{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T17:13:14Z","timestamp":1778778794611,"version":"3.51.4"},"reference-count":68,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,8,1]],"date-time":"2026-08-01T00:00:00Z","timestamp":1785542400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T00:00:00Z","timestamp":1777334400000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Information and Software Technology"],"published-print":{"date-parts":[[2026,8]]},"DOI":"10.1016\/j.infsof.2026.108168","type":"journal-article","created":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T17:06:07Z","timestamp":1777568767000},"page":"108168","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["Consent under control with ProPrivacy: Business process compliance verification for GDPR-consent requirements"],"prefix":"10.1016","volume":"196","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4611-0371","authenticated-orcid":false,"given":"Marco","family":"Robol","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9736-2774","authenticated-orcid":false,"given":"Mattia","family":"Salnitri","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8346-2467","authenticated-orcid":false,"given":"Elda","family":"Paja","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4152-9683","authenticated-orcid":false,"given":"Paolo","family":"Giorgini","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"78","reference":[{"key":"10.1016\/j.infsof.2026.108168_b1","volume":"L119\/59","author":"Parliament","year":"2016","journal-title":"Off. J. Eur. Union"},{"issue":"3","key":"10.1016\/j.infsof.2026.108168_b2","doi-asserted-by":"crossref","first-page":"326","DOI":"10.1108\/IJLMA-08-2023-0170","article-title":"Understanding challenges of GDPR implementation in business enterprises: a systematic literature review","volume":"66","author":"Smirnova","year":"2024","journal-title":"Int. J. Law Manag."},{"key":"10.1016\/j.infsof.2026.108168_b3","unstructured":"Q. He, A. Ant\u00f3n, et al., A framework for modeling privacy requirements in role engineering, in: Proc. of REFSQ, Vol. 3, 2003, pp. 137\u2013146."},{"key":"10.1016\/j.infsof.2026.108168_b4","doi-asserted-by":"crossref","first-page":"241","DOI":"10.1007\/s00766-008-0067-3","article-title":"Addressing privacy requirements in system design: the PriS method","volume":"13.3","author":"Kalloniatis","year":"2008","journal-title":"Requir. Eng."},{"key":"10.1016\/j.infsof.2026.108168_b5","doi-asserted-by":"crossref","first-page":"281","DOI":"10.1007\/s00766-013-0190-7","article-title":"Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements","volume":"19","author":"Breaux","year":"2014","journal-title":"Requir. Eng."},{"key":"10.1016\/j.infsof.2026.108168_b6","series-title":"Requirements Engineering and Law","first-page":"45","article-title":"A meta-model for modelling law-compliant requirements","author":"Siena","year":"2009"},{"key":"10.1016\/j.infsof.2026.108168_b7","series-title":"Engineering Law-Compliant Requirements - The Nomos Framework","author":"Siena","year":"2010"},{"key":"10.1016\/j.infsof.2026.108168_b8","series-title":"Proceedings of 13th IEEE International Conference on Requirements Engineering","first-page":"167","article-title":"Modeling security requirements through ownership, permission and delegation","author":"Giorgini","year":"2005"},{"key":"10.1016\/j.infsof.2026.108168_b9","series-title":"Security Requirements Engineering: Designing Secure Socio-Technical Systems","author":"Dalpiaz","year":"2016"},{"key":"10.1016\/j.infsof.2026.108168_b10","doi-asserted-by":"crossref","unstructured":"P. Ashley, S. Hada, G. Karjoth, M. Schunter, E-P3P privacy policies and privacy authorization, in: Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, ACM, pp. 103\u2013109.","DOI":"10.1145\/644527.644538"},{"key":"10.1016\/j.infsof.2026.108168_b11","article-title":"Enterprise privacy authorization language (EPAL)","author":"Ashley","year":"2003","journal-title":"IBM Res."