Blockchain vs Data protection
At first sight, blockchain technology and the General Data Protection Regulation (GDPR) seem to be intrinsically incompatible. The convergence of personal data protection and blockchain technology therefore raises complex data privacy and data protection issues.

A blockchain is construed as a type of distributed ledger technology that is a replicated, shared and synchronised digital data structure spread across multiple sites and jurisdictions. Data are recorded in blocks which are linked together in chronological order to form a chain – the blockchain.
When blockchain technology is confronted with the legal framework for protecting personal data, the challenges are immense.
In terms of regulatory compliance, it is important to mention:
- The immutable nature of blockchain poses compliance challenges with regulations such as the GDPR in Europe, which provides the right to be forgotten and the deletion of personal data.
- Some blockchains, such as the Bitcoin or the Ethereum blockchains, are public and specific data types related to transactions can be consulted by anyone, which poses risks for the personal information stored on them.
- Although transactions can be pseudonymous, it is often possible to trace a person's real identity through in-depth analysis.
Conversely, the use of blockchain ultimately offers advantages for the protection of personal data, in particular:
- Once data has been entered into a blockchain, it cannot be modified or deleted, thus preventing malicious alteration.
- Data is often encrypted, ensuring that it can only be read by authorised persons.
- Data is not stored on a single server, but distributed across numerous nodes, reducing the risk of data loss.
- Blockchain enables the use of pseudonymous identities, limiting the amount of personal information shared.
Can these benefits offset the risks and challenges that the use of blockchain poses to the protection of personal data? Blockchain and crypto-assets have revolutionised various sectors, from finance to supply chain management. However, integrating personal data rules into decentralised systems poses unique challenges, in particular regarding the types of data collected, the potential data controllers, and their roles within blockchains.
Types of Data Collected and Pseudonymisation
According to the GDPR, ‘personal data’ refers to any information related to an identified or identifiable natural person. This includes online identifiers provided by devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers, or other identifiers. Even a dynamic IP address may constitute personal data.
In a blockchain, the types of personal data collected may include:
- Transaction Data: Details about a transaction amount, timestamp, and involved parties’ addresses.
- Identifiers: Addresses or public keys (analogous to bank account numbers).
- Metadata: Additional information such as IP addresses, device identifiers, and geolocation data (collected indirectly).
Although some argue that "blockchain data" is anonymous because it does not include names, what is processed is in fact often pseudonymised data. Pseudonymised data refers to personal data that cannot be attributed to a specific natural person without additional information. Unlike anonymous information, which is not covered by the GDPR, pseudonymised data remains personal data and its processing falls within the scope of the GDPR. The same applies to encrypted data and hash functions: they may contribute to the confidentiality of personal data but do not render personal data irreversibly anonymous.
For instance, public keys that function as identifiers in blockchains, while concealing the identity of an individual, are linked to a specific natural person who can be identified through additional information. Therefore, they qualify as personal data.
Luxembourg virtual asset service providers (VASPs), such as providers of exchange services and of custodian wallets for virtual currencies, and crypto-asset service providers (CASPs), perform KYC and AML duties. These providers store real identities that reveal the person behind a public key.
Additionally, public keys may reveal patterns of transactions, which could be used to identify an individual user through transaction graph analysis.
On the Bitcoin blockchain, encrypted data can also reveal a user and transaction nexus, allowing transactions to be traced back to a specific user. Public keys can also be traced back to IP addresses and geolocation data, aiding in the identification of a user.
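The point above that hash functions do not render personal data irreversibly anonymous can be checked directly. The following is an added example, not part of the original article: the identifiers, names and key are constructed sample values, and the function names are hypothetical. It compares an unsalted digest of an identifier with a keyed digest whose key plays the role of the "additional information".

```python
import hashlib
import hmac

# Constructed sample data: identifiers a provider might hold off-chain (e.g. KYC records).
KYC_RECORDS = {
    "alice@example.com": "Alice Example",
    "bob@example.com": "Bob Example",
    "carol@example.com": "Carol Example",
}

def plain_hash(identifier: str) -> str:
    """Unsalted SHA-256 digest, as might be written to a ledger instead of the identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 pseudonym; the key is the 'additional information' kept off-chain."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

def relink(digest: str, candidates, digest_fn):
    """Return the candidate identifier whose digest matches the stored one, or None."""
    for candidate in candidates:
        if hmac.compare_digest(digest_fn(candidate), digest):
            return candidate
    return None

def demo() -> dict:
    key = b"constructed-demo-key-held-off-chain"   # assumption: held only by the controller
    wrong_key = b"some-other-key"
    on_chain_plain = plain_hash("bob@example.com")
    on_chain_keyed = keyed_hash("bob@example.com", key)
    return {
        # Anyone holding a list of candidate identifiers can re-link the unsalted digest.
        "plain_relinked": relink(on_chain_plain, KYC_RECORDS, plain_hash),
        # Without the key, the same candidate list does not match the keyed digest.
        "keyed_without_key": relink(on_chain_keyed, KYC_RECORDS, plain_hash),
        "keyed_wrong_key": relink(on_chain_keyed, KYC_RECORDS,
                                  lambda c: keyed_hash(c, wrong_key)),
        # The key holder can still attribute the digest to a person.
        "keyed_with_key": relink(on_chain_keyed, KYC_RECORDS,
                                 lambda c: keyed_hash(c, key)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Both digests remain attributable to a person: the unsalted one by anyone with a candidate list, the keyed one by whoever holds the key.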
Data Controller in Decentralised Networks
Under the GDPR, a data controller is the entity that determines the purposes and means of processing personal data – essentially, it decides "the why and the how" of processing personal data. In a traditional centralised system, determining the data controller may be relatively straightforward.
However, in a decentralised network, this is not the case. Data processing activities are distributed across numerous participants that validate and record transactions (network nodes), with each node having partial control over the data. Various other actors can also influence how personal data is processed on a blockchain. Blockchain actors may include:
- Entities using an application anchored on a blockchain layer: For example, the user of a smart contract algorithm qualifies as data controller.
- Software developers: Those who use or contribute to the establishment and maintenance of a blockchain are unlikely to qualify as data controllers.
- Miners: Miners are unlikely to qualify as controllers since they only validate the transactions submitted by participants and do not intervene in the substance of these transactions.
- Nodes: Nodes that store transactions in their own copy of the distributed database may be considered controllers.
- Users as natural persons entering personal data in the blockchain: These users may exceptionally not be considered data controllers if data is processed in the course of a purely personal or household activity. However, if transactions are part of a professional or commercial activity or conducted on behalf of other persons, the user can be considered a data controller, as is the case for VASPs and CASPs, for example.
GDPR obligations and rights
The GDPR aims to protect individuals' privacy and gives them control over their data. Key principles and rights with which data controllers must comply include: data minimisation and purpose limitation, data subject rights, and accountability.
In the context of blockchains, complying with these principles is particularly challenging since blockchains are not a technology that can easily be equated with data minimisation. Furthermore, certain rights, such as the right to erasure, conflict with the immutable nature of blockchains which were purposefully designed to make any unilateral data modification hard.
Conclusion
Reconciling blockchain with the protection of personal data is conceivable, even if the convergence of personal data and blockchain technology presents significant challenges. While the GDPR provides a comprehensive framework for data protection, its application to decentralised networks is complex and may require innovative technical solutions.
Article provided by INPLP members: Virginie Liebermann and Michel Molitor (Molitor, Luxembourg)
Dr. Tobias Höllwarth (Managing Director INPLP)