|Corda Network Foundation||Document history|
1 Policy Statement
The General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679) requires companies to protect the personal data and privacy for the collection and processing of personal information of individuals within the European Union (EU). The regulation aims to give citizens and residents back the control of their personal data, while imposing regulatory and legal requirements for data controllers and data processors (as defined below), including data hosting providers. Generally speaking, under GDPR individuals have the right to understand how companies use their data for sales and marketing purposes, and need to be made aware of their rights with regard to their personal data and to be informed when cyber data thefts occur in relation to their personal information. Corda Network Foundation is committed to embed data protection compliance deeply into its business processes, with the objective that technical and organizational security measures limit the amount and use of personal data to what is specifically required.
2 Key Definitions
- Personal Data: means any information relating to an identified or identifiable natural person (‘data subject’). In turn, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, address, an identification number (such as a passport or a social security number), location data, telephone number, an online identifier or log in details or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. First Name and Last Name can be personal data if linked to other data (or otherwise independently if they are not common names).
- Data Controller: “controller” means the natural or legal person, public authority, agency or other body (each, a “person”) which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Data Processor: any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
- Processing, in relation to information or data means obtaining, recording or holding the information
or data or carrying out any operation or set of operations on the information or data, including:
- organization, adaptation or alteration of the information or data,
- retrieval, consultation or use of the information or data,
- disclosure of the information or data by transmission, dissemination or otherwise making available or
- alignment, combination, blocking, erasure or destruction of the information or data.
3 Corda Network Foundation Services
The Doorman Service undertakes screening on Node Users and Node Operators wishing to join Corda Enterprise and issues certificates to Node Operators, signed by a Certificate Authority. The Registration Service collects information on the Node User and Node Operator. Any personal data collected as part of the certificate issuance process, such as contact name, phone number or email address will be stored on private, secure databases. Personal Data related to revoked certificates will be deleted after record retention rules expire as long as there is no legitimate business reason to store the data.
The Network Map Service provides information relating to each node on the network so that other nodes can identity other participants on the network. No personal data will be shared with other network participants as part of this service.
Notaries receive transactions submitted for processing and either return a signature over the transaction or a rejection error that states a double spend occurred. Corda has two types of notaries – validating notary and a non-validating notary. A validating notary needs to see all data in a state object to make a confirmation decision before it gets added to the next block. Non-validating notaries only see a subset of a transaction to determine ordering / uniqueness. At this time, the Corda Network Foundation only provides non-validating notaries; therefore no personal data is processed or stored.
The Corda Network Foundation operator (“operator”) will notify impacted parties of personal data breaches no later than 72 hours after having become aware of a breach. A supervisory authority will be notified if there is any risk to the rights and freedoms of natural persons. The operator will notify the Corda Network Foundation Board immediately.
5 The Right to Erasure
Under GDPR, the data subject shall have the right to obtain the erasure of personal data concerning him or her without undue delay. Personal data will be removed from systems if it is no longer necessary in relation to the purposes for which they were collected or otherwise processed and record retention rules expire.