},{"key":"10.1016\/j.infsof.2026.108168_b12","series-title":"Extensible Access Control Markup Language (Xacml) Version 2.0","author":"Moses","year":"2005"},{"issue":"1","key":"10.1016\/j.infsof.2026.108168_b13","doi-asserted-by":"crossref","first-page":"128","DOI":"10.1145\/984334.984339","article-title":"The UCON ABC usage control model","volume":"7","author":"Park","year":"2004","journal-title":"ACM Trans. Inf. Syst. Secur. (TISSEC)"},{"key":"10.1016\/j.infsof.2026.108168_b14","doi-asserted-by":"crossref","unstructured":"C. Utz, M. Degeling, S. Fahl, F. Schaub, T. Holz, (Un) informed consent: Studying GDPR consent notices in the field, in: Proceedings of the 2019 Acm Sigsac Conference on Computer and Communications Security, 2019, pp. 973\u2013990.","DOI":"10.1145\/3319535.3354212"},{"key":"10.1016\/j.infsof.2026.108168_b15","doi-asserted-by":"crossref","DOI":"10.1016\/j.softx.2024.101821","article-title":"GDPR consent management and automated compliance verification tool","volume":"27","author":"Chhetri","year":"2024","journal-title":"SoftwareX"},{"key":"10.1016\/j.infsof.2026.108168_b16","doi-asserted-by":"crossref","unstructured":"M. Nouwens, I. Liccardi, M. Veale, D. Karger, L. Kagal, Dark patterns after the GDPR: Scraping consent pop-ups and demonstrating their influence, in: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, 2020, pp. 1\u201313.","DOI":"10.1145\/3313831.3376321"},{"issue":"4","key":"10.1016\/j.infsof.2026.108168_b17","doi-asserted-by":"crossref","first-page":"523","DOI":"10.1007\/s00766-024-00423-4","article-title":"Understanding the GDPR from a requirements engineering perspective\u2014a systematic mapping study on regulatory data protection requirements","volume":"29","author":"Negri-Ribalta","year":"2024","journal-title":"Requir. Eng."},{"key":"10.1016\/j.infsof.2026.108168_b18","series-title":"Three decades of formal methods in business process compliance: A systematic literature review","author":"L\u00f3pez","year":"2024"},{"key":"10.1016\/j.infsof.2026.108168_b19","series-title":"2013 IEEE 9th International Conference on Emerging Technologies","first-page":"1","article-title":"Formal approach for compliance rules checking in business process models","author":"Kherbouche","year":"2013"},{"key":"10.1016\/j.infsof.2026.108168_b20","series-title":"31st International Conference on Conceptual Modeling","first-page":"383","article-title":"Capturing variability of law with N\u00f3mos 2","volume":"Vol. 7532","author":"Siena","year":"2012"},{"key":"10.1016\/j.infsof.2026.108168_b21","first-page":"275","article-title":"Goals and Compliance in Nomos 3","author":"Ingolfo","year":"2014","journal-title":"Int. Conf. Concept. Model. (ER)"},{"key":"10.1016\/j.infsof.2026.108168_b22","series-title":"Fundamentals of Business Process Management","author":"Dumas","year":"2013"},{"key":"10.1016\/j.infsof.2026.108168_b23","article-title":"Logic of violations: A gentzen system for reasoning with contrary-to-duty obligations","volume":"4","author":"Governatori","year":"2006","journal-title":"Australas. J. Log."},{"issue":"1","key":"10.1016\/j.infsof.2026.108168_b24","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1016\/j.datak.2007.06.007","article-title":"Integration and verification of semantic constraints in adaptive process management systems","volume":"64","author":"Ly","year":"2008","journal-title":"Data Knowl. Eng."