Blockchain vs. GDPR

1. Blockchain vs. GDPR 5 June 2019, Ministry of Industry and Trade

2. Blockchain vs. GDPR „Blockchains are tamper evident and tamper resistant digital ledgers implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority (i.e., a bank, company, or government). At their basic level, they enable a community of users to record transactions in a shared ledger within that community, such that under normal operation of the blockchain network no transaction can be changed once published.“ • Accuracy • Art. 5 (1) (d) GDPR: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; • Storage limitation • Art. 5 (1) (e) GDPR: Personal data shall bekept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed[…]; Right to rectification Art. 16 GDPR: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. […] Right to erasure = right to be forgotten Art. 17 GDPR: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies […]; • Privacy by design & default • Art. 25 (2) GDPR: The controller shall implement appropriate technical and organisational measures […] In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. Blockchain vs. GDPR: tensions Does GDPR apply to blockchain? • When a blockchain contains personal data, the GDPR is applicable. Main issues concerning GDPR • Personal data, pseudonymous and anonymous data • Data controllers and processors • Lawfulness of data processing • Obligation to inform and rights of the data subjects • DPIA • Security • Privacy by design & by default

4. Blockchain vs. GDPR: accountability Data controller • A person who makes entries (i.e. make a transaction for which a validation is requested) • A person who decides to submit the data for validation to miners Joint data controllers? Data processor • Smart contract developer • How about miners?

5. Blockchain vs. GDPR: data subjects‘ rights Right to erasure vs. blockchain principle of irreversibility • Use cryptographic techniques  make data quasi-inaccessible (e.g. removal of a private key from a hash) • Do not store data as plaintext Right to rectification vs. blockchain principle of irreversibility • A new block describing the change Automated decision making (incl. profiling) • Provide for the possibility of human intervention

6. Blockchain vs. GDPR: good friends? GDPR requirements • Data transparency • Data auditability • Access control • Security Blockchain • Decentralized data storage • Blockchain-based identity management 

7. Blockchain: question marks

8. People & Technology Jaroslav Tajbr Of Counsel, Prague T +420 221662 241 E jaroslav.tajbr@squirepb.com Hana Gawlasová Partner, Prague T +420 221 662 240 E hana.gawlasova@squirepb.com Petra Věžníková Associate, Prague T +420 221 662 242 E petra.veznikova@squirepb.com Jiří Chejn Junior Associate, Prague T +420 221 662 150 E jiri.chejn@squirepb.com