Title: Towards Building GDPR-Friendly Consent Management Systems on Top of Self-Sovereign Identity Ecosystems

Authors: Schramm, Julia; Eichinger, Tobias; Roßnagel, Heiko; Schunck, Christian H.; Sousa, Filipe

Dates: 2024-06-07; 2024-06-07; 2024

Type: Text/Conference Paper

Language: en

ISBN: 978-3-88579-744-9

ISSN: 1617-5468

DOI: 10.18420/OID2024_08

URL: https://dl.gi.de/handle/20.500.12116/44107

Keywords: Consent Management System; User-centric; Self-Sovereign Identity; GDPR; Identity Management System; Storage Limitation

Abstract: Consent is a legal basis that legitimizes the processing of personal data under the General Data Protection Regulation (GDPR). Implementing consent management systems in a GDPR-compliant fashion has proven difficult. A major pain point of current implementations is that users only have insufficient means to prove that they withdrew consent. Controllers can, therefore, plausibly deny having received a notification of consent withdrawal, and it is thus at their discretion to continue the processing of personal data against the user's will. As a remedy, it has been proposed to log consent withdrawal events in blockchains to make them non-repudiable by controllers. This approach is typically at odds with the GDPR's fundamental principle of Storage Limitation. The issue is that a consent withdrawal event has to permit identification of the user who submitted it, yet only until the controller has received it. However, if such events are logged in a blockchain, identification is possible indefinitely, as blockchains are append-only databases that do not facilitate deletion. In the paper at hand, we alleviate this issue and present work in progress on a consent management system in which users (i) give consent by issuing a verifiable credential to a controller and (ii) withdraw consent by revoking it. These two functions are natively provided in Self-Sovereign Identity (SSI) ecosystems.