},{"issue":"3","key":"10.1016\/j.infsof.2026.108168_b25","doi-asserted-by":"crossref","first-page":"499","DOI":"10.1145\/1149114.1149117","article-title":"The DLV system for knowledge representation and reasoning","volume":"7","author":"Leone","year":"2006","journal-title":"ACM Trans. Comput. Log. (TOCL)"},{"key":"10.1016\/j.infsof.2026.108168_b26","series-title":"ProPrivacy","author":"Robol","year":"2026"},{"key":"10.1016\/j.infsof.2026.108168_b27","article-title":"Directive 95\/46\/ec of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data","volume":"L119\/59","author":"Parliament","year":"2016","journal-title":"Off. J. Eur. Union"},{"key":"10.1016\/j.infsof.2026.108168_b28","series-title":"The health insurance portability and accountability act of 1996","author":"the 104th United States Congress","year":"1936"},{"issue":"1","key":"10.1016\/j.infsof.2026.108168_b29","first-page":"6","article-title":"Design science in information systems research","volume":"28","author":"Hevner","year":"2008","journal-title":"MIS Q."},{"issue":"7","key":"10.1016\/j.infsof.2026.108168_b30","first-page":"1880","article-title":"Introduction: Privacy self-management and the consent dilemma","volume":"126","author":"Solove","year":"2012","journal-title":"Harv. L. Rev."},{"key":"10.1016\/j.infsof.2026.108168_b31","series-title":"ER","first-page":"504","article-title":"Specifying and reasoning over socio-technical security requirements with STS-tool","author":"Paja","year":"2013"},{"key":"10.1016\/j.infsof.2026.108168_b32","series-title":"CAiSE Forum","first-page":"205","article-title":"STS-tool 3.0: Maintaining security in socio-technical systems","author":"Salnitri","year":"2015"},{"issue":"3","key":"10.1016\/j.infsof.2026.108168_b33","doi-asserted-by":"crossref","first-page":"737","DOI":"10.1007\/s10270-015-0499-4","article-title":"Designing secure business processes with secBPMN","volume":"16","author":"Salnitri","year":"2017","journal-title":"Softw. Syst. Model."},{"key":"10.1016\/j.infsof.2026.108168_b34","series-title":"Secure Business Process Engineering: a Socio-Technical Approach","author":"Salnitri","year":"2016"},{"issue":"1","key":"10.1016\/j.infsof.2026.108168_b35","doi-asserted-by":"crossref","first-page":"119","DOI":"10.1007\/s00766-018-0304-3","article-title":"Automatic test cases generation from business process models","volume":"24","author":"Yazdani Seqerloo","year":"2019","journal-title":"Requir. Eng."},{"key":"10.1016\/j.infsof.2026.108168_b36","doi-asserted-by":"crossref","DOI":"10.1016\/j.is.2023.102184","article-title":"An approach for analyzing business process execution complexity based on textual data and event log","volume":"114","author":"Revina","year":"2023","journal-title":"Inf. Syst."},{"issue":"6","key":"10.1016\/j.infsof.2026.108168_b37","doi-asserted-by":"crossref","first-page":"483","DOI":"10.1109\/32.142871","article-title":"Representing and using nonfunctional requirements: A process-oriented approach","volume":"18","author":"Mylopoulos","year":"1992","journal-title":"IEEE Trans. Softw. Eng."},{"issue":"10","key":"10.1016\/j.infsof.2026.108168_b38","doi-asserted-by":"crossref","first-page":"978","DOI":"10.1109\/32.879820","article-title":"Handling obstacles in goal-oriented requirements engineering","volume":"26","author":"Van Lamsweerde","year":"2000","journal-title":"IEEE Trans. Softw. Eng."},{"key":"10.1016\/j.infsof.2026.108168_b39","unstructured":"L. Liu, E. Yu, J. Mylopoulos, Analyzing security requirements as relationships among strategic actors, in: Submitted to the Symposium on Requirements Engineering for Information Security, SREIS\u201902), Raleigh, North Carolina, 2002."},{"key":"10.1016\/j.infsof.2026.108168_b40","series-title":"Proceedings. 11th IEEE International Requirements Engineering Conference","first-page":"151","article-title":"Security and privacy requirements analysis within a social setting","author":"Liu","year":"2003"},{"key":"10.1016\/j.infsof.2026.108168_b41","unstructured":"H. Mouratidis, P. Giorgini, G. Manson, Integrating Security and Systems Engineering: Towards the Modelling of Secure Information Systems, in: International Conference on Advanced Information Systems Engineering, CAiSE, Vol. LNCS 2681, 2003, pp. 63\u201378."