
This document is an excerpt from the EUR-Lex website

Document 52021XX0615(01)

Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Pilot Regime for Market Infrastructures based on Distributed Ledger Technology (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu) 2021/C 229/04

OJ C 229, 15.6.2021, p. 13–15 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

15.6.2021   

EN

Official Journal of the European Union

C 229/13


Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Pilot Regime for Market Infrastructures based on Distributed Ledger Technology

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2021/C 229/04)

On 24 September 2020 the European Commission adopted its Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on Distributed Ledger Technology (COM(2020)594 final). The Proposal establishes harmonised requirements for certain market participants to apply for and be granted permission to operate digital ledger technology (DLT) market infrastructures.

The EDPS highlights that the protection of personal data does not constitute an obstacle to innovation and, in particular, to the development of new technologies in the financial sector. At the same time, he recalls that measures adopted at EU level regarding innovative technologies involving the processing of personal data must comply with the general principles of necessity and proportionality. Moreover, given the lack of a full view of the impact of these new technologies on our society, the EDPS considers that the precautionary principle approach should be followed.

The EDPS notes that, depending on the DLT’s configuration, the meta or transactional data stored therein may be considered personal data if it relates to an identified or identifiable natural person. Thus, the controllers must carefully analyse and document the DLT’s configuration in order to determine whether personal data is processed thereby and, as a consequence, whether the operations are subject to the data protection obligations.

The EDPS highlights that the technology behind some digital ledgers, particularly those that are public and permissionless, raises crucial questions with regard to its compatibility with data protection requirements.

The EDPS is of the view that a discussion about the compatibility of DLT systems in general with the data protection framework should take place before the Proposal enters into force.

The EDPS notes that in the case of DLTs containing on-chain personal data, the processing operations relating thereto will likely meet the criteria for classification of the processing operation as high risk. Therefore, the controller shall, prior to the processing of personal data, carry out a data protection impact assessment for the envisaged processing operations. Moreover, prior approval from the competent data protection authority may be required.

The EDPS recommends that the Proposal request, as part of the information related to the application to operate a DLT Market Infrastructure, where applicable, the core information in relation to the processing operations envisaged. Moreover, he recommends that operators of DLT market infrastructures publish the privacy notice in the same place as their operating information, as required by the Proposal.

The EDPS highlights that IT and cyber arrangements foreseen in the Proposal for the operation of DLT Market Infrastructures must also be in line with the obligations set by Articles 22 and 32 of the GDPR (1).

Finally, in the context of reporting of operational issues by DLT Market Infrastructures’ operators, the EDPS recommends reminding in a recital that in cases of personal data breaches, these shall also be notified by the operator to the competent data protection authority, in accordance with Article 33 of the GDPR, and, if applicable, to the data subjects, in accordance with Article 34 of the GDPR.

3.   BACKGROUND

1. On 24 September 2020 the European Commission adopted its Proposal for a Regulation of the European Parliament and of the Council on a pilot regime for market infrastructures based on Distributed Ledger Technology (COM(2020)594 final) (the ‘Proposal’). The Proposal establishes harmonised requirements for specific market participants, namely investment firms, market operators or central securities depositories, to apply for and be granted permission to operate digital ledger technology market infrastructures (‘DLT Market Infrastructure’) in a supervised environment with the application of specific exemptions to compliance with financial regulations. In particular, the Proposal has four objectives: providing legal certainty for crypto-assets, ensuring financial stability, protecting consumers and investors and enabling innovation towards the use of blockchain, distributed ledger technology and crypto assets.

2. This Proposal is part of a package that includes a proposal for a regulation to build markets in cryptoassets (2) (the ‘MICA Regulation’), a proposal for digital operational resilience (3) (the ‘DORA Regulation’), and a proposal to clarify or amend certain related EU financial services rules (4). The EDPS expects to be consulted also on the other regulations of the package in line with Article 42(1) of Regulation (EU) 2018/1725.

3. On 26 February 2021 the European Commission requested the European Data Protection Supervisor (the ‘EDPS’) to issue an opinion on the Proposal, in accordance with Article 42(1) of Regulation (EU) 2018/1725. These comments are limited to the provisions of the Proposal that are relevant from a data protection perspective.

5.   CONCLUSIONS

In light of the above, the EDPS:

recalls that the protection of personal data does not constitute an obstacle to innovation and, in particular, to the development of new technologies, notably in the financial sector.

highlights that the technology behind some digital ledgers, particularly those that are public and permissionless, raises crucial conceptual questions with regard to data protection requirements; recommends therefore that the discussion about the possible way to ensure compatibility of DLT systems with the data protection framework should take place before the Proposal enters into force.

stresses that the crypto-assets traded in the DLT Market Infrastructures covered by the Proposal should be only those using a DLT configuration which complies with the data protection framework.

suggests also including, as part of the information required from the operator in the context of its application to operate a DLT Market Infrastructure, where applicable, the list of the foreseen processing operations involving personal data, the allocation of roles and responsibilities of each operator pursuant to the GDPR within the DLT Market Infrastructure, as well as the main risks envisaged and mitigation strategies as regards data protection.

highlights that IT and cyber arrangements foreseen in the Proposal for the operation of DLT Market Infrastructures must also be in line with the obligations set by Articles 22 and 32 of the GDPR.

recommends reminding in a recital, in the context of reporting of operational issues by DLT Market Infrastructures’ operators, that in cases of personal data breaches, these shall also be notified by the operator to the competent data protection supervisory authority, in accordance with Article 33 of the GDPR, and, if applicable, to data subjects, in accordance with Article 34 of the GDPR.

Brussels, 23 April 2021.

Wojciech Rafał WIEWIÓROWSKI


(1)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(2)  Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937, COM/2020/593 final. Available at EUR-Lex - 52020PC0593 - EN - EUR-Lex (europa.eu)

(3)  Proposal for a Regulation of the European Parliament and of the Council on Digital Operational Resilience for the Financial sector and Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM/2020/595 final, available at EUR-Lex - 52020PC0595 - EN - EUR-Lex (europa.eu)

(4)  Proposal for a Directive of the European Parliament and of the Council amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341, COM/2020/596 final. Available at EUR-Lex - 52020PC0596 - EN - EUR-Lex (europa.eu)

