords/business-rule","display_name":"Business rule","score":0.4138999879360199},{"id":"https://openalex.org/keywords/business-requirements","display_name":"Business requirements","score":0.41269999742507935},{"id":"https://openalex.org/keywords/process-modeling","display_name":"Process modeling","score":0.40880000591278076},{"id":"https://openalex.org/keywords/business-process-management","display_name":"Business process management","score":0.38690000772476196}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5896000266075134},{"id":"https://openalex.org/C85345410","wikidata":"https://www.wikidata.org/wiki/Q851587","display_name":"Business process","level":3,"score":0.578499972820282},{"id":"https://openalex.org/C195094911","wikidata":"https://www.wikidata.org/wiki/Q14167904","display_name":"Process management","level":1,"score":0.5746999979019165},{"id":"https://openalex.org/C56666940","wikidata":"https://www.wikidata.org/wiki/Q788790","display_name":"Documentation","level":2,"score":0.492900013923645},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.47850000858306885},{"id":"https://openalex.org/C207505557","wikidata":"https://www.wikidata.org/wiki/Q4374012","display_name":"Business process modeling","level":4,"score":0.47769999504089355},{"id":"https://openalex.org/C56739046","wikidata":"https://www.wikidata.org/wiki/Q192060","display_name":"Knowledge management","level":1,"score":0.4496000111103058},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.4487999975681305},{"id":"https://openalex.org/C193934123","wikidata":"https://www.wikidata.org/wiki/Q7246028","display_name":"Privacy by Design","level":3,"score":0.44510000944137573},{"id":"https://openalex.org/C11066294","wikidata":"https://www.wikidata.org/wiki/Q1518244","display_name":"Business rule","level":4,"score":0.4138999879360199},{"id":"https://openalex.org/C123247970","wikidata":"https://www.wikidata.org/wiki/Q5001932","display_name":"Business requirements","level":4,"score":0.41269999742507935},{"id":"https://openalex.org/C76956256","wikidata":"https://www.wikidata.org/wiki/Q27610560","display_name":"Process modeling","level":3,"score":0.40880000591278076},{"id":"https://openalex.org/C80309976","wikidata":"https://www.wikidata.org/wiki/Q7007379","display_name":"Business process management","level":4,"score":0.38690000772476196},{"id":"https://openalex.org/C2780616401","wikidata":"https://www.wikidata.org/wiki/Q1133673","display_name":"Cornerstone","level":2,"score":0.38580000400543213},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.36970001459121704},{"id":"https://openalex.org/C123201435","wikidata":"https://www.wikidata.org/wiki/Q456632","display_name":"Information privacy","level":2,"score":0.36820000410079956},{"id":"https://openalex.org/C179299601","wikidata":"https://www.wikidata.org/wiki/Q1017605","display_name":"Business Process Model and Notation","level":5,"score":0.3587000072002411},{"id":"https://openalex.org/C3090818","wikidata":"https://www.wikidata.org/wiki/Q1172506","display_name":"General Data Protection Regulation","level":3,"score":0.35839998722076416},{"id":"https://openalex.org/C102938260","wikidata":"https://www.wikidata.org/wiki/Q1999831","display_name":"Privacy policy","level":3,"score":0.34689998626708984},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3359000086784363},{"id":"https://openalex.org/C45357846","wikidata":"https://www.wikidata.org/wiki/Q2001982","display_name":"Notation","level":2,"score":0.31690001487731934},{"id":"https://openalex.org/C160735492","wikidata":"https://www.wikidata.org/wiki/Q31207","display_name":"Health care","level":2,"score":0.3059000074863434},{"id":"https://openalex.org/C162754035","wikidata":"https://www.wikidata.org/wiki/Q17006331","display_name":"Artifact-centric business process