
GDPR, transaction memo and a disgruntled ex-employee...


ThomasTheTGV


Not sure if this belongs here in regulation corner, but here is a thought experiment about the General Data Protection Regulation (GDPR):

Imagine that an employer in the Netherlands uses the Ripple Ledger for sending/escrowing funds for his employees. His administrator uses the transaction memo fields to ID the transactions to the different employees by using their e-mail addresses (john.doe@company.nl) and the company ID number (which is tied to the Dutch BIG-register) for this person.

One of the employees leaves the company and decides he no longer wants to be affiliated with the company in any way... He (it's a he this time) invokes the right to be forgotten by the company. So the administrator processes the request and (after the legal compliant waiting period) deletes all data in the company administration... Except for the payments done on the Ripple Ledger: he can't mutate those, although he is legally compliant to do so.

Now for my questions:

  • At the moment it is not possible for the company administrator to mutate or delete these entries, where should he report this issue?
  • The disgruntled ex-employee gets tired of waiting and asks Ripple to remove/mutate the transactions, can Ripple do this?
  • After a few months the disgruntled ex-employee gets tired of it all and decides to take legal action... Should he sue the company? Or could he sue Ripple as well?

What do you guys think?

And for the bonus.... Replace the Ripple ledger with the Bitcoin ledger

 

Edited by ThomasTheTGV
added examples for the email and ID

It’s no different than a law that decrees the tides not to come in.  

A non-starter because it is not possible.  Might as well say that all involved must also forget it happened.  Can’t be done.  


17 minutes ago, Tinyaccount said:

It’s no different than a law that decrees the tides not to come in.  

A non-starter because it is not possible.  Might as well say that all involved must also forget it happened.  Can’t be done.  

Why not? The disgruntled ex-employee doesn't mind the transactions.... He does mind the e-mail address (which has his name in it) and the company ID; if these could be removed everything would be fine. He has the right by law (GDPR) to be forgotten, fines can be very high if the company doesn't comply!

I understand that the company/administrator should have never used this information in the transaction.... But for the sake of the argument they did.


18 minutes ago, XRP-JAG said:

GDPR is personal information only.

You don't have to delete all their work when somebody leaves! ;)

An e-mail address can be tied to a person (john.doe@company.nl) and so can an ID (like the Dutch BIG-register) in some cases.


28 minutes ago, CryptoJym said:

If the company deletes all data of the employee's record at their HQ, they wouldn't have anything on hand that could be used to link the employee to those entries on the ledger correct? 

I'm playing devil's advocate here: an e-mail address can be tied to a person (john.doe@company.nl) and so can an ID (like the Dutch BIG-register) in some cases.


26 minutes ago, Graine said:

Unless he can prove that whatever hashed id is connected to his personality, I don't see why any legal repercussions could arise. 

Also, highly unlikely that a company would use RCL and pay tx fees instead of a simple database. 

Valid point but I needed an example where a company f-ed up. 


41 minutes ago, ThomasTheTGV said:

Why not? The disgruntled ex-employee doesn't mind the transactions.... He does mind the e-mail address (which has his name in it) and the company ID; if these could be removed everything would be fine. He has the right by law (GDPR) to be forgotten, fines can be very high if the company doesn't comply!

I understand that the company/administrator should have never used this information in the transaction.... But for the sake of the argument they did.

Storing personal information unhashed on the internet is very unwise. If they did indeed input personal information on a blockchain - then perhaps they deserve to pay the price. 

As per your other question - the only way to remove those is to purge the ledgers that contain those transactions. You technically could force Ripple to comply. But you will have to hunt any other entities with full history on your own.
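
Added example, not part of any post in this thread and not Ripple's code: a Python sketch of the "hashed" versus "unhashed" memo point raised above. It shows that an unkeyed hash of an e-mail address in a memo can be matched by anyone who can guess the address, while an HMAC under a per-person key kept off the ledger stops being linkable once that key is deleted. `MemoReferences`, `plain_hash` and `guess_identifier` are hypothetical names; the address is the sample used in the thread.

```python
import hashlib
import hmac
import secrets

SAMPLE_EMAIL = "john.doe@company.nl"  # sample address from the thread


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier, as it might be written to a memo."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def guess_identifier(memo_value: str, candidates: list):
    """Return the candidate whose unkeyed hash equals the memo value, if any.

    E-mail addresses are guessable, so an unkeyed hash only hides them
    from people who have no list of likely addresses.
    """
    for candidate in candidates:
        if plain_hash(candidate) == memo_value:
            return candidate
    return None


class MemoReferences:
    """Hypothetical off-ledger store holding one random key per person."""

    def __init__(self):
        self._keys = {}  # identifier -> 32-byte secret, never written on-ledger

    def memo_value(self, identifier: str) -> str:
        # Value to place in the memo: HMAC-SHA256 under the person's own key.
        key = self._keys.setdefault(identifier, secrets.token_bytes(32))
        return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

    def matches(self, identifier: str, memo_value: str) -> bool:
        # Linking a ledger memo back to a person requires the stored key.
        if identifier not in self._keys:
            return False
        return hmac.compare_digest(self.memo_value(identifier), memo_value)

    def forget(self, identifier: str) -> None:
        # Deleting the key leaves the on-ledger value as an unlinkable tag.
        self._keys.pop(identifier, None)
```
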
