{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T00:49:18Z","timestamp":1771634958341,"version":"3.50.1"},"reference-count":26,"publisher":"MDPI AG","issue":"21","license":[{"start":{"date-parts":[[2021,10,28]],"date-time":"2021-10-28T00:00:00Z","timestamp":1635379200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>The growing availability of mobile devices has led to an arising development of smart cities services that share a huge amount of (personal) information and data. Without accurate and verified management, they could become severe back-doors for security and privacy. In this paper, we propose a smart city infrastructure able to integrate a distributed privacy-preserving identity management solution based on attribute-based credentials (p-ABC), a user-centric Consent Manager, and a GDPR-based Access Control mechanism so as to guarantee the enforcement of the GDPR\u2019s provisions. Thus, the infrastructure supports the definition of specific purpose, collection of data, regulation of access to personal data, and users\u2019 consents, while ensuring selective and minimal disclosure of personal information as well as user\u2019s unlinkability across service and identity providers. 
The proposal has been implemented, integrated, and evaluated in a fully-fledged environment consisting of MiMurcia, the Smart City project for the city of Murcia, CaPe, an industrial consent management system, and GENERAL_D, an academic GDPR-based access control system, showing the feasibility.<\/jats:p>","DOI":"10.3390\/s21217154","type":"journal-article","created":{"date-parts":[[2021,10,28]],"date-time":"2021-10-28T23:52:35Z","timestamp":1635465155000},"page":"7154","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":19,"title":["Data Protection by Design in the Context of Smart Cities: A Consent and Access Control Proposal"],"prefix":"10.3390","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3073-6217","authenticated-orcid":false,"given":"Said","family":"Daoudagh","sequence":"first","affiliation":[{"name":"CNR-ISTI, 56124 Pisa, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4223-8036","authenticated-orcid":false,"given":"Eda","family":"Marchetti","sequence":"additional","affiliation":[{"name":"CNR-ISTI, 56124 Pisa, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2741-5543","authenticated-orcid":false,"given":"Vincenzo","family":"Savarino","sequence":"additional","affiliation":[{"name":"Engineering Ingegneria Informatica S.p.A., 90146 Palermo, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7538-4788","authenticated-orcid":false,"given":"Jorge Bernal","family":"Bernabe","sequence":"additional","affiliation":[{"name":"Department of Information and Communication Engineering, University of Murcia, 30100 Murcia, 
Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4898-1341","authenticated-orcid":false,"given":"Jes\u00fas","family":"Garc\u00eda-Rodr\u00edguez","sequence":"additional","affiliation":[{"name":"Department of Information and Communication Engineering, University of Murcia, 30100 Murcia, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2851-5706","authenticated-orcid":false,"given":"Rafael Torres","family":"Moreno","sequence":"additional","affiliation":[{"name":"Department of Information and Communication Engineering, University of Murcia, 30100 Murcia, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8270-9942","authenticated-orcid":false,"given":"Juan Antonio","family":"Martinez","sequence":"additional","affiliation":[{"name":"Department of Information and Communication Engineering, University of Murcia, 30100 Murcia, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5525-1259","authenticated-orcid":false,"given":"Antonio F.","family":"Skarmeta","sequence":"additional","affiliation":[{"name":"Department of Information and Communication Engineering, University of Murcia, 30100 Murcia, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2021,10,28]]},"reference":[{"key":"#cr-split#-ref_1.1","unstructured":"European Union (2016). Regulation"},{"key":"#cr-split#-ref_1.2","unstructured":"(EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). Off. J. Eur. 
Union, L119, 1-88."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"489","DOI":"10.1109\/COMST.2017.2748998","article-title":"Privacy in the Smart City\u2014Applications, Technologies, Challenges, and Solutions","volume":"20","author":"Eckhoff","year":"2018","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Neisse, R., Baldini, G., Steri, G., Miyake, Y., Kiyomoto, S., and Biswas, A.R. (2015, January 14\u201316). An agent-based framework for informed consent in the internet of things. Proceedings of the 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT), Milan, Italy.","DOI":"10.1109\/WF-IoT.2015.7389154"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"van Sinderen, M., and Maciaszek, L.A. (2019, January 26\u201328). Towards a Lawful Authorized Access: A Preliminary GDPR-based Authorized Access. Proceedings of the 14th International Conference on Software Technologies, ICSOFT 2019, Prague, Czech Republic.","DOI":"10.1007\/978-3-030-52991-8"},{"key":"ref_5","first-page":"332","article-title":"Accountability in the A Posteriori Access Control: A Requirement and a Mechanism","volume":"Volume 1266","author":"Dernaika","year":"2020","journal-title":"Proceedings of the Quality of Information and Communications Technology\u201413th International Conference, QUATIC 2020"},{"key":"ref_6","first-page":"3","article-title":"GDPR-Based User Stories in the Access Control Perspective","volume":"Volume 1010","author":"Piattini","year":"2019","journal-title":"Proceedings of the Quality of Information and Communications \u201412th International Conference, QUATIC 2019"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Carauta Ribeiro, R., and Dias Canedo, E. (2020, January 15\u201319). Using MCDA for Selecting Criteria of LGPD Compliant Personal Data Security. 
