4.4 Controllers and processors

Entities processing personal data under the GDPR fall into one of two categories: data controllers or data processors. A data controller is an entity that, alone or with another data controller, has primary responsibility over the processing of personal data, and who determines the manner in which, and the purposes for which, the personal data is processed. A data processor, on the other hand, processes personal data on behalf of a data controller, under mandatory contractual provisions set out in the GDPR.

The legal terminology used in the GDPR, including the notion of data controllers and data processors, was designed with a clear division of responsibilities in mind. However, in a blockchain ecosystem, where decentralisation is key, the variety of stakeholders makes the controller/processor differentiation particularly complex. This is considered further in the following section of this paper.

4.5 Privacy by design

In addition to the above principles, the GDPR includes an overarching obligation on data controllers to move towards data protection by design and by default (so-called privacy by design).8 To achieve privacy by design, data controllers under the GDPR must implement appropriate technical and organisational measures which ensure that, by default, data protection is integrated into all personal data processing activities and business practices, from the initial design stage onwards.

The GDPR's aim through privacy by design is to change organisational attitudes to the protection of personal data, by making it a pervasive issue that is considered by organisations as a matter of course during their business as usual practices. In that light, it should also be noted that:

… when creating solutions based around new technologies (such as blockchain) that pose a potential high risk to individuals' rights or freedoms, there is a specific obligation to conduct a risk assessment known as a Data Protection Impact Assessment (DPIA).

GDPR and the Blockchain I 17
