Page 0029


Four reasons why the GDPR

makes a contractual governance

framework necessary

1 - Data processing agreements

As mentioned in Section 4.4, the decentralised nature of

blockchain makes the controller/processor analysis in a

blockchain network relatively complex. While it is obvious

that network members who actively upload personal data

to a network are data controllers, there is much debate

about whether members who merely operate nodes

processing data on behalf of other participants in the

network should be considered data processors or data

controllers.17 One argument is that these members are

data processors because they do not determine the means

of processing, they only passively provide computational

power needed to process the data.18 Conversely, it is

argued that these members are data controllers because

they actively choose to download and run the software

used to process the personal data, thereby contributing

to the decision of how the data is processed.19 We do not

pass judgment on which of these arguments is better,

we merely note:

• the decentralised nature of blockchain makes

distinguishing between who is a data controller and

who is a data processor difficult; and

• it is important to determine whether a member is

a data controller or a data processor, as the GDPR

imposes different responsibilities on each of them.

Both the French data protection regulator (CNIL),

and the European Union Blockchain Observatory and

Forum, recommend identifying data controllers as soon

as possible when creating a blockchain network.20

Blockchain network members can heed this advice

by creating and agreeing to a contractually binding

governance framework at the time of creation of a

blockchain network. This governance framework would

clearly delineate the roles of all network members,

including members that join after the blockchain network

is established. Such a governance framework should

clearly identify which members will be uploading data

onto the network, and which members only passively

participate in the network. In this way, the governance

framework can provide more clarity about which network

members are data controllers, and which are

data processors.

If the network includes data processors, then this

contractually binding governance framework must also

include the provisions contained in Article 28 of the

GDPR, which require data processors and data controllers

to document the subject-matter and duration of the

processing, the nature and purpose of the processing,

the type of personal data and categories of data

subjects implicated by the data processor's processing.21

Additionally, the Article 28 provisions require data

processors to agree that, among other things, they will

only process personal data on documented instructions

from a data controller and will preserve the confidentiality

of the data.

GDPR and the Blockchain I 27


  1. Page 0001
  2. Page 0002
  3. Page 0003
  4. Page 0004
  5. Page 0005
  6. Page 0006
  7. Page 0007
  8. Page 0008
  9. Page 0009
  10. Page 0010
  11. Page 0011
  12. Page 0012
  13. Page 0013
  14. Page 0014
  15. Page 0015
  16. Page 0016
  17. Page 0017
  18. Page 0018
  19. Page 0019
  20. Page 0020
  21. Page 0021
  22. Page 0022
  23. Page 0023
  24. Page 0024
  25. Page 0025
  26. Page 0026
  27. Page 0027
  28. Page 0028
  29. Page 0029
  30. Page 0030
  31. Page 0031
  32. Page 0032
  33. Page 0033
  34. Page 0034
  35. Page 0035
  36. Page 0036
  37. Page 0037
  38. Page 0038
  39. Page 0039
  40. Page 0040
  41. Page 0041
  42. Page 0042
  43. Page 0043
  44. Page 0044
  45. Page 0045
  46. Page 0046
  47. Page 0047
  48. Page 0048
  49. Page 0049
  50. Page 0050
  51. Page 0051
  52. Page 0052