2 - Joint data controller agreements
The responsibilities of data controllers in situations
where two or more data controllers jointly determine
the purposes and means of processing are outlined in
Article 26 of the GDPR. When data controllers act as
joint data controllers, they must transparently determine
how they will ensure GDPR-compliant treatment of data
subjects' personal data, and what each data controller's
relationship will be with data subjects.22 The joint
data controllers must then make the essence of their
arrangement available to data subjects.23
Members of a blockchain network would most likely
be joint data controllers, as most solutions will involve
members jointly determining the purposes and means of
processing data on the network to which they belong.
Creating a transparent and robust governance framework
will compel joint data controllers to determine their
respective responsibilities for compliance and their
relationships with the data subjects. Further, the
governance framework can either be made available
to data subjects or can require the creation of a
publicly available, high-level summary of the joint data
controllers' arrangement. By requiring the network
members to publish at least a summary of their
arrangement, a governance framework can enable
compliance with the Article 26 requirements.
3 - Restrictions on transferring personal data out of the EEA
Additionally, the governance framework would need
to facilitate GDPR-compliant data transfers outside of
the EEA. As discussed in Section 4.7, the GDPR restricts
transfers of personal data out of the EEA. However,
any global blockchain solution will likely involve the
processing of data outside of the EEA (and outside of the
countries currently the subject of an Adequacy Decision
by the European Commission). To resolve this conflict, a
governance framework could incorporate the European
Commission's model international data transfer clauses.
Since the governance framework will be agreed to by all
members of a blockchain network, inclusion of these
clauses into the governance framework will make the
model clauses a multilateral agreement. The Article 29
Working Party previously endorsed the inclusion of data
protection clauses into multilateral agreements as a
means to comply with restrictions on international
data transfers.24
By incorporating the model international data transfer
clauses into the overarching governance framework,
network members necessarily agree to treat personal data
in a way deemed sufficient by the European Commission,
thereby enabling all network members to transfer
personal data to other network members regardless of
where the members are located.
28 | GDPR and the Blockchain