. Dlvsystem-s.r.l.-|-dlv,

, The Health Insurance Portability and Accountability Act (HIPAA), 2004.

, Addressing privacy requirements in system design: the PriS method, Requirements Engineering, vol.13, pp.241-255, 2008.

P. Ashley, S. Hada, G. Karjoth, C. Powers, and M. Schunter, Enterprise privacy authorization language (epal), IBM Research, 2003.

P. Ashley, S. Hada, G. Karjoth, and M. Schunter, E-p3p privacy policies and privacy authorization, Workshop on Privacy in the Electronic Society, pp.103-109, 2002.
DOI : 10.1145/644527.644538

T. D. Breaux, H. Hibshi, and A. Rao, Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements

P. Bresciani, P. Giorgini, F. Giunchiglia, J. Mylopoulos, and A. Perini, Tropos: an AgentOriented Software Development Methodology, JAAMAS, vol.8, issue.3, pp.203-236, 2004.
DOI : 10.1023/b:agnt.0000018806.20944.ef
URL : http://eprints.biblio.unitn.it/84/1/15.pdf

C. Cadwalladr and E. Graham-harrison, Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach, The Guardian, vol.17, 2018.

L. Cranor, M. Langheinrich, M. Marchiori, M. Presler-marshall, and J. Reagle, The platform for privacy preferences 1.0 (p3p1. 0) specification. W3C recommendation, p.16, 2002.

L. F. Cranor, Platform for Privacy Preferences (P3P), Encyclopedia of Cryptography and Security, pp.940-941, 2011.

F. Dalpiaz, E. Paja, and P. Giorgini, Security requirements engineering: designing secure sociotechnical systems, 2016.

, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union, vol.27, issue.59, 2016.

S. L. Garfinkel, De-Identification of Personal Information, 2015.

P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, Modeling security requirements through ownership, permission and delegation, Proceedings of 13th IEEE International Conference on Requirements Engineering, pp.167-176, 2005.
DOI : 10.1109/re.2005.43
URL : http://eprints.biblio.unitn.it/826/1/054.pdf

P. Giorgini, J. Mylopoulos, and R. Sebastiani, Goal-oriented requirements analysis and reasoning in the tropos methodology, Engineering Applications of AI, vol.18, issue.2, pp.159-171, 2005.

P. Guarda and N. Zannone, Towards the development of privacy-aware systems. Information and Software Technology 51, vol.2, pp.337-350, 2009.

S. Gürses, C. Troncoso, and C. Diaz, Engineering privacy by design, 2011.

Q. He and A. I. Antón, A framework for modeling privacy requirements in role engineering, Proc. of REFSQ, vol.3, pp.137-146, 2003.

J. H. Hoepman, IFIP International Information Security Conference, pp.446-459, 2014.

S. Ingolfo, A. Siena, and J. Mylopoulos, Goals and Compliance in Nomos 3. International Conference on Conceptual Modeling, pp.275-288, 2014.

N. Li, T. Li, and S. Venkatasubramanian, t-Closeness: Privacy Beyond k-Anonymity and lDiversity, IEEE 23rd International Conference on Data Engineering, pp.106-115, 2007.
DOI : 10.1109/icde.2007.367856
URL : http://www.cs.purdue.edu/homes/ninghui/papers/t_closeness_icde07.pdf

L. Liu, E. Yu, and J. Mylopoulos, Security and privacy requirements analysis within a social setting, 11th International Requirements Engineering Conf, pp.151-161, 2003.
DOI : 10.1109/icre.2003.1232746
URL : http://www.cs.toronto.edu/pub/eric/RE03.pdf

A. Machanavajjhala, D. Kifer, and J. Gehrke, l-Diversity: Privacy Beyond k-Anonymity, ACM Trans. Knowl. Discov. Data, vol.1, issue.52, 2007.
DOI : 10.1109/icde.2006.1
URL : http://www.cs.cornell.edu/people/dkifer/ldiversityTKDDdraft.pdf

T. Moses, Extensible access control markup language (xacml) version 2.0. Oasis Standard, 2005.

H. Mouratidis and P. Giorgini, Secure Tropos: A Security-Oriented Extension of the Tropos methodology, Int. J. Soft. Eng. Knowl. Eng, vol.17, issue.2, pp.285-309, 2007.

J. Park and R. Sandhu, The ucon abc usage control model, ACM Transactions on Information and System Security (TISSEC), vol.7, issue.1, pp.128-174, 2004.

M. Robol, M. Salnitri, and P. Giorgini, Toward GDPR-Compliant Socio-Technical Systems: modeling language and reasoning framework, 2017.
DOI : 10.1007/978-3-319-70241-4_16
URL : https://hal.archives-ouvertes.fr/hal-01765249

A. Siena, I. Jureta, S. Ingolfo, A. Susi, A. Perini et al., Capturing variability of law with nómos 2, ER, vol.7532, pp.383-396, 2012.

A. Siena, J. Mylopoulos, A. Perini, and A. Susi, Designing Law-Compliant Software Requirements, pp.472-486, 2009.
DOI : 10.1007/978-3-642-04840-1_35

A. Siena and A. Susi, Engineering Law-Compliant Requirements -The Nomos Framework, 2010.
DOI : 10.1007/978-3-642-04840-1_35

D. J. Solove, A Taxonomy of Privacy, 2005.

D. J. Solove, Introduction: Privacy self-management and the consent dilemma, Harv. L. Rev, vol.126, issue.7, p.1880, 2012.

S. Spiekermann and L. Cranor, Engineering Privacy, IEEE Transactions on Software Engineering, vol.35, issue.1, pp.67-82, 2009.

L. Sweeney, k-Anonymity: a Model for Protecting Privacy, Fuzziness and Knowledge-Based Systems, vol.10, issue.5, pp.557-570, 2002.

A. Van-lamsweerde, R. Darimont, and E. Letier, Managing conflicts in goal-driven requirements engineering, IEEE transactions on Software Engineering, vol.24, issue.11, pp.908-926, 1998.

E. Yu, Modelling strategic relationships for process reengineering, Social Modeling for Requirements Engineering, vol.11, 2011.