Model-based Privacy Analysis in Industrial Ecosystems Amir Shayan Ahmadian 1 , Daniel Str¨ uber 1 , Volker Riediger 1 , Jan J¨ urjens 1,2 1 Institute for Software Technology, University of Koblenz-Landau, Germany 2 Fraunhofer-Institute for Software and Systems Engineering ISST, Germany ahmadian@uni-koblenz.de, strueber@uni-koblenz.de riediger@uni-koblenz.de, http://jan.jurjens.de Abstract. Article 25 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing and the free movement of personal data, refers to data protection by design and by default. Pri- vacy and data protection by design implies that IT systems need to be adapted or focused to technically support privacy and data protection. To this end, we need to verify whether security and privacy are supported by a system, or any change in the design of the system is required. In this paper, we provide a model-based privacy analysis approach to analyze IT systems that provide IT services to service customers. An IT service may rely on different enterprises to process the data that is provided by service customers. Therefore, our approach is modular in the sense that it analyzes the system design of each enterprise individually. The approach is based on the four privacy fundamental elements, namely purpose, vis- ibility, granularity, and retention. We present an implementation of the approach based on the CARiSMA tool. To evaluate our approach, we apply it to an industrial case study. 1 Introduction A main problem for IT service providers is to avoid data breaches and provide data protection. According to a global survey [1], 88% of people are concerned about who can access their private data. In Germany, 72% of people expect the government to keep out of their personal data. Article 25 of Regulation (EU) 2016/679 refers to data protection by design and by default [3]. This requires that service providers verify if the required pri- vacy levels are fulfilled according to legal requirements and customers' privacy preferences. Furthermore, they must implement appropriate technical and orga- nizational measures in an effective manner, and integrate proper safeguards into the processing to support such requirements. There exist a range of privacy enhancing technologies (PETs) [6,23,16,15,14], which provide strong privacy guarantees in different domains. However, accord- ing to Spiekermann [29,28], privacy and data protection by design and by default are powerful terms, and include more than the process of uptaking a few PETs. Cavoukian [10], who first introduced the term privacy by design (PbD), defines