GDPR和区块链 (GDPR and blockchain)

简介 (Introduction)

Blockchain is undoubtedly the technology for data storage and traceability. While it is still not widely accepted, most people outside the Blockchain ecosystem have started to understand this.

毫无疑问，区块链是数据存储和可追溯性的技术。虽然它还没有被广泛接受，但区块链生态系统之外的大多数人已经开始理解这一点。

Blockchain technology acts like a decentralised database shared simultaneously with all its users, without depending on a central authority for access. Any data uploaded and stored on a blockchain (e.g. Arweave) cannot be modified, tampered with or "revoked" without it being visible to all. A real breakthrough technology!

区块链技术就像一个去中心化的数据库，同时与所有用户共享，而不依赖于中心化访问权限。任何上传和存储在区块链（例如 Arweave）上的数据都不能在不被所有人看到的情况下被修改、篡改或“撤销”。真正的突破性技术！

However, when one uses the term "data" within the context of data storage, what quickly comes to mind, particularly among Europeans, is the General Data Protection Regulation (GDPR). And the resulting question is: does GDPR apply to blockchain technology?

然而，当人们在数据存储的上下文中使用“数据”一词时，尤其是在欧洲人中，很快就会想到通用数据保护条例 (GDPR)。由此产生的问题是：GDPR 是否适用于区块链技术？

The answer given by the French Commission Nationale de l'Informatique et des Libertés (CNIL – French Data Protection Agency) in 2018 on this subject is clear: "when a blockchain contains personal data, GDPR is applicable".

法国 Commission Nationale de l'Informatique et des Libertés（CNIL – 法国数据保护局） 在 2018 年就此问题给出的答案很明确：“当区块链包含个人数据，GDPR 适用”。

What exactly is meant by personal data in the sense of GDPR? CNIL specifies that it is, "any information concerning an identified or identifiable natural person". The blockchain is therefore not, in itself, a data processor with a purpose in its own right, but a technology that can be used in support of different data processing. And this is where GDPR applies.

GDPR 意义上的个人数据到底是什么意思？ CNIL 指定它是“关于已识别或可识别自然人的任何信息”。因此，区块链本身并不是一个具有自身目的的数据处理器，而是一种可用于支持不同数据处理的技术。这就是 GDPR 适用的地方。

But is the very philosophy and operating principles of a blockchain compatible with GDPR? The answer is not so obvious and deserves to be considered for a moment.

但是区块链的理念和操作原则是否与 GDPR 兼容？答案不是那么明显，值得考虑一下。

Innovation and the protection of fundamental rights of individuals are not, in our opinion, contradictory objectives. Indeed, GDPR does not aim to regulate technologies as such, but rather the way actors use these technologies in a context involving personal data.

在我们看来，创新和保护个人基本权利并不矛盾。事实上，GDPR 的目的不是监管技术本身，而是监管行为者在涉及个人数据的环境中使用这些技术的方式。

So a blockchain storing data can satisfy many of the rules set out in GDPR.

因此，存储数据的区块链可以满足 GDPR 中规定的许多规则。

Even though cryptographic processes predate the publication of the data protection rules, major technological developments in protecting privacy are taking place now. Through advanced encryption, web3 developers can implement GDPR compliant solutions. Web3 is still in its nascent phase and will come to understand the spirit and the details of data protection rules over time.

尽管加密过程早于数据保护规则的发布，但保护隐私的重大技术发展现在正在发生。通过高级加密，web3 开发人员可以实施符合 GDPR 的解决方案。 Web3 仍处于初级阶段，随着时间的推移将逐渐了解数据保护规则的精神和细节。

The architecture and technological characteristics of each blockchain are unique. The consequences for the way personal data is stored and processed in light of GDPR may vary from one blockchain to another. It is, therefore, necessary to carry out a case-by-case analysis.

每个区块链的架构和技术特征都是独一无二的。根据 GDPR 存储和处理个人数据的方式的后果可能因区块链而异。因此，有必要具体情况具体分析。

The applications built on the Arweave blockchain show great promise in terms of data protection by their design and the control offered to users. We will further develop how an application such as Akord and the Arweave blockchain can address GDPR compatibility issues.

建立在 Arweave 区块链上的应用，通过其设计和为用户提供的控制在数据保护方面显示出巨大的希望。我们将进一步探索 Akord 和 Arweave 区块链等应用如何解决 GDPR 兼容性问题。

一些有用的概念 (Some useful concepts)

The objectives of GDPR are to protect, on the territory of the European Union, people whose personal data is processed, and to reinforce the responsibility of those processing this data.