model","level":5,"score":0.3057999908924103},{"id":"https://openalex.org/C4216890","wikidata":"https://www.wikidata.org/wiki/Q815823","display_name":"Business model","level":2,"score":0.29330000281333923},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2921999990940094},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.2919999957084656},{"id":"https://openalex.org/C69360830","wikidata":"https://www.wikidata.org/wiki/Q1172237","display_name":"Data Protection Act 1998","level":2,"score":0.2883000075817108},{"id":"https://openalex.org/C2781460075","wikidata":"https://www.wikidata.org/wiki/Q1399332","display_name":"Compliance (psychology)","level":2,"score":0.2833000123500824},{"id":"https://openalex.org/C539667460","wikidata":"https://www.wikidata.org/wiki/Q2414942","display_name":"Management science","level":1,"score":0.272599995136261},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.2721000015735626},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.2667999863624573},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.2653000056743622},{"id":"https://openalex.org/C4927394","wikidata":"https://www.wikidata.org/wiki/Q787631","display_name":"Business Process Execution Language","level":4,"score":0.25859999656677246},{"id":"https://openalex.org/C59488412","wikidata":"https://www.wikidata.org/wiki/Q187147","display_name":"Requirements analysis","level":3,"score":0.25519999861717224},{"id":"https://openalex.org/C33762810","wikidata":"https://www.wikidata.org/wiki/Q461671","display_name":"Data integrity","level":2,"score":0.2551000118255615}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1016/j.infsof.2026.108168","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.infsof.2026.108168","pdf_url":null,"source":{"id":"https://openalex.org/S205010575","display_name":"Information and Software Technology","issn_l":"0950-5849","issn":["0950-5849","1873-6025"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Information and Software Technology","raw_type":"journal-article"},{"id":"doi:10.2139/ssrn.5601121","is_oa":true,"landing_page_url":"https://doi.org/10.2139/ssrn.5601121","pdf_url":null,"source":{"id":"https://openalex.org/S4210172589","display_name":"SSRN Electronic Journal","issn_l":"1556-5068","issn":["1556-5068"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1318003438","host_organization_name":"RELX Group (Netherlands)","host_organization_lineage":["https://openalex.org/I1318003438"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"acceptedVersion","is_accepted":true,"is_published":false,"raw_source_name":null,"raw_type":"posted-content"}],"best_oa_location":{"id":"doi:10.1016/j.infsof.2026.108168","is_oa":true,"landing_page_url":"https://doi.org/10.1016/j.infsof.2026.108168","pdf_url":null,"source":{"id":"https://openalex.org/S205010575","display_name":"Information and Software Technology","issn_l":"0950-5849","issn":["0950-5849","1873-6025"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320990","host_organization_name":"Elsevier BV","host_organization_lineage":["https://openalex.org/P4310320990"],"host_organization_lineage_names":["Elsevier BV"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Information and Software Technology","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":27,"referenced_works":["https://openalex.org/W1813153883","https://openalex.org/W1875962355","https://openalex.org/W1976055110","https://openalex.org/W2008109841","https://openalex.org/W2017048320","https://openalex.org/W2022078754","https://openalex.org/W2025765878","https://openalex.org/W2068189899","https://openalex.org/W2073878348","https://openalex.org/W2117818414","https://openalex.org/W2131518018","https://openalex.org/W2139061144","https://openalex.org/W2163442079","https://openalex.org/W2171627300","https://openalex.org/W2293598903","https://openalex.org/W2301605390","https://openalex.org/W2529770516","https://openalex.org/W2795529671","https://openalex.org/W2884779312","https://openalex.org/W2891707456","https://openalex.org/W3000190958","https://openalex.org/W4288086187","https://openalex.org/W4319072749","https://openalex.org/W4387857712","https://openalex.org/W4390952246","https://openalex.org/W4400491717","https://openalex.org/W4400642844"],"related_works":[],"abstract_inverted_index":{"\\textbf{Context.