Page 0032


Deleting personal data and

upholding data subject rights

While a detailed contractual governance framework will go

some way to addressing GDPR obligations and concerns,

there are certain data protection problems which remain

unsolved. In particular, these problems stem from a data

subject's rights to request that: (1) their personal data be

deleted; and (2) their personal data be corrected wherever

it is inaccurate.


The right to be forgotten and the

obligation to delete data

1 - The challenge

For its part, one of the most valuable properties of

blockchain technology is its immutable nature. This

ensures the permanence (and, therefore, reliability)

of the data on the blockchain. That being said, the

immutability of data on a blockchain is at odds with a

right to erasure (the so-called 'right to be forgotten') or an

obligation to delete data. This particular challenge is thus

understandably one of the most widely discussed in the

context of the GDPR and blockchain.

As discussed above, it will be difficult in most cases to be

certain that no personal data is stored on the blockchain.

Thus, blockchain solutions must confront the need to

manage personal information in compliance with the

GDPR. This includes abiding by the data minimisation

obligation discussed in Section 4.3, and the right to

erasure discussed in Section 4.6 (A).

The data minimisation obligation will be satisfied so

long as the data are limited to what is necessary for

the purpose for which they are processed. Thus, if the

personal data stored on the blockchain remain necessary

for the purpose for which they are processed, retention

of the data on the blockchain does not violate the data

minimisation obligation. Similarly, the qualified right to

erasure does not require blockchain members to delete

personal data if a valid purpose still exists to process

that data. As discussed above, one such valid purpose is

where the processing of said data is required by EU or EU

Member State law.

In almost all cases, however, after a sufficient period of

time, personal data will no longer need to be retained to

fulfil the purposes for which it was collected. At this point,

the exception to the right of erasure will no longer apply

and the personal data must be deleted upon a request

by the relevant individual. Additionally, the obligation in

Article 5 of the GDPR (to retain personal data for only

so long as is necessary for the purpose for which it is

processed), requires data controllers to delete personal

data once they are no longer needed, even absent a

request from the individual. Almost any means used to

store personal data in a business context must, therefore,

enable deletion of that personal data.

2 - Potential solution: Blockchain "pruning"

If the personal data on a particular blockchain network

must be retained for a certain number of years to satisfy

a particular legal or regulatory obligation, one option

may be to "prune" the blockchain. Pruning is the process

of deleting historical blocks on the blockchain that

pre-date a certain point in time. For example, if regulation

requires data to be stored for seven years, the blockchain

governance framework could require that all participants

in the blockchain network delete all blocks of data that are

greater than seven years old.

30 I GDPR and the Blockchain


  1. Page 0001
  2. Page 0002
  3. Page 0003
  4. Page 0004
  5. Page 0005
  6. Page 0006
  7. Page 0007
  8. Page 0008
  9. Page 0009
  10. Page 0010
  11. Page 0011
  12. Page 0012
  13. Page 0013
  14. Page 0014
  15. Page 0015
  16. