4.6
Rights of individuals
The GDPR builds upon the principles discussed above in a
set of detailed rights for individuals. Within the context of
blockchain applications, the most pertinent of these are:
• the right to erasure (commonly referred to as the
right to be forgotten), which gives individuals a right
to request that certain (usually outdated) information
about them be deleted; and
• the right to rectification, which allows individuals to
have incorrect data referring to them corrected.
A
The right to erasure
Article 17 of the GDPR gives individuals a qualified right
to request that a data controller erase personal data
about them without undue delay. There is a defined list
of circumstances in which a controller will be obliged
to erase personal data about an individual who submits
an erasure request. Most commonly, the right to erasure
applies where the personal data are no longer necessary
in relation to the purposes for which they were collected
or otherwise processed. As a result, personal data that
are still required for the purposes for which they were
originally collected can, in most instances, be retained by
the data controller.
The obligation to erase personal data also includes a
number of exceptions, among them:
• where retention is required by EU or EU Member
State law (for example, statutory record keeping
obligations);9 and
• where retention is necessary for the establishment,
exercise or defence of legal claims.10
B
The right to rectification
Article 16 of the GDPR provides data subjects with an
unqualified right to "obtain from the controller without
undue delay the rectification of inaccurate personal data
concerning" them. It is important to note that the article
goes on to say: "[t]aking into account the purposes of
the processing, the data subject shall have the right to
have incomplete personal data completed, including by
means of providing a supplementary statement," which
may well be helpful in the context of blockchain solutions
struggling with the concept of rectification.
18 I GDPR and the Blockchain