This Position Paper describes whether and how the General Data Protection Regulation (GDPR) applies to us, the Sovrin Foundation, in our role as an administrator and participant in the Sovrin Network. We also assess whether and how the GDPR applies to other participants in the Sovrin Network, including the Stewards, Transaction Authors, Transaction Endorsers, Agencies, Developers, Holders, Issuers, and Verifiers. The purpose of this Position Paper is to inform participants of their likely roles with respect to GDPR and is not intended to provide compliance advice for participants when they interact with data subjects. However, by connecting activities to the roles listed in the GDPR (e.g., data controller, data subject, data processor), we hope that this Position Paper can serve as a starting point for Sovrin Network participants in understanding their regulatory obligations. Although this Position Paper explicitly addresses only the GDPR, it is exemplary of our approach to data protection regulations across all jurisdictions.
The analysis of any specific use case or application of Distributed Ledger Technology (DLT) in the context of GDPR relies on facts and circumstances, which, in this case, include the technical architecture of the Sovrin Network. Some of these technical details are still under design and development; therefore, the scope of this analysis is limited to how the Sovrin Network is designed as of the date of this Position Paper. Specifically, the analyses, conclusions, and recommendations in this Position Paper do not take into account potential changes to the Sovrin Network and/or any additional projects or ventures in which the Sovrin Foundation may be involved, including the development or potential launch of a token.
Note that references to “natural persons” and “data subjects” in this Position Paper assume that these are natural persons and data subjects in the European Union, for the purposes of our analysis.