Blockchain involves various computers that are located in different states around the world so that the jurisdictions and applicable laws are questionable and assumingly not known to the parties using the blockchain technology.

In principle a blockchain is a distributed ledger, that can be defined as a replicated, shared, and synchronized digital data structure maintained by consensus algorithm and spread across multiple locations, countries, and/or institutions. In the blockchain digitally recorded data are stored in packages called blocks which are linked together in chronological order. It is technically very difficult to change the order such blocks, without changing the order of all subsequent blocks. Each block on the network contains a complete copy of the entire ledger, from the first block created to the most recent block and each block contains a hash pointer as a link to a previous block, a timestamp and transaction data.

In order to be legally compliant, GDPR requires that a data controller is in compliance when implementing projects which involve the processing of personal data of customers, employees or third parties. Below are some questions, which should be considered before the blockchain technology is used for processing of such personal data:

  • Whose personal data are involved?
  • What type of personal data will be processed?
  • Will special categories of personal data be processed?
  • Who is the data controller? Is there a single data controller or are there several data controllers?
  • Who is the data processor? Are there various data processors further down the processing chain?
  • Are there any other parties involved with the data processing? What is their involvement?
  • Is there transfer of personal data outside the EU? Are there appropriate legal safeguards implemented for such transfer like Model Clauses, Privacy Shield, Binding Corporate Rules?
  • What type of blockchain technology will be used for the processing?
  • Can this processing project be carried out in such a way that data protection does not apply, considering its scope?

Furthermore, other GDPR issues for the specific processing activity should also be considered:

  • Will the processing be carried out in a fair, lawful and transparent manner?
  • Are there sufficient operational and technical measures in place to safeguard the personal data from unauthorised acts of interference, amendment, deletion or similar?
  • Can the personal data be modified after request by the data subject?
  • Is the processing activity designed in such a manner that it is minimized to the greatest extent possible?
  • Can the personal data be erased, in the context of the data subject’s right to be forgotten?
  • How is the reporting on the blockchain technology’s use carried out in a legally compliant manner?

Further, given the cross-border nature of the blockchain technology, and the GDPR’s broad territorial reach, GDPR  rules are likely to apply to many blockchain based transactions that have little or no connection to Europe.