GDPR 的目标是在欧盟境内保护其个人数据被处理的人，并加强处理这些数据的人的责任。

Any private or public company, regardless of the technology they use, that processes personal data of European citizens must comply with certain obligations, which are based on 5 major principles.

任何处理欧洲公民个人数据的私营或上市公司，无论使用何种技术，都必须遵守基于 5 项主要原则的特定义务。

• Inform data subjects so that they can give their consent to the collection and processing of their personal data.
  通知数据主体，以便他们同意收集和处理他们的个人数据。

• Use data in a transparent and relevant way with regard to its collection and processing;
  在收集和处理方面以透明和相关的方式使用数据；

• Give data subjects access to their data so that they can consult, modify, and delete it at any time.
  授予数据主体访问其数据的权限，以便他们可以随时查阅、修改和删除数据。

• Control and limit the sharing and circulation of data.
  控制和限制数据的共享和流通。

• Secure personal data both electronically and physically.
  以电子方式和物理方式保护个人数据。

Understanding whether we are processing personal data is therefore key to understanding whether GDPR applies to activities carried out on a blockchain.

因此，了解我们是否在处理个人数据，是了解 GDPR 是否适用于在区块链上开展的活动的关键。

After the previous section, you will understand more easily that the intention of the legislator is to give back the control of personal data to its owner and to limit, or at least to frame the use and the processing by the professionals who can have access to it.

在上一节之后，您将更容易理解立法者的意图是将个人数据的控制权交还给其所有者，并限制或至少限制可以访问的专业人员的使用和处理。

什么是个人数据？什么是区块链上的个人数据？(What is personal data? What is personal data on a blockchain?)

According to CNIL, personal data is "any information concerning an identified or identifiable natural person". Generally, an individual can be identified by a name, an address, a number, but this can also include other identifiers such as an IP address, a cookie identifier or similar identifying metadata collected by a website or an application.

根据 CNIL，个人数据是“关于已识别或可识别自然人的任何信息”。通常，个人可以通过姓名、地址、号码来识别，但这也可以包括其他标识符，例如 IP 地址、cookie 标识符或网站或应用收集的类似识别的元数据。

Even if a person cannot be strictly identifed from the information processed, that person may still be deemed identifiable. Therefore, only information that is truly anonymous (i.e. “such a manner that the data subject is not or no longer identifiable”) or not "about" the person is not covered by GDPR.

即使无法从处理的信息中严格识别某个人，该人仍可被视为可识别。因此，只有真正匿名的信息（即“数据主体无法或不再可识别的方式”）或不“关于”该人的信息，不在 GDPR 的涵盖范围内。

On a blockchain, the personal data processed can be quite basic. For example, a pseudonym, a bank account number, the public address of a wallet, a signature; or much more complex, such as the transfer of financial or insurance assets, the "hash" of patients' medical data.

在区块链上，处理的个人数据可能非常基础。例如，化名、银行帐号、钱包的公共地址、签名；或者更复杂，例如金融或保险资产的转移，患者医疗数据的“哈希”。

Once processing of personal data is established on a blockchain, GDPR analysis applies: identification of the data controller, enforcement of rights, implementation of appropriate safeguards, security obligations, etc.

一旦在区块链上建立了个人数据处理，GDPR 分析就适用：数据控制者的识别、权利的执行、适当保障措施的实施、安全义务等。

谁是区块链中的主要参与者？ (Who are the main actors involved in a blockchain?)

Data protection originated in the management of centralised data within specific entities. For blockchain technology, the decentralised governance of data and the multiplicity of actors involved in the processing of data make it considerably more difficult to define the role of each actor.

数据保护起源于特定实体内部集中数据的管理。对于区块链技术，数据的去中心化治理和数据处理中涉及的参与者之多样性，使得定义每个参与者的角色变得相当困难。

Three types of actors can be identified:

可以确定三种类型的参与者：

• The "accessors", who have the right to read and hold a copy of the chain;
  有权阅读和持有链副本的“访问者”；

• The "participants" who have the right to make entries, ie, to carry out a transaction for which they request validation;
  有权进行输入的“参与者”，即执行他们请求验证的交易；

• The "miners" who validate a transaction and create blocks by applying the rules of the blockchain to have them "accepted" by the community.
  验证交易并通过应用区块链规则创建区块以使社区“接受”它们的“矿工”。

哪个参与者充当区块链中的数据控制器？(Which actor acts as the data controller in a blockchain?)

