4.7
International transfers of
personal data
Given the global nature of many blockchain solutions,
it is also important to consider restrictions on
international transfers of personal data under the GDPR.
The GDPR provides that personal data may only be
transferred outside the EEA where the transfer is:
• to a country that the European Commission
has determined provides an adequate level of
protection for individuals' personal data (known as
an adequacy decision);11
• to a third party subject to appropriate safeguards under
the GDPR, which is usually established by the transferor
and the transferee agreeing to a contract containing
the European Commission's model international data
transfer clauses;
• to a company that is subject to binding corporate rules
approved by a European data protection regulator; or
• in one of a defined list of specific situations set out in
the GDPR, such as where the data subject has explicitly
consented to the transfer or where the transfer is
necessary for the performance of a contract with the
data subject.
In practice, commercial parties seeking to transfer
personal data outside the EEA to a country that is not the
subject of an adequacy decision will usually enter into
an agreement that includes the European Commission's
model data protection clauses.
A GDPR governed blockchain solution which
transfers personal data to participants around the
world should therefore provide for the transferor
and transferee agreeing to the model data protection
clauses as part of the governance provisions.
GDPR and the Blockchain I 19