Lesson 3: Who Can Even Touch the Data?


GDPR outlines three key roles: the data subject (the person the data is about), the data controller (who decides why and how the data is processed), and the data processor (who acts on the controller’s behalf).

In traditional setups, these roles are easy to spot. But in decentralised networks, things get murky. There may be no central operator or company, but GDPR still demands that someone is accountable.

If you run a dApp frontend and you determine which data gets collected and how it’s handled, you’re likely a controller. If you’re a node operator who helps validate transactions and influence governance, you might be a joint controller, even if you don’t store the data permanently. If you process data on behalf of another entity (like a frontend relaying data to a backend), you may be a processor.

Joint controllership is also an important concept: if multiple parties together decide how personal data is handled, they may be jointly responsible. 

The takeaway? Your role under GDPR depends on your actual influence, not your job title or how decentralised your branding is. If your actions shape how personal data flows through a system, GDPR may hold you responsible.

Reading: EUCI GDPR Booklet – Responsibilities & Roles (Sections III, VIII)
