4.3
Processing of personal data
under the GDPR
The GDPR regulates the "processing" of personal data.
Processing is defined extremely broadly as:
"any operation or set of operations which is
performed on personal data or on sets of
personal data, whether or not by automated means,
such as collection, recording, organisation,
structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making
available, alignment or combination, restriction,
erasure or destruction."
This effectively captures almost anything one might do
with data, including merely storing it. Blockchain
solutions with the functionality to store or share personal
data will inevitably be involved in the "processing" of that
personal data.
The GDPR requires that personal data must be:
• processed lawfully, fairly and transparently;
• collected (and processed) for specified, explicit and
legitimate purposes (the purpose limitation);
• adequate, relevant and limited to what is necessary for
the purpose for which they are processed (the principle
of data minimisation);
• accurate and kept up-to-date;
• retained (i.e. kept in an identifiable form) for no longer
than is necessary for the purpose for which they are
processed (the storage limitation); and
• processed securely.
The GDPR also requires that all processing of personal
data must have at least one of a defined list of legal bases.
These bases include:
• processing based on the relevant individual's
specific, informed, unambiguous, freely given and
revocable consent;
• processing necessary for the performance of a contract
with the relevant individual;
• processing necessary for compliance with a legal
obligation; and
• processing necessary for the legitimate interests
pursued by the controller or a third party (except
where such interests are overridden by the interests or
fundamental rights and freedoms of the data subject).
Even higher thresholds apply to processing of special
categories of personal data.7
16 I GDPR and the Blockchain