Employee data can be used to facilitate work, but their misuse may pose risks for individuals. Inverse transparency therefore aims to track all usages of personal data, allowing individuals to monitor them to ensure accountability for potential misuse. This necessitates a trusted log to establish an agreed-upon and non-repudiable timeline of events. The unique properties of blockchain facilitate this by providing immutability and availability. For power-asymmetric environments such as the workplace, permissionless blockchain is especially beneficial, as no trusted third party is required. Yet two issues remain: (1) In a decentralized environment, no arbiter can facilitate and attest to data exchanges. Simple peer-to-peer sharing of data, conversely, lacks the required non-repudiation. (2) With data governed by privacy legislation such as the GDPR, the core advantage of immutability becomes a liability. After a rightful request, an individual's personal data need to be rectified or deleted, which is impossible in an immutable blockchain. To solve these issues, we present Kovacs, a decentralized data exchange and usage logging system for inverse transparency built on blockchain. Its new-usage protocol ensures non-repudiation, and therefore accountability, for inverse transparency. Its one-time pseudonym generation algorithm guarantees unlinkability and enables proof of ownership, which allows data subjects to exercise their legal rights regarding their personal data. With our implementation, we show the viability of our solution. The decentralized communication impacts performance and scalability, but exchange duration and storage size are still reasonable. More importantly, the provided information security meets high requirements. We conclude that Kovacs realizes decentralized inverse transparency through secure and GDPR-compliant use of permissionless blockchain.