Applicability of GDPR to securities tokenization
Securities tokenization involves converting the ownership rights of a financial asset, such as stocks, bonds, or real estate, into a digital token on a blockchain or DLT platform. This process can involve the collection, processing, and storage of personal data, making GDPR considerations relevant.
Â
Personal data in tokenization processes
During the tokenization of securities, various types of personal data may be collected and processed. This data is typically associated with the investors or participants in the tokenization process. Here are examples of the personal data that might be collected:
Identification Information: This includes full names, addresses, national identification numbers, passport numbers, and other government-issued identification details that can be used to verify the identity of an individual.
Contact information: Email addresses, phone numbers, and residential addresses are collected to maintain communication with the investors.
Financial information: Bank account details, payment card information, and other financial data necessary for processing investments and distributing returns.
Investment details: Information about the amount invested, the type of securities purchased, and the ownership stake represented by the tokens.
Transaction history: Records of transactions, including dates, amounts, and the nature of the transactions, which may be necessary for accounting, reporting, and regulatory compliance.
Tax information: Tax identification numbers and related information that may be required for tax reporting and compliance with tax laws.
Employment information: For certain types of investments, information about the investor's employment status, employer, and occupation may be collected as part of Know Your Customer (KYC) or Anti-Money Laundering (AML) compliance.
KYC documentation: Copies of documents used for KYC purposes, such as utility bills for proof of address or scanned copies of identification documents.
Digital Wallet Information: Details of the investors' digital wallets, including public keys or addresses, which are necessary for the allocation and transfer of digital tokens representing the securities.
IP Addresses and Technical Data: When investors interact with tokenization platforms online, their IP addresses, device information, and other technical data may be collected for security and fraud prevention purposes.
It's important to note that the collection and processing of personal data in the context of securities tokenization must comply with data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union. This means that data must be processed lawfully, transparently, and for specified purposes, and individuals have rights regarding their personal data, including the right to access, rectify, or erase their data under certain conditions.
Â
Data protection impact assessments (DPIAs)
For tokenization projects that are likely to result in a high risk to the rights and freedoms of natural persons, conducting a Data Protection Impact Assessment (DPIA) may be required under the GDPR (Article 35). This involves assessing the impact of the proposed data processing operations on the protection of personal data and implementing measures to mitigate those risks.
Â
Cross-border data transfers
Securities tokenization often involves cross-border data transfers, especially in a global investment landscape. The GDPR imposes restrictions on transferring personal data outside the EU/EEA to ensure the level of data protection is not undermined. Compliance with these rules, through mechanisms like adequacy decisions, Binding Corporate Rules (BCRs), or Standard Contractual Clauses (SCCs), is crucial for international tokenization projects.
Â
Rights of data subjects
The GDPR grants several rights to individuals, known as data subjects, regarding their personal data. These rights include access to data, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing, and rights related to automated decision-making and profiling (Articles 15-22). Token issuers and platforms must ensure mechanisms are in place to honour these rights.
Â
Personal data stored on a DLT
Ensuring compliance with the General Data Protection Regulation (GDPR) when personal data is collected during a tokenization process and then stored on Distributed Ledger Technology (DLT) involves several key considerations and steps. The GDPR is designed to protect the privacy and personal data of EU citizens and applies to any organization, regardless of its location, that processes the personal data of individuals within the EU. Here's how compliance can be ensured in the context of using DLT and tokenization:
1. Understand the Nature of Data and Tokenization
Tokenization is a process that replaces sensitive personal data with non-sensitive equivalents, known as tokens. These tokens can be used in the system without exposing the original data, enhancing security. However, if personal data is collected during this process, it must be handled in accordance with GDPR requirements.
2. Identify the Roles: Data Controller and Processor
Under GDPR, it's crucial to identify who the data controller and data processor are in the context of DLT. The data controller determines the purposes and means of processing personal data, while the data processor processes personal data on behalf of the controller. In a DLT environment, this can be complex due to its decentralized nature, but it's essential for ensuring compliance.
3. Ensure Lawful Basis for Processing
For any personal data processing activity, including collection and storage on DLT, there must be a lawful basis under GDPR, such as consent from the data subject, a contractual necessity, or a legitimate interest. It's important to document this basis clearly.
4. Implement Data Protection by Design and by Default
GDPR requires that data protection principles be integrated into the processing activities from the outset (by design) and that by default, only personal data necessary for each specific purpose is processed. This includes applying tokenization and DLT in a way that minimizes the amount of personal data processed.
