The invention relates to end user controlled handling of personal data on e.g. the Internet. Web services are offered in a controlled manner from a service broker (250) provided with appropriate security mechanisms. The broker contains end user controlled policies related to personal data/services, while the actual data is arranged at different locations in the network. Web service information is published in an open registry (256) at the broker. When an application provider (220) finds a desired service in the registry, its service request is guided to the appropriate service broker. The broker returns the policy for the requested service, whereafter the service provider (240) can be contacted, preferably through an encapsulated SOAP message. A preferred embodiment performs common sign on authentication when a new application is contacted.