According to CNIL, a controller is, "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

根据 CNIL，控制者是“单独或与他人共同确定个人数据处理目的和方式的自然人或法人、公共当局、机构或其他机构”。

CNIL has clarified that participants, who have the right to write on the blockchain and who decide to send data for validation by miners, can be considered as data controllers. Indeed, the participants in the blockchain must define the purposes (objectives pursued by the processing) and the means (data format, use of blockchain technology, etc) of the processing.

CNIL 已澄清，有权在区块链上写入并决定发送数据来供矿工验证的参与者可以被视为数据控制者。实际上，区块链的参与者必须定义处理的目的（处理所追求的目标）和处理的方式（数据格式、区块链技术的使用等）。

More specifically, CNIL considers that the participant may be qualified as a data controller,

更具体地说，CNIL 认为参与者可能有资格成为数据控制者，

• "when said participant is a natural person and the processing is related to a professional or commercial activity (ie, when the activity is not strictly personal);
  “当所述参与者是自然人并且处理与专业或商业活动有关时（即，当活动不是严格意义上的个人活动时）；

• when the said participant is a legal person that registers personal data in the blockchain".
  当所述参与者是在区块链中注册个人数据的法人时”。

On the other hand, miners are not considered as data controllers, since they only validate the transactions submitted by participants and are not involved in the purpose of these transactions.

另一方面，矿工不被视为数据控制者，因为他们只验证参与者提交的交易，并不参与这些交易的目的。

The Arweave blockchain and the applications that work on the Arweave blockchain are very promising in terms of data protection by their design and the control offered to users. The Akord protocol and application is a good example.

Arweave 区块链和在 Arweave 区块链上运行的应用，在其设计和提供给用户的控制方面的数据保护方面非常有前途。 Akord 协议和应用就是一个很好的例子。

Arweave、Akord 和 GDPR 合规性 (Arweave, Akord, and GDPR compliance)

Arweave

Arweave is a new blockchain protocol creating for the first time truly permanent serverless data storage. This technology is still largely reserved for a more tech savvy user that’s comfortable with the various technical processes required to use it.

Arweave 是一种新的区块链协议，首次创建真正永久的无服务器数据存储。这项技术在很大程度上仍然保留给更精通技术的用户，他们熟悉使用所需的各种技术流程。

From a GDPR standpoint, Arweave provides in its technical documentation, a transaction format (ANS-106) the possibility for people to let miners know not to store certain data on grounds of privacy, regulation, copyright, etc. …

从 GDPR 的角度来看，Arweave 在其技术文档中提供了一种交易格式 (ANS-106)，让人们可以让矿工知道不要以隐私、监管、版权等为由存储某些数据……

Privacy and private data processing are very much at the heart of Arweave’s business. As its CEO, Sam Williams, stated in an interview in 2022:

隐私和私人数据处理是 Arweave 业务的核心。正如其首席执行官Sam Williams在 2022 年的一次采访中所说：

It's the node's responsibility, both morally and legally, to abide by the laws of their land, and the network allows them to do that.

节点在道义上和法律上都有责任遵守所在国的法律，网络允许他们这样做。

~ Sam Williams，在 2022 年亚洲 Arweave 上发言
~Sam Williams, speaking at Arweave in Asia 2022

Akord

Akord is a protocol developed by Zero Knowledge Collective. The protocol offers a digital storage space on the Arweave blockchain and a means for its users to publish their digital files to the Permaweb.

Akord 是由 Zero Knowledge Collective 开发的协议。该协议在 Arweave 区块链上提供了一个数字存储空间，并为其用户提供了一种将其数字文件发布到 Permaweb 的方式。

One of the main objectives of the Akord application is to democratise the use of the Arweave blockchain, giving back control of the data fully owned by its users. The app offers digital vaults with a simple UX making Arweave accessible to a broad range of users.

Akord 应用的主要目标之一是使 Arweave 区块链的使用民主化，交还其用户完全拥有的数据控制权。该应用程供具有简单用户体验的数字保管库，使 Arweave 可供广泛的用户访问。

This digital vault service can be qualified as automated processing of personal data, insofar as its management is based on computerised operations and the content of this storage space is, by nature, dependent on the case, linked to an identifiable physical person (the user).