},{"key":"10.1016\/j.infsof.2026.108168_b42","series-title":"Proceedings of the Second International Conference on Requirements Engineering","first-page":"136","article-title":"Goal-based requirements analysis","author":"Anton","year":"1996"},{"key":"10.1016\/j.infsof.2026.108168_b43","series-title":"E-Commerce Security and Privacy","first-page":"67","article-title":"Strategies for developing policies and requirements for secure and private electronic commerces","author":"Ant\u00f3n","year":"2001"},{"issue":"11","key":"10.1016\/j.infsof.2026.108168_b44","doi-asserted-by":"crossref","first-page":"908","DOI":"10.1109\/32.730542","article-title":"Managing conflicts in goal-driven requirements engineering","volume":"24","author":"Van Lamsweerde","year":"1998","journal-title":"IEEE Trans. Softw. Eng."},{"issue":"2","key":"10.1016\/j.infsof.2026.108168_b45","first-page":"159","article-title":"Goal-oriented requirements analysis and reasoning in the tropos methodology","volume":"18","author":"Giorgini","year":"2005","journal-title":"Eng. Appl. AI"},{"key":"10.1016\/j.infsof.2026.108168_b46","article-title":"Modelling strategic relationships for process reengineering","author":"Yu","year":"2011","journal-title":"Soc. Model. Requir. Eng."},{"key":"10.1016\/j.infsof.2026.108168_b47","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1016\/j.datak.2015.07.007","article-title":"Modelling and reasoning about security requirements in socio-technical systems","author":"Paja","year":"2015","journal-title":"Data Knowl. Eng."},{"key":"10.1016\/j.infsof.2026.108168_b48","series-title":"24th International Requirements Engineering Conference Workshops","first-page":"155","article-title":"Maintaining Secure Business Processes in Light of Socio-Technical Systems\u2019 Evolution","author":"Salnitri","year":"2016"},{"key":"10.1016\/j.infsof.2026.108168_b49","doi-asserted-by":"crossref","unstructured":"N. Zeni, E. A.Seid, S. Ingolfo, J. Mylopoulos, Building Large Models of Law with N\u00f2mosT, in: International Conference on Conceptual Modeling, ER, 2017, pp. 1\u201317.","DOI":"10.1007\/978-3-319-46397-1_18"},{"issue":"1","key":"10.1016\/j.infsof.2026.108168_b50","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1109\/TSE.2008.88","article-title":"Engineering Privacy","volume":"35","author":"Spiekermann","year":"2009","journal-title":"IEEE Trans. Softw. Eng."},{"issue":"3","key":"10.1016\/j.infsof.2026.108168_b51","first-page":"25","article-title":"Engineering privacy by design","volume":"14","author":"G\u00fcrses","year":"2011","journal-title":"Comput. Priv. Data Prot."},{"key":"10.1016\/j.infsof.2026.108168_b52","series-title":"IFIP International Information Security Conference","first-page":"446","article-title":"Privacy design strategies","author":"Hoepman","year":"2014"},{"key":"10.1016\/j.infsof.2026.108168_b53","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1016\/j.infsof.2008.04.004","article-title":"Towards the development of privacy-aware systems","volume":"51.2","author":"Guarda","year":"2009","journal-title":"Inf. Softw. Technol."},{"key":"10.1016\/j.infsof.2026.108168_b54","series-title":"Privacy and data protection by design-from policy to engineering","author":"Danezis","year":"2015"},{"key":"10.1016\/j.infsof.2026.108168_b55","series-title":"2006 10th IEEE International Enterprise Distributed Object Computing Conference","first-page":"221","article-title":"Compliance checking between business processes and business contracts","author":"Governatori","year":"2006"},{"issue":"04","key":"10.1016\/j.infsof.2026.108168_b56","doi-asserted-by":"crossref","first-page":"659","DOI":"10.1142\/S0218843006001529","article-title":"A formal analysis of a business contract language","volume":"15","author":"Governatori","year":"2006","journal-title":"Int. J. Coop. Inf. Syst."},{"issue":"1","key":"10.1016\/j.infsof.2026.108168_b57","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/1658373.1658376","article-title":"Declarative specification and verification of service choreographiess","volume":"4","author":"Montali","year":"2010","journal-title":"ACM Trans. Web (TWEB)"},{"issue":"1","key":"10.1016\/j.infsof.2026.108168_b58","article-title":"Reasoning on LTL on finite traces: Insensitivity to infiniteness","volume":"28","author":"De Giacomo","year":"2014","journal-title":"Proc. AAAI Conf. Artif. Intell."