2 - Joint data controller agreements

The responsibilities of data controllers in situations where two or more data controllers jointly determine the purposes and means of processing are outlined in Article 26 of the GDPR. When data controllers act as joint data controllers, they must transparently determine how they will ensure GDPR-compliant treatment of data subjects' personal data, and what each data controller's relationship will be with data subjects.22 The joint data controllers must then make the essence of their arrangement available to data subjects.23

Members of a blockchain network would most likely be joint data controllers, as most solutions will involve members jointly determining the purposes and means of processing data on the network to which they belong. Creating a transparent and robust governance framework will compel joint data controllers to determine their respective responsibilities for compliance and their relationships with the data subjects. Further, the governance framework can either be made available to data subjects or can require the creation of a publicly-available, high-level summary of the joint data controllers' arrangement. By requiring the network members to publish at least a summary of their arrangement, a governance framework can enable compliance with the Article 26 requirements.

3 - Restrictions on transferring personal data out of the EEA

Additionally, the governance framework would need to facilitate GDPR-compliant data transfers outside of the EEA. As discussed in Section 4.7, the GDPR restricts transfers of personal data out of the EEA. However, any global blockchain solution will likely involve the processing of data outside of the EEA (and outside of the countries currently the subject of an Adequacy Decision by the European Commission). To resolve this conflict, a governance framework could incorporate the European Commission's model international data transfer clauses. Since the governance framework will be agreed to by all members of a blockchain network, inclusion of these clauses into the governance framework will make the model clauses a multilateral agreement. The Article 29 Working Party previously endorsed the inclusion of data protection clauses into multilateral agreements as a means to comply with restrictions on international data transfers.24

By incorporating the model international data transfer clauses into the overarching governance framework, network members necessarily agree to treat personal data in a way deemed sufficient by the European Commission, thereby enabling all network members to transfer personal data to other network members regardless of where the members are located.

28 I GDPR and the Blockchain