这种数字保管库服务可以被称为个人数据的自动处理，只要它的管理是基于计算机化的操作，并且这种存储空间的内容在本质上取决于具体情况，与可识别的自然人（用户）相关联.

In the following sections, we will discuss how Akord meets the various GDPR requirements.

在以下部分中，我们将讨论 Akord 如何满足 GDPR 的各种要求。

Akord 应用如何更接近 GDPR 的完全合规性？(How Akord app moves closer to full GDPR compliance? )

After a brief overview on GDPR as applied to blockchain technology, the following will focus on the Akord protocol. This will provide example on how Akord manages to minimize the risks when processing personal data based on the Arweave blockchain and thus meet the GPDR requirements.

在简要概述 GDPR 应用于区块链技术后，下文将重点介绍 Akord 协议。这将举例说明 Akord 如何在基于 Arweave 区块链处理个人数据时设法将风险降至最低，从而满足 GPDR 要求。

关于接收人 (Regarding recipients)

Unlike the data stored in public vaults, the documents imported into the encrypted vaults, can only be consulted by the user concerned and the persons he or she has specially authorised and invited into the vault (who are themselves subject to an authentication mechanism).

与存储在公共保管库中的数据不同，导入到加密保管库中的文件只能由相关用户和他或她特别授权并邀请进入保管库的人（其本身受身份验证机制约束）查阅。

In practice, the data is encrypted with a key, controlled only by the user, and protected by cryptographic mechanisms making it incomprehensible to unauthorised third parties. The transfer of data on the blockchain is protected by advanced cryptography.

实际上，数据是用密钥加密的，仅由用户控制，并受加密机制保护，使未经授权的第三方无法理解。区块链上的数据传输受到高级密码学的保护。

处理后的数据 (Processed data)

In its capacity as provider of the digital vault service, Akord is required to process data enabling users to be identified with certainty and the associated data necessary for the operation of its service.

作为数字保管库服务的提供商，Akord 需要处理能够确定用户身份的数据以及运营其服务所需的相关数据。

As soon as Akord defines the means and purposes for the implementation of these two processing operations (cryptographic commitment, encrypted key in particular), it assumes the role of data controller and is therefore subject to the obligations of GDPR.

一旦 Akord 定义了执行这两个处理操作的方式和目的（加密承诺，特别是加密密钥），它就会承担数据控制者的角色，因此需要遵守 GDPR 的义务。

Access to the encrypted digital vaults is strictly limited to the user, and it is therefore technically impossible for Akord to determine in advance the nature of the documents that a user will decide to store in his or her private space. Furthermore, Akord is not technically capable of accessing the contents of a vault, nor its possible backups.

对加密数字保管库的访问严格限于用户，因此从技术上讲，Akord 无法提前确定用户将决定存储在其私人空间中的文件的性质。此外，Akord 在技术上无法访问保管库的内容，也无法访问其可能的备份。

Data stored by users in their encrypted vaults are in principle excluded from the scope of GDPR (and they are not processed by Akord). The same applies to the automatic retrieval of digital documents, because these documents are not used by Akord but only entered into a digital vault.

用户存储在其加密保管库中的数据原则上不在 GDPR 的范围内（并且 Akord 不处理这些数据）。这同样适用于数字文档的自动检索，因为这些文档不被 Akord 使用，而只是输入到数字保管库中。

保留期限 (Retention period)

GDPR imposes, in principle, a maximum retention period for personal data which varies according to the purpose of the data processing.

GDPR 原则上规定了个人数据的最长保留期限，该期限根据数据处理的目的而有所不同。

Akord commonly processes the following two categories of data via its application.

Akord 通常通过其应用处理以下两类数据。

• 参与者的标识符 (Participants' identifiers)
  Each participant has an identifier composed of a sequence of alphanumeric characters that appear to be random and that constitute the public key of the participant's account. This public key relates to a private key that only the participant knows.
  每个参与者都有一个由一系列字母数字字符组成的标识符，这些字符看起来是随机的，并且构成了参与者帐户的公钥。该公钥与只有参与者知道的私钥相关。

  The very architecture of a blockchain requires that the identifiers be visible at all times, as they are essential to its proper functioning.
  区块链的架构要求标识符始终可见，因为它们对其正常运行至关重要。