5. Secure Personal Data
Appropriate technical and organizational measures must be taken to ensure the security of personal data. This includes encryption, pseudonymization (which can include tokenization), and ensuring the confidentiality, integrity, availability, and resilience of processing systems and services.
6. Data Subject Rights
Ensure mechanisms are in place to facilitate the exercise of data subject rights under GDPR, such as the right to access, rectify, erase, and port personal data. This can be challenging with DLT due to its immutable nature, but solutions such as storing personal data off-chain or using smart contracts to manage access rights can be considered.
7. Data Protection Impact Assessment (DPIA)
Conduct a DPIA for processing activities involving DLT and tokenization, especially where new technologies are used. This assessment helps identify and mitigate risks to data subjects' rights and freedoms.
8. Compliance Documentation and Training
Maintain detailed records of processing activities and ensure that staff are trained on GDPR compliance, particularly regarding the unique aspects of DLT and tokenization.
9. Cross-Border Data Transfers
If personal data is transferred outside the EU, ensure that such transfers comply with GDPR requirements, using mechanisms like adequacy decisions, Binding Corporate Rules (BCRs), or Standard Contractual Clauses (SCCs)
Â
The right to erasure on DLT’s ?
Protection Regulation (GDPR) is a fundamental right that allows individuals to request the deletion of their personal data under certain conditions. This right is detailed in Article 17 of the GDPR. It aims to strengthen individuals' control over their personal data, particularly in the digital environment.
The right to erasure, also known as the "right to be forgotten," under the General Data Protection Regulation (GDPR) poses a significant challenge when applied to Distributed Ledger Technology (DLT) storage of tokenized securities. This challenge arises primarily from the inherent characteristics of DLT, such as immutability and decentralization, which conflict with the GDPR's provisions that allow individuals to request the deletion of their personal data under certain conditions.
DLT's immutability means that once data is recorded on a blockchain or similar technology, it cannot be altered or deleted. This feature is fundamental to the trust and security mechanisms of DLT but directly conflicts with the GDPR's right to erasure, which mandates that data subjects can request the deletion of their personal data when it is no longer necessary for the purpose it was collected for, among other conditions.
In the context of tokenized securities stored on DLT, personal data may be collected and processed during various stages, such as the issuance, transfer, and management of these securities. This data could include identification information, transaction details, and other personal data relevant to the parties involved in the securities transactions.
To reconcile the GDPR's right to erasure with DLT's immutability, several approaches could be considered:
Data Minimization and Pseudonymization: One approach is to minimize the amount of personal data stored on the DLT and use pseudonymization techniques. By replacing personal data with pseudonyms, the identifiable information is not directly stored on the DLT, reducing the impact of the right to erasure. However, this does not fully address the issue if the pseudonymized data can still be linked to an individual with additional information.
Off-Chain Storage: Another approach is to store personal data off-chain, where it can be managed more flexibly in compliance with GDPR requirements, including erasure. The DLT can store references or hashes of the off-chain data, ensuring the integrity and linkage of the data without directly exposing personal data on the DLT.
Encryption and Key Management: Encrypting personal data before storing it on the DLT and managing encryption keys in a way that allows for the effective "deletion" of data by destroying the keys
Smart Contracts for Data Management: Smart contracts could be designed to manage access to personal data stored off-chain or control the visibility and accessibility of pseudonymized data on-chain. While this does not erase the data from the DLT, it can restrict access to the data, effectively "hiding" it from unauthorized users.
Technical Innovations: may provide new solutions for aligning DLT with GDPR requirements. This could include advancements in cryptographic techniques, such as zero-knowledge proofs, that allow the verification of data without exposing the data itself, or legal frameworks that recognize the unique characteristics of DLT.
The CNIL (Commission Nationale de l'Informatique et des Libertés) acknowledges the challenges posed by DLT to the right to erasure and suggests that technological solutions should be evaluated to come closer to GDPR compliance. These solutions may include blocking access to data or using encryption techniques. The CNIL also emphasizes the importance of not storing personal data in cleartext on a blockchain and highlights that the principles relating to the security of data remain entirely applicable to blockchains[1]
The application of the GDPR's right to erasure to DLT storage of tokenized securities requires a careful balance between leveraging the benefits of DLT and ensuring compliance with data protection laws. It involves both technical solutions and legal interpretations that respect the principles of data protection without undermining the integrity and functionality of DLT systems.
[1]Â Â Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data, 29 October 2018, https://www.cnil.fr/en/blockchain-and-gdpr-solutions-responsible-use-blockchain-context-personal-data
