A
Four reasons why the GDPR makes a contractual governance framework necessary
1 - Data processing agreements
As mentioned in Section 4.4, the decentralised nature of
blockchain makes the controller/processor analysis in a
blockchain network relatively complex. While it is obvious
that network members who actively upload personal data
to a network are data controllers, there is much debate
about whether members who merely operate nodes
processing data on behalf of other participants in the
network should be considered data processors or data
controllers.17 One argument is that these members are
data processors because they do not determine the means
of processing; they only passively provide the computational
power needed to process the data.18 Conversely, it is
argued that these members are data controllers because
they actively choose to download and run the software
used to process the personal data, thereby contributing
to the decision of how the data is processed.19 We do not
pass judgment on which of these arguments is better;
we merely note:
• the decentralised nature of blockchain makes
distinguishing between who is a data controller and
who is a data processor difficult; and
• it is important to determine whether a member is
a data controller or a data processor, as the GDPR
imposes different responsibilities on each of them.
Both the French data protection regulator (CNIL),
and the European Union Blockchain Observatory and
Forum, recommend identifying data controllers as soon
as possible when creating a blockchain network.20
Blockchain network members can heed this advice
by creating and agreeing to a contractually binding
governance framework at the time of creation of a
blockchain network. This governance framework would
clearly delineate the roles of all network members,
including members that join after the blockchain network
is established. Such a governance framework should
clearly identify which members will be uploading data
onto the network, and which members only passively
participate in the network. In this way, the governance
framework can provide more clarity about which network
members are data controllers, and which are
data processors.
If the network includes data processors, then this
contractually binding governance framework must also
include the provisions contained in Article 28 of the
GDPR, which require data processors and data controllers
to document the subject-matter and duration of the
processing, the nature and purpose of the processing, and
the type of personal data and categories of data
subjects implicated by the data processor's processing.21
Additionally, the Article 28 provisions require data
processors to agree that, among other things, they will
only process personal data on documented instructions
from a data controller and will preserve the confidentiality
of the data.
GDPR and the Blockchain | 27