Page 0036

For example, suppose the statement: "Ms X has entered

internationally sanctioned Country Y on a business visa"

is recorded in your database. If this statement about

Ms X is incorrect and Ms X and her business are, in fact,

prohibited under international sanctions from conducting

business in Country Y, Ms X might reasonably submit a

request to you that the incorrect statement be corrected.

It is by no means certain that a regulator or a court would

regard it as a sufficient rectification if you were simply to

update your database to say: "Ms X did not enter Country

Y on a business visa. This statement is actually incorrect;

Ms X has not done business in a country subject to

international sanctions." Indeed, Ms X may well not

be satisfied with this and demand that all evidence of

the initial statement to be deleted and replaced with a

correct statement.

By contrast, however, there may be cases where it is not

appropriate to erase personal data, even if incorrect, in

order to replace it with correct information. One example

is data that serves an evidential purpose, such as a

signed contract. It may not be appropriate to modify a

signed contract to, for example, correct a mistake in the

job title of an individual named in the contract. It may

be preferable to attach a clarificatory statement to the

contract, so that the contract can still serve as evidence of

the exact, unaltered terms of the agreement the parties to

the contract reached.

It is unclear whether a regulator or a court would ever

regard a supplementary statement as sufficient to

comply with the Article 16 GDPR right to rectification

of inaccurate personal data. Unfortunately this is an

area where there is no reliable guidance from regulators,

making it a further issue on which we would urge the

relevant regulatory bodies to provide clear guidance on.

3 - Potential solution: Rectification by deletion

To the extent it is not possible to comply with the

obligation to rectify incorrect personal data by a

supplementary statement, it would be necessary to

look to the methods outlined above to enable deletion

of incorrect personal data (for example, deletion by

encryption) followed by addition of the correct personal

data to the blockchain. Because a data subject might

request that incorrect personal data about them of any

age be rectified, pruning of the blockchain may not offer

an effective solution.

Pending guidance from a data protection regulator that in

certain circumstances a supplementary statement might

be sufficient, it is prudent to ensure any GDPR-governed

blockchain solution facilitates the effective deletion of

incorrect personal data and permits correct personal data

to be substituted in its place.

34 I GDPR and the Blockchain


  1. Page 0001
  2. Page 0002
  3. Page 0003
  4. Page 0004
  5. Page 0005
  6. Page 0006
  7. Page 0007
  8. Page 0008
  9. Page 0009
  10. Page 0010
  11. Page 0011
  12. Page 0012
  13. Page 0013
  14. Page 0014
  15. Page 0015
  16. Page 0016
  17. Page 0017
  18. Page 0018
  19. Page 0019
  20. Page 0020
  21. Page 0021
  22. Page 0022
  23. Page 0023
  24. Page 0024
  25. Page 0025
  26. Page 0026
  27. Page 0027
  28. Page 0028
  29. Page 0029
  30. Page 0030
  31. Page 0031
  32. Page 0032
  33. Page 0033
  34. Page 0034
  35. Page 0035
  36. Page 0036
  37. Page 0037
  38. Page 0038
  39. Page 0039
  40. Page 0040
  41. Page 0041
  42. Page 0042
  43. Page 0043
  44. Page 0044
  45. Page 0045
  46. Page 0046
  47. Page 0047
  48. Page 0048
  49. Page 0049
  50. Page 0050
  51. Page 0051
  52. Page 0052