Skip to main content
JUST TECH SOLUTIONS
7 min read A.F.

GDPR and Blockchain — How Do They Fit Together?

The GDPR guarantees the right to erasure of personal data. Blockchain technology is built on immutability. These two principles stand in seemingly irreconcilable contradiction. For DAO projects operating in Europe or serving European users, this contradiction is not a theoretical problem but a concrete compliance challenge.

At Just Tech Solutions, we regularly advise projects facing exactly this question. In this article, I describe how we resolve the tension in practice, which strategies have proven effective, and how you can build a decision framework for your own project.

Understanding the Contradiction

Article 17 of the GDPR, the "right to be forgotten," gives data subjects the right to request the erasure of their personal data. The controller must comply with this request "without undue delay," unless exceptions apply.

On a blockchain, data once written cannot be deleted. This is not a technical deficiency but the central design principle. The immutability of the blockchain is the foundation for trust, transparency, and tamper resistance. Without it, a blockchain would be merely a slow database.

However, not everything stored on a blockchain constitutes personal data under the GDPR. And not all data in a blockchain project needs to reside on the blockchain. This is where the solution begins.

What Constitutes Personal Data on a Blockchain?

The GDPR defines personal data as any information relating to an identified or identifiable natural person. In the blockchain context, the key question is: is a wallet address personal data?

The answer from European data protection authorities is nuanced but tends toward yes. An Ethereum address is pseudonymous, not anonymous. If it can be linked to a real person, whether through KYC data at an exchange, through public association via ENS, or through transaction patterns that enable identification, then it is personal data.

This means: transaction data containing a wallet address is potentially personal. Governance votes assigned to an address are potentially personal. On-chain messages sent from an identifiable address are potentially personal.

The practical consequence: minimize the amount of personal data that ends up on-chain. Everything that does not strictly need to be on-chain belongs in off-chain systems.

Strategy 1: Strict On-Chain/Off-Chain Separation

The most effective pattern is a clear architectural separation: only data that contains no personal information, or that has been anonymized through aggregation, is stored on-chain. Personal data is managed exclusively off-chain.

In concrete terms, this means:

  • On-chain: Voting results (aggregated, not per address), smart contract logic, token transfers, cryptographic hashes as integrity proofs.
  • Off-chain: User profiles, communications, membership lists, personal settings, anything that could identify a natural person.

The connection between on-chain and off-chain is established through cryptographic references. A hash of a document can be stored on-chain to prove its existence and integrity at a specific point in time, without revealing the document's content. If the off-chain document is deleted, the on-chain hash becomes meaningless.

Strategy 2: Hashes Instead of Plain Data

When you need to prove that a specific event occurred without revealing the details, cryptographic hashes are the tool of choice. Example: a DAO wants to prove that a specific member voted at a specific time, without permanently linking the vote to the member's identity.

The process: the vote is stored off-chain, along with all personal details. A hash of the vote is written on-chain. As long as the off-chain data exists, anyone can verify integrity by recomputing the hash. If the member is deleted and the off-chain data removed, the hash remains on-chain but can no longer be attributed to a person.

Important: the hash must be computed in a way that makes it practically impossible to infer the input data. With small input spaces, such as when only a few people were eligible to vote, an attacker could try all possible inputs. In such cases, a salt must be used that is deleted together with the off-chain data.

Strategy 3: Privacy Layers and Zero-Knowledge Proofs

For use cases where data must be verifiable on-chain but should not be readable, zero-knowledge proofs (ZKPs) offer an elegant solution. A ZKP can prove that a statement is true without revealing the underlying data.

In the GDPR context, this means: instead of storing personal data on-chain, only a ZKP is stored that proves a certain property. For example: "This address belongs to a verified EU citizen" or "This member has the required reputation for this vote."

The challenge lies in the technical complexity. ZKP systems like zk-SNARKs or zk-STARKs require specialized knowledge and are computationally intensive. For most DAO projects, the hash-based strategy is more pragmatic. But when requirements demand it, ZKPs are the most privacy-friendly solution.

Who Is the Controller?

One of the most difficult GDPR questions in the blockchain context concerns the data controller. The GDPR assumes that there is an identifiable controller, a natural or legal person who determines the purposes and means of data processing.

With a public, permissionless blockchain, it is unclear who this controller is. Is it the developer of the smart contract? The node operator? The DAO as an organization? Every individual user who initiates a transaction?

European case law has not yet provided a definitive answer. But for DAO projects that operate as a recognizable organization and run infrastructure, we recommend a pragmatic approach:

  • The DAO or its legal wrapper (e.g., a GmbH or foundation) assumes the role of controller for off-chain data.
  • For on-chain data, the position is maintained that through minimization and anonymization, this data does not fall under the GDPR.
  • A data protection concept transparently documents the measures taken and the reasoning.

Decision Framework: What Belongs On-Chain?

Before you write data on-chain, ask yourself four questions:

1. Does the data contain personal information? If yes, check whether it can be anonymized or pseudonymized before going on-chain. If anonymization is not possible, it does not belong on-chain.

2. Is immutability strictly necessary? Not every piece of data needs blockchain guarantees. Ask yourself honestly whether a signed database would serve the same purpose. If so, choose the simpler solution.

3. Can the data be linked to a natural person? Even seemingly anonymous data can become identifiable through correlation. Transaction patterns, timestamps, and amounts can, in combination, identify a person even when no address is directly assigned.

4. What happens when a deletion request arrives? Walk through the scenario: a user submits a deletion request under Article 17 GDPR. Can you comply? If the answer is "no" because the data resides on-chain, you have a problem. Restructure the architecture before going to production.

Practical Recommendations

Based on our consulting practice, we recommend the following measures for DAO projects:

  • Privacy by design: Data protection must be built into the architecture from the start, not retrofitted. The decision about which data goes on-chain and which stays off-chain should be the first architectural decision.
  • Data minimization: Store only the absolute minimum on-chain. Every additional byte of personal data on-chain increases compliance risk.
  • Documentation: Create a record of processing activities that clearly breaks down which data is stored where, which legal basis applies, and how data subject rights are ensured.
  • Technical measures: Implement hash-based referencing consistently. Use encryption for all off-chain data. Consider ZKPs for sensitive use cases.
  • Legal counsel: This article does not replace legal advice. The intersection of GDPR and blockchain is an evolving area of law. Seek specialized legal counsel.

Conclusion

GDPR and blockchain are not an irreconcilable contradiction. They do, however, require conscious architectural design that respects both requirements: immutability for trust and transparency, data protection for the rights of data subjects.

The solution lies not in choosing between blockchain and GDPR, but in the intelligent combination of on-chain and off-chain systems. Those who commit to data minimization and privacy by design from the beginning can have both: the advantages of decentralized systems and compliance with European data protection law.

Back to Blog