Responsible use of personal data
According to the CNIL (National Commission for Information) report on the Blockchain published in 20181. RESPONSIBILITY
Participants in the Blockchain who decide to submit data for validation by minors are considered to be data controllers.
When a group of bodies decides to implement a processing operation on a Blockchain for a common purpose, all participants may be considered to have joint responsibility; except for designating the participant who makes decisions for the group as data controller.2. SUBCONTRACTORS
In a Blockchain, the processor within the meaning of the DPMR or the General Data Protection Regulation effective in the European Union may be the developer of the "smart contract" or the minors who validate the recording of data in a Blockchain.
Minimize risks with a treatment based on the Blockchain
1. THE PRINCIPLE
Any transaction on the chain of blocks involves:
- sending to all minors in the Blockchain a request to validate a transaction;
- updating the Blockchain by adding the new block in the chain of blocks to all participants.
Some participants may be located outside the European Union (EU) or the European Economic Area (EEA).
It is to ensure a sufficient and appropriate level of data protection that the Watch Certificate™ uses the Blockchain to record the data imprint and not the personal data itself.
2. THE FORMAT
The data collected by the Watch Certificate™ is relevant, limited to what is necessary for the purposes for which it is processed.
The Watch Certificate™ considers that the data - whether personal or not - should be recorded in the Blockchain, in the form of a print obtained with a key hash function, making it possible to ensure a high level of confidentiality.
The principle is that the unencrypted data is stored elsewhere than on the Blockchain (e.g. on the controller's information system) and that only information proving the existence of the data is stored there (fingerprint obtained with a hash key function, etc.).
3. THE DURATION
Personal data are only kept indefinitely: the retention period is determined according to the purpose of the data processing. For the Watch Certificate™ this objective is to maintain a link between the object of value and its owner.
One of the characteristics of the Blockchain is that the data entered in it cannot be technically modified or deleted: once the block in which a transaction is entered has been accepted by the majority of participants, a transaction can no longer be modified in practice.
For this reason, the Watch Certificate™ uses the Blockchain to record the imprint of the data and not the personal data itself. In this way, it ensures full compliance with the DPMR.
Each participant has an identifier composed of a sequence of alphanumeric characters that appear random and which constitute the public key to the participant's account. This public key refers to a private key known only to the participant. The very architecture of the Blockchain means that the identifiers will always be visible, as they are essential to its proper functioning.
It is for this reason that the Watch Certificate™ acts as an intermediary to register on the Blockchain, thus protecting the personal data of the owners of valuables with a Watch Certificate™ .
Individuals' control over their personal information
The Watch Certificate™ should provide concise, easily accessible, and clearly worded information to the data subject before submitting personal data to minors for validation.
The same applies to the right of access and the right to portability.
It is technically impossible to comply with the data subject's request for deletion when data is entered in the Blockchain, which is why the Watch Certificate™ does not enter personal data.
The right to information, the right of access, and the right of portability do not a priori pose any particular difficulties related to Blockchain technology.
The different properties of the Blockchain (transparency, decentralization, forgery-proof, disintermediation) are largely based on two factors: the number of participants and minors, and a set of cryptographic functions on the other hand.
For this reason, the Watch Certificate™ relies on the Ethereum Blockchain, which is recognized and used by governments, banks and insurance companies among others, and has at least 10,000 nodes.
Furthermore, the choice to use a public Blockchain is strategic since the architecture of the service thus designed is "Privacy by design" and is therefore not subject to the risks related to confidentiality weighing on private Blockchains.
Where is the data?
The data are hosted at Google, here is their geographical location:
- Cloud run
: On 4 areas in Saint-Ghislain 7330, Belgium, Europe (europe-west1)
: multi-region in EU to ensure fast access to images
- Cloud SQL
: Saint-Ghislain 7330, Belgium, Europe (europe-west1-d)Learn more about Google's data center in Saint Ghislain, Belgium
Compliance at Google is described on this link:
Data protection at Google is described on this link: https://cloud.google.com/security
Data privacy at Google is described on this link:
Formalities completed with the CNIL
The company Tradee SAS (SIRET 800862112 00011) has completed its registration formalities with the CNIL under number 1782668.
Proof of this registration is available on the CNIL website: https: //www.cnil.fr/fr/les-formalites-prealables-accomplies-aupres-de-la-cnil-avant-le-25-mai-2018