
I'm stuck with one small part of my project. The main idea of the project is:

  • There are a customer, a bank and a shop as actors.
  • A customer wants to make an order but before he/she does it, the bank needs to check if the customer is on a blacklist.
  • If he/she is not, the bank puts the customer's and shop's details in a file and at the same time sends a credit note to the shop.

The next part makes me confused: customer personal information should be protected following the General Data Protection Regulation (GDPR).

How can I implement this part in my diagram?


1 Answer

First of all, the use-case diagram is about user goals. Use-case diagrams do not describe the order in which things happen, so "before", "after" and "at the same time" have no effect on the diagram. If you're interested in the sequence of events, you should consider an activity diagram (i.e. flow of actions) or a sequence diagram (scenario).

So what I understand from your narrative is that:

  • actor User, in relation with the actor Shop (but is it really an actor?), has a use-case Order something
  • actor Shop (but is it really an actor, or does your system ensure this?), in relation with the actor Bank, has a use-case Control payment (make sure that the customer is not a known terrorist and also ensure that the customer has the money needed, probably in relation with the customer's bank).

The information you provide is probably very incomplete, so I leave the precise design of the use-case to you as an exercise.

The GDPR requirements do not influence your use-case model at all: they do not change the goals, and they do not change the involved parties.

What might be influenced is the activity diagram and the class diagram:

  • the GDPR requires, among other things, privacy by design. So you cannot provide the bank with details that it does not need to know (e.g. what the customer purchased).
  • the shop is not allowed to get the blacklist either! The control of the blacklist is done by banks, so that the shop owner will not be tempted to refuse a sale just because of some similar naming.

The only thing that could possibly influence your process is consent. Giving consent and managing privacy could be a separate use-case, since it's a right given by the law and one that some users want to exercise. For example, the customer consents that his/her data is provided to another party. But in your case, it doesn't seem a big deal: in the case of a payment by the bank, this seems an obligation, and the blacklist is in general a legal obligation not related to consent. So it will not impact your design, but only the wording of your privacy statement. So it seems that for you, GDPR will be more a legal matter to check with a legal expert than an engineering one.

Christophe
  • Christophe thank you so much! Yes, the description is pretty long, I've tried my best to shorten it so it wouldn't be too tiring. But your answer helped me a lot! – Viktorija Popova Jan 08 '21 at 19:43
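The privacy-by-design point in the answer (the bank gets only what it needs to decide, and the shop never sees the blacklist, only an accept/decline result) can be shown as a small class design. The following is an added example written for this page, not code from the question or the answer, and every class, field and method name in it is an assumption made for illustration rather than any real bank or shop API.

```python
"""Data-minimising payment check between a Shop and a Bank.

Added illustration for the answer above; not code from the original post.
All names here (Customer, Order, PaymentCheckRequest, Bank, Shop) are
assumptions for the example, not a specification of a real system.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    address: str
    account_number: str


@dataclass(frozen=True)
class Order:
    order_id: str
    customer: Customer
    shop_id: str
    items: List[str]   # what was bought: the bank does not need this
    total: int         # amount in minor units (e.g. cents)


@dataclass(frozen=True)
class PaymentCheckRequest:
    """Only the fields the bank needs to decide: no name, address or items."""
    customer_id: str
    account_number: str
    shop_id: str
    amount: int


class Bank:
    """Owns the blacklist privately and returns only a yes/no decision.

    A single 'declined' outcome is used for both the blacklist hit and the
    insufficient-funds case, so the shop cannot infer blacklist membership.
    """

    def __init__(self, blacklist: List[str], balances: Dict[str, int]) -> None:
        self._blacklist = set(blacklist)          # never exposed to the shop
        self._balances = dict(balances)
        self.records: List[Dict[str, object]] = []       # the "file" from the question
        self.credit_notes: List[Dict[str, object]] = []  # credit notes sent to shops

    def check_payment(self, req: PaymentCheckRequest) -> bool:
        if req.customer_id in self._blacklist:
            return False
        if self._balances.get(req.account_number, 0) < req.amount:
            return False
        self._balances[req.account_number] -= req.amount
        # The stored record holds identifiers and amount only, not purchase details.
        self.records.append({"customer_id": req.customer_id,
                             "shop_id": req.shop_id, "amount": req.amount})
        self.credit_notes.append({"shop_id": req.shop_id, "amount": req.amount})
        return True


class Shop:
    """Builds the minimal request; has no access to the blacklist."""

    def __init__(self, shop_id: str, bank: Bank) -> None:
        self.shop_id = shop_id
        self._bank = bank
        self.completed: List[str] = []

    @staticmethod
    def minimise(order: Order) -> PaymentCheckRequest:
        # Strip everything the bank has no need to know before it leaves the shop.
        return PaymentCheckRequest(
            customer_id=order.customer.customer_id,
            account_number=order.customer.account_number,
            shop_id=order.shop_id,
            amount=order.total,
        )

    def place_order(self, order: Order) -> bool:
        approved = self._bank.check_payment(self.minimise(order))
        if approved:
            self.completed.append(order.order_id)
        return approved


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    bank = Bank(blacklist=["c-002"], balances={"acct-1": 5000, "acct-2": 5000})
    shop = Shop("shop-1", bank)
    alice = Customer("c-001", "Alice", "1 Main St", "acct-1")
    print(shop.place_order(Order("o-1", alice, "shop-1", ["book", "pen"], 1500)))
```

The shape of PaymentCheckRequest is the design decision the class diagram would show: the purchase list and postal address stay on the shop side, the blacklist stays on the bank side, and the only thing crossing the boundary in the other direction is a boolean.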