  In this particular case, the CNIL accepts that it is not possible to reduce the retention period further and that their retention periods can be aligned with the life of the blockchain. As the blockchain is a “Permaweb”, we can therefore conclude that the identifiers of the users, i.e, the participants, can be validly kept for the entire duration of the Akord application.
  在这种特殊情况下，CNIL 承认不可能进一步缩短保留期，并且它们的保留期可以与区块链的生命周期保持一致。由于区块链是一个“永久网络”，因此我们可以得出结论，用户（即参与者）的标识符可以在 Akord 应用的整个持续时间内有效保留。

• 附加数据 (Additional data)
  In addition to the participants' identifiers, the additional data stored on the blockchain may contain personal data, potentially relating to persons other than the participants.
  除了参与者的标识符之外，存储在区块链上的附加数据可能包含个人数据，可能与参与者以外的人有关。

  In this case, the CNIL recommends that the personal data be recorded in the blockchain in the form of a cryptographic commitment. This technical option has obviously been implemented on the Akord application for encrypted vaults.
  在这种情况下，CNIL 建议将个人数据以加密承诺的形式记录在区块链中。这个技术选项显然已经在 Akord 的加密保管库应用上实现了。

通知个人 (Informing individuals)

In accordance with GDPR, the persons concerned by the processing of personal data must be informed, in particular, of the identity of the person responsible for the service, the purpose of the processing, the recipients of the data, any transfers of data to a country outside the European Union, as well as the existence of and procedures for exercising the rights of access, rectification and opposition.

根据 GDPR，处理个人数据的相关人员必须被告知，特别是服务负责人的身份、处理的目的、数据的接收者、任何数据传输到欧盟以外的国家，以及行使访问权、纠正权和异议权的存在和程序。

Akord complies with all these requirements. All this information can be consulted directly on its website, under the section Privacy policy.

Akord 符合所有这些要求。所有这些信息都可以在其网站上的 隐私政策 部分直接查阅。

Akord, in its capacity as a provider of access to digital storage spaces, has developed technical solutions enabling it to offer its services without collecting confidential information, with the exception of data relating to the identification and connection of its users.

Akord 作为数字存储空间访问的提供商，开发了技术解决方案，使其能够在不收集机密信息的情况下提供服务，但与用户识别和连接相关的数据除外。

Users of digital vaults are clearly informed of the type of space available to them (encrypted and public vaults) and their consequences of use. The choice of public vaults can considerably degrade the protection of individuals' data within the meaning of GDPR. Also in the interest of transparency, Akord requires the prior consent of the user as a necessary precondition for creating a public vault.

数字保管库的用户被清楚地告知他们可用的空间类型（加密和公共保管库）及其使用后果。在 GDPR 的意义上，选择公共保管库可能会大大降低对个人数据的保护。同样为了透明起见，Akord 需要用户的事先同意作为创建公共保管库的必要前提。

访问权和数据可移植权 (The right of access and right to data portability)

Upon simple request to the dedicated email address, any data subject may request access to the data concerning him/her.

在向专用电子邮件地址提出简单请求后，任何数据主体都可以请求访问与他/她有关的数据。

With regard to the right to data portability, Akord will release an app deployed directly on Arweave, Akord explorer, enabling users to independently access and retrieve all data from all digital vaults in a simple manner, regardless of whether the operating company that builds and maintains the application exists or not. This guarantees and facilitates, perpetually, the right of our users to change services if they so wish.

在数据可移植性方面，Akord 将发布一款直接部署在 Arweave 上的应用 Akord explorer，使用户能够以简单的方式，独立访问和检索所有数字保管库中的所有数据，无论构建和维护运营该应用的公司是否存在。这永久地保证并促进了我们的用户根据自己的意愿更改服务的权利。

删除权（“被遗忘权”）或反对权 - The right to erasure (“right to be forgotten”) or right to object

To date, as far as public blockchains are concerned, it is technically impossible to delete data in clear text, unless miners theoretically decide to remove data from Arweave by applying the ANS-106 option mentioned above.

迄今为止，就公共区块链而言，删除明文数据在技术上是不可能的，除非矿工理论上决定通过应用上述 ANS-106 选项从 Arweave 中删除数据。

In order to protect its users' personal data as much as possible, Akord leaves them the choice of how to store their data:

为了尽可能保护用户的个人数据，Akord 让他们选择如何存储他们的数据：

• The public vault comes into play in the case of data written in clear text or hashed on the Arweave blockchain. As mentioned above, specific information has been put in place to make users aware of the consequences of this choice and the vulnerability of the protection of the data that could be published there.
  如果数据以明文形式写入或在 Arweave 区块链上哈希，则公共保险库会发挥作用。如上所述，已提供特定信息，让用户了解此选择的后果以及可能在那里发布的数据保护之脆弱性。

• The private vault, which is much more protective since no personal data is written in clear text on the Arweave blockchain, and which also use a cryptographic process.
  私人保险库，由于 Arweave 区块链上没有以明文形式写入任何个人数据，因此保护性更强，并且还使用加密过程。

When a user wishes to delete one of the documents from their vault, this request is immediately taken into account with the "revocation" option offered by the application. As mentioned above, a document cannot be technically and effectively deleted from the Arweave blockchain unless expressly asked under ANS-106 option.

