Security and privacy are essential for business processes (BPs). In particular, BPs dealing with personally-identifiable information require mechanisms to give data owners control over their data. Currently, business-process-management systems (BPMSs) lack security features important for BPs in SOA. We propose a language sufficiently broad to formulate security constraints. In addition, we considerably ease how data owners can control their security, privacy and trust preferences at process runtime. The BPMS extensions we have implemented transform security-enhanced BPMN schemas into executable secure processes in a versatile manner.