Proceedings of the dg.o \u201920: 21st Annual International Conference on Digital Government Research, Seoul, Korea.","DOI":"10.1145\/3396956.3398252"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Al-Turjman, F., Zahmatkesh, H., and Shahroze, R. (2019). An overview of security and privacy in smart cities\u2019 IoT communications. Trans. Emerg. Telecommun. Technol., e3677.","DOI":"10.1002\/ett.3677"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"102360","DOI":"10.1016\/j.scs.2020.102360","article-title":"Blockchain for smart cities: A review of architectures, integration trends and future research directions","volume":"61","author":"Bhushan","year":"2020","journal-title":"Sustain. Cities Soc."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Furnell, S., Mouratidis, H., and Pernul, G. (2018). Access Control Requirements for Physical Spaces Protected by Virtual Perimeters. Trust, Privacy and Security in Digital Business, Springer International Publishing.","DOI":"10.1007\/978-3-319-98385-1"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Haofeng, J., and Xiaorui, G. (July, January 29). Wi-Fi Secure Access Control System Based on Geo-fence. Proceedings of the 2019 IEEE Symposium on Computers and Communications (ISCC), Barcelona, Spain.","DOI":"10.1109\/ISCC47284.2019.8969707"},{"key":"ref_12","unstructured":"Fern\u00e1ndez-Gago, C., Martinelli, F., Pearson, S., and Agudo, I. (2013). Sensor Enhanced Access Control: Extending Traditional Access Control Models with Context-Awareness. Trust Management VII, Springer."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Davari, M., and Bertino, E. (2019, January 9\u201312). Access Control Model Extensions to Support Data Privacy Protection based on GDPR. 
Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA.","DOI":"10.1109\/BigData47090.2019.9006455"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/MC.2016.337","article-title":"Privacy as a Service: Protecting the Individual in Healthcare Data Processing","volume":"49","author":"Su","year":"2016","journal-title":"Computer"},{"key":"ref_15","unstructured":"OASIS (2021, July 30). eXtensible Access Control Markup Language (XACML) Version 3.0. Available online: http:\/\/docs.oasis-open.org\/xacml\/3.0\/xacml-3.0-core-spec-os-en.html."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Hardt, D. (2012). The OAuth 2.0 Authorization Framework, RFC Editor. Available online: https:\/\/www.rfc-editor.org\/rfc\/rfc6749.txt.","DOI":"10.17487\/rfc6749"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Camenisch, J., M\u00f6dersheim, S., and Sommer, D. (2010). A formal model of identity mixer. International Workshop on Formal Methods for Industrial Critical Systems, Springer.","DOI":"10.1007\/978-3-642-15898-8_13"},{"key":"ref_18","unstructured":"Paquin, C., and Zaverucha, G. (2011). U-Prove Cryptographic Specification v1.1, Microsoft Corporation. Technical Report."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Moreno, R.T., Rodr\u00edguez, J.G., L\u00f3pez, C.T., Bernabe, J.B., and Skarmeta, A. (2020, January 3). OLYMPUS: A distributed privacy-preserving identity management system. Proceedings of the 2020 Global Internet of Things Summit (GIoTS), Dublin, Ireland.","DOI":"10.1109\/GIOTS49054.2020.9119663"},{"key":"ref_20","unstructured":"Daoudagh, S. (2021). The GDPR Compliance through Access Control Systems. [Ph.D. Dissertation, University of Pisa]."},{"key":"ref_21","unstructured":"Mori, P., Lenzini, G., and Furnell, S. (2021, January 11\u201313). How to Improve the GDPR Compliance through Consent Management and Access Control. 
Proceedings of the 7th International Conference on Information Systems Security and Privacy, ICISSP 2021, Online Streaming."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Iggena, T., Bin Ilyas, E., Fischer, M., T\u00f6njes, R., Elsaleh, T., Rezvani, R., Pourshahrokhi, N., Bischof, S., Fernbach, A., and Xavier Parreira, J. (2021). IoTCrawler: Challenges and Solutions for Searching the Internet of Things. Sensors, 21.","DOI":"10.3390\/s21051559"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"250","DOI":"10.1016\/j.jpdc.2018.12.010","article-title":"Performance evaluation of FIWARE: A cloud-based IoT platform for smart cities","volume":"132","author":"Araujo","year":"2019","journal-title":"J. Parallel Distrib. Comput."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Salhofer, P. (2018, January 3\u20136). Evaluating the FIWARE Platform. Proceedings of the 51st Hawaii International Conference on System Sciences, Hilton Waikoloa Village, HI, USA.","DOI":"10.24251\/HICSS.2018.726"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"345","DOI":"10.1080\/00207160.2014.915316","article-title":"DCapBAC: Embedding authorization logic into smart things through ECC optimizations","volume":"93","author":"Jara","year":"2016","journal-title":"Int. J. Comput. 
Math."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/21\/7154\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:21:57Z","timestamp":1760167317000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/21\/21\/7154"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,28]]},"references-count":26,"journal-issue":{"issue":"21","published-online":{"date-parts":[[2021,11]]}},"alternative-id":["s21217154"],"URL":"https:\/\/doi.org\/10.3390\/s21217154","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,10,28]]}}}