当用户希望从他们的保管库中删除其中一份文档时，应用提供的“撤销”选项会立即考虑此请求。如上所述，除非在 ANS-106 选项下明确要求，否则无法从技术上有效地从 Arweave 区块链中删除文档。

However, the cryptographic processes chosen by Akord make it possible to cut off the accessibility of the evidence recorded on the blockchain, by making it difficult or impossible to recover. Indeed, the mathematical properties of certain cryptographic commitments chosen by Akord can guarantee that once the elements allowing its verification are removed, it will no longer be possible to prove or verify which information was committed. The commitment itself then no longer presents any risk in terms of confidentialitý. Another option for Akord would be that of removing the secret key from the hash function which will have a similar effect.

但是，Akord 选择的加密过程使得很难或不可能恢复，从而有可能切断区块链上记录的证据的可访问性。事实上，Akord 选择的某些加密承诺的数学属性可以保证，一旦允许其验证的元素被删除，将无法再证明或验证哪些信息已提交。承诺本身就不再存在任何保密风险。 Akord 的另一个选择是从哈希函数中删除密钥，这将产生类似的效果。

整修权 (The right to rectification)

As mentioned above, any data entered on a blockchain cannot technically be changed once the block is accepted by the majority of participants.

如上所述，一旦区块被大多数参与者接受，任何输入区块链的数据在技术上都无法更改。

However, if a user requested a change, the lack of possibility to modify the data entered in a block will most likely lead Akord to enter the updated data in a new block. This is because a subsequent transaction can always cancel the first transaction, even though the first transaction will still appear in the chain. The same solutions as in the case of a request to delete personal data could be applied to the erroneous data if it is to be deleted.

但是，如果用户请求更改，则无法修改块中输入的数据，这很可能导致 Akord 在新块中输入更新的数据。这是因为后续交易总是可以取消第一笔交易，即使第一笔交易仍会出现在链中。如果要删除错误数据，则可以将与请求删除个人数据的解决方案相同的解决方案应用于错误数据。

Unlike other blockchains, Arweave standard (Ans-106) provides the ability to users to request non-storage of certain data (for privacy, regulatory, copyright reasons, etc.). This strengthens data rights of our users whom can rely on Akord for technical support needed to follow this path (not provided at this stage unfortunately but working on it!).

与其他区块链不同，Arweave 标准 (Ans-106) 允许用户请求不存储某些数据（出于隐私、监管、版权原因等）。这加强了我们用户的数据权利，他们可以依靠 Akord 获得遵循此路径所需的技术支持（不幸的是，现阶段未提供，但正在努力！）。

Through this article, we hope to have proven Akord's commitment to permanently guarantee the security and protection of its users' data, in accordance with the CNIL recommendations, and to make every effort to ensure its compliance with GDPR in a changing technological context favouring decentralisation.

通过本文，我们希望证明 Akord 致力于根据 CNIL 的建议，永久保证其用户数据的安全和保护，并尽一切努力确保其在不断变化的有利于去中心化的技术环境中遵守 GDPR

脚注 (Footnote)

1.The transfer of data outside the EU are not voluntarily addressed in this article and will be the subject of a separate article.

参考文献 Sources

Blockchain: Solutions for a responsible use of the blockchain in the context of personal data – CNIL- September 2018

Premiers éléments d’analyse de la CNIL – September 2018

LexisNexis N° 4548 – Protéger les données personnelles dans des projets blockchain - smart contracts. RGPD - December 2, 2021 - written by Nicolas Goossaert-Krupka

Délibération n° 2013-270 dated September 13, 2013 CNIL recommandation about « aux services dits de coffre-fort numérique ou électronique destinés aux particuliers »

Blockchain and the General Data Protection Regulation Can distributed ledgers be squared with European data protection law? - EPRS | European Parliamentary Research Service – July 2019