},{"issue":"2","key":"10.1016\/j.infsof.2026.108168_b59","doi-asserted-by":"crossref","first-page":"91","DOI":"10.1016\/j.compind.2011.12.003","article-title":"Managing large collections of business process models-current techniques and challenges","volume":"63","author":"Dijkman","year":"2012","journal-title":"Comput. Ind."},{"key":"10.1016\/j.infsof.2026.108168_b60","series-title":"European Semantic Web Conference","first-page":"481","article-title":"GDPRtEXT-GDPR as a linked data resource","author":"Pandit","year":"2018"},{"key":"10.1016\/j.infsof.2026.108168_b61","unstructured":"R. Iannella, S. Villata, ODRL information model 2.2 - W3C recommendation 15 February 2018. URL: https:\/\/www.w3.org\/TR\/2018\/REC-odrl-model-20180215\/."},{"key":"10.1016\/j.infsof.2026.108168_b62","series-title":"Usable and lawful: Can consent be both?","author":"Santos","year":"2024"},{"issue":"5","key":"10.1016\/j.infsof.2026.108168_b63","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1109\/MCC.2018.053711666","article-title":"User-centric privacy engineering for the internet of things","volume":"5","author":"Barhamgi","year":"2018","journal-title":"IEEE Cloud Comput."},{"issue":"1","key":"10.1016\/j.infsof.2026.108168_b64","doi-asserted-by":"crossref","first-page":"314","DOI":"10.56553\/popets-2024-0018","article-title":"Model-driven privacy","volume":"2024","author":"Krsti\u0107","year":"2024","journal-title":"Proc. Priv. Enhancing Technol."},{"key":"10.1016\/j.infsof.2026.108168_b65","series-title":"Proceedings of the ACM on Human-Computer Interaction","first-page":"1","article-title":"Dark patterns at scale: Findings from a crawl of 11k shopping websites","volume":"Vol. 3","author":"Mathur","year":"2019"},{"key":"10.1016\/j.infsof.2026.108168_b66","doi-asserted-by":"crossref","unstructured":"C.M. Gray, Y. Kou, B. Battles, J. Hoggatt, A.L. Toombs, The dark (patterns) side of UX design, in: Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, 2018, pp. 1\u201314.","DOI":"10.1145\/3173574.3174108"},{"key":"10.1016\/j.infsof.2026.108168_b67","unstructured":"European Data Protection Board, Guidelines 05\/2020 on consent under regulation 2016\/679 Version 1.1. URL: https:\/\/www.edpb.europa.eu\/sites\/default\/files\/files\/file1\/edpb_guidelines_202005_consent_en.pdf."},{"key":"10.1016\/j.infsof.2026.108168_b68","unstructured":"Commission Nationale de l\u2019Informatique et des Libert\u00e9s, Recommendations for mobile applications. URL: https:\/\/www.cnil.fr\/en\/mobile-applications-cnil-publishes-its-recommendations-better-privacy-protection."}],"container-title":["Information and Software Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0950584926001576?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0950584926001576?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T16:42:06Z","timestamp":1778776926000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0950584926001576"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,8]]},"references-count":68,"alternative-id":["S0950584926001576"],"URL":"https:\/\/doi.org\/10.1016\/j.infsof.2026.108168","relation":{},"ISSN":["0950-5849"],"issn-type":[{"value":"0950-5849","type":"print"}],"subject":[],"published":{"date-parts":[[2026,8]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Consent under control with ProPrivacy: Business process compliance verification for GDPR-consent requirements","name":"articletitle","label":"Article Title"},{"value":"Information and Software Technology","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.infsof.2026.108168","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 The Authors. Published by Elsevier B.V.","name":"copyright","label":"Copyright"}],"article-number":"108168"}}