}Since":[0],"its":[1],"enforcement":[2],"in":[3,17,29,121,145,255],"2018,":[4],"the":[5,18,44,57,104,123,164,174,216,227,231],"General":[6],"Data":[7],"Protection":[8],"Regulation":[9],"(GDPR)":[10],"has":[11,38],"continued":[12],"to":[13,68,74,118,162,189,206,237],"shape":[14],"how":[15],"organizations,":[16],"European":[19],"Economic":[20],"Area,":[21],"design":[22],"and":[23,53,61,71,89,98,106,142,180,208,212,218,269],"operate":[24],"their":[25,109,126],"data-driven":[26],"services.Consent":[27],"management,":[28],"particular,":[30],"remains":[31],"a":[32,112,136,155,264],"cornerstone":[33],"of":[34,46,59,108,125,220,233,247],"compliance,":[35],"but":[36,260],"it":[37],"also":[39,261],"become":[40],"increasingly":[41],"complex":[42],"with":[43,128,149,193,201,258],"rise":[45],"data-intensive":[47],"business":[48,141,248,271],"models,":[49],"digital":[50],"health":[51],"platforms,":[52],"AI-powered":[54],"services.":[55],"Despite":[56],"availability":[58],"technical":[60],"organizational":[62,87],"tools,":[63],"many":[64],"companies":[65],"still":[66,116],"struggle":[67],"adapt":[69],"legacy":[70],"large-scale":[72],"processes":[73,82,127,148,225,249],"meet":[75],"GDPR's":[76],"consent":[77,151,194,211],"requirements.":[78,195],"Knowledge":[79],"about":[80],"these":[81,131],"is":[83,91,115],"often":[84],"fragmented":[85],"across":[86],"silos,":[88],"documentation":[90],"incomplete,":[92],"making":[93],"re-engineering":[94,105],"activities":[95],"both":[96],"tedious":[97],"error-prone.\\textbf{Objectives.}Companies":[99],"relies":[100],"on":[101,173,223],"experts":[102,144],"for":[103,266],"validation":[107],"processes,":[110],"while":[111],"comprehensive":[113],"method":[114],"missing":[117],"support":[119,253],"them":[120],"verifying":[122],"compliance":[124,200,257],"consent.To":[129],"address":[130],"challenges,":[132],"this":[133],"paper":[134],"proposes":[135],"model-based":[137],"approach":[138,222],"that":[139,158,244],"supports":[140],"privacy":[143,240],"aligning":[146],"operational":[147],"GDPR":[150,203,259],"principles.\\textbf{Methods.}Rather":[152],"than":[153],"introducing":[154],"new":[156],"language":[157],"would":[159],"force":[160],"analysts":[161,188],"restart":[163],"modeling":[165,185],"phase":[166],"from":[167,226],"scratch,":[168],"our":[169,221],"framework,":[170],"ProPrivacy,":[171],"builds":[172],"widely":[175],"adopted":[176],"Business":[177],"Process":[178],"Model":[179],"Notation":[181],"2.0":[182],"(BPMN":[183],"2.0)":[184],"language,":[186],"allowing":[187],"enrich":[190],"existing":[191],"models":[192],"ProPrivacy":[196],"then":[197],"automatically":[198],"verifies":[199],"key":[202],"principles":[204],"related":[205],"specific":[207],"freely":[209],"given":[210],"data":[213,235],"minimization.\\textbf{Results.}We":[214],"demonstrate":[215],"scalability":[217],"applicability":[219],"realistic":[224],"healthcare":[228],"domain,":[229],"where":[230],"management":[232],"sensitive":[234],"continues":[236],"present":[238],"critical":[239],"challenges.\\textbf{Conclusions.}The":[241],"results":[242],"suggest":[243],"automated":[245],"verification":[246],"can":[250],"not":[251],"only":[252],"organizations":[254],"achieving":[256],"serve":[262],"as":[263],"foundation":[265],"certifying":[267],"accountable":[268],"transparent":[270],"processes.":[272]},"counts_by_year":[],"updated_date":"2026-06-20T22:02:38.213706","created_date":"2025-10-16T00:00:00"}