Consent Management: User Control in the EUDI Wallet

Consent management in the EUDI Wallet ecosystem refers to the complete system that ensures users maintain full control over their personal data sharing. It encompasses the user interface for reviewing and approving data requests, the technical mechanisms for selective disclosure, the logging of consent decisions, and the ability to review past sharing history. This system implements the GDPR requirements for informed, specific, freely given, and unambiguous consent before any personal data is processed.

Every credential presentation in the EUDI Wallet follows a structured consent flow designed to give users full transparency and control:

• 1.Request reception: The wallet receives a presentation request from a relying party. This request specifies which credential attributes are needed and includes the relying party's verified identity (through their certificate on the EU Trusted List).
• 2.Request validation: The wallet verifies the relying party's identity and checks whether the requested attributes are proportionate to the stated purpose. Suspicious or excessive requests may be flagged.
• 3.Consent screen: The wallet displays a clear, user-friendly consent screen showing the verifier's name and logo, each requested attribute (e.g., name, date of birth, address), the stated purpose, and which attributes are mandatory versus optional.
• 4.User decision: The user can approve the full request, selectively deselect optional attributes, or deny the request entirely. The wallet cannot share data without this explicit approval step.
• 5.Consent logging: The wallet records the decision -- what was shared, with whom, when, and for what purpose -- in a tamper-evident consent log that the user can review at any time.

The EUDI Wallet consent management system directly implements several GDPR principles:

Informed consent (Article 7): The wallet must clearly communicate who is requesting data and why before the user decides. The relying party's verified identity is displayed, along with the specific purpose. Vague or misleading purpose statements are not permitted under the framework.

Purpose limitation (Article 5(1)(b)): Data shared through the wallet can only be used for the stated purpose. The consent log creates an auditable record that enables enforcement of purpose limitation. If a relying party uses the data for a different purpose, the user has evidence to file a complaint with their data protection authority.

Data minimization (Article 5(1)(c)): Through selective disclosure, users can share only the minimum data necessary. For example, when a bar needs to verify someone is over 18, the wallet can share just a yes/no age verification without revealing the exact date of birth, name, or address.

Freely given consent: The EUDI Wallet ensures consent is genuinely free by allowing users to reject requests without penalty from the wallet itself. The eIDAS 2.0 regulation also prohibits conditioning access to essential services on sharing unnecessary personal data.

A key feature of EUDI Wallet consent management is the consent history dashboard. This provides users with a complete overview of all their data sharing transactions, including the date and time of each sharing event, the identity of the relying party, the specific attributes that were shared, and the stated purpose. This transparency enables users to exercise their GDPR rights, such as requesting data deletion from specific parties or filing complaints about data misuse.

The consent dashboard also helps users detect unauthorized use of their credentials. If the log shows a sharing event the user does not recognize, it may indicate their device has been compromised, prompting them to revoke their credentials and secure their wallet.