Can a DAO be required to comply with privacy regulations for the transfer or sharing of personal data with third parties?
A DAO can be required to comply with privacy regulations for the transfer and sharing of
personal data with third parties, if it falls within the scope of the respective data privacy
regulations. This depends on the individual case, in particular on the activities of the given DAO.
For the German market, the GDPR is currently the regulation most likely to be relevant.
In principle, the GDPR does not differentiate between transfer, sharing and other forms
of processing of personal data (see Art. 4(2) GDPR). This means that all general obligations
related to the processing of personal data apply here accordingly. Additionally, some specific
obligations regarding the transfer of data to third countries and international organizations
(see Chapter 5 GDPR) may apply.
In principle, the applicability of the GDPR requires that the DAO is established in the territory of
the EU and processes personal data in a wholly or partly automated manner. However, not
all entities falling under the GDPR are automatically subject to all relevant obligations arising
from it. In particular, some relevant obligations require that the DAO qualifies as a controller
as set out in Art. 4 GDPR. That means that the DAO must, alone or jointly with others,
determine the purposes and means of the processing of personal data.
Consequently, whether a DAO is required to comply with privacy regulations for the
transfer or sharing of personal data with third parties depends on the circumstances of the
given case and hence requires a case-specific assessment.