4 - Fair processing notices
Lastly, the creation of a governance framework will
enable network members to comply with Articles 13
and 14 of the GDPR, which oblige data controllers to
provide data subjects with fair processing information
(i.e. privacy notices). The obligation to provide fair
processing information is triggered either when personal
data is collected directly from the data subject, or indeed
when personal data is obtained from someone other
than the data subject.25 In either case, the data controller
must provide data subjects with certain categories of
information, including the contact information of the
data controller, the purposes for which the data are being
processed, the recipients of the personal data, and the
data controller's intent to transfer personal data to certain
third countries.26 Additionally, the data controllers must
remind the data subjects of their rights under the GDPR,
including their rights to request access to and rectification
or erasure of personal data.27
A clear governance framework would enable network
members to operate the network in coordination while
clarifying each member's role in the network. This
framework provides the means for members to easily
identify which of them must provide fair processing
information and uphold data subjects' other rights.
The framework solution allows members to create
a cumulative document containing the information
required by Articles 13 and 14 for each data controller.
Lastly, the framework can obligate network members
to make this information available to the public, either
by requiring the members to create and maintain an
easily accessible website disclosing the fair processing
information, or by requiring the members to individually
(or collectively) provide fair processing information to any
data subjects whose data the members collect and obtain.
B - Building the governance framework: key requirements
A complete catalogue of everything that should be
addressed in a contractual governance framework for a
blockchain network is beyond the scope of this paper. For
example, a governance framework should also deal with
various issues not related to data protection, such as rules
around joining or exiting the network, audit requirements
and practices, ownership of intellectual property and
rights in blockchain data, permitted and prohibited
conduct, remediation requirements when governance
violations are identified, dispute resolution, and governing
law and jurisdiction (to name but a few). From a
data protection and privacy perspective, the governance
framework should:
• be contractually binding on all participants in the
blockchain network;
• implement the GDPR-required provisions for data
processing, joint controllers, the model clauses for
transferring personal data outside the EEA, and the
making available of fair processing notices;
• establish a process for data subjects to exercise their
rights under the GDPR, including a procedure to notify
other data controllers to delete personal data when
a request is received by one network member (see
below); and
• provide mechanisms to achieve data minimisation,
privacy by design and risk mitigation, and to permit the
removal of personal data that is no longer required
(see below).
GDPR and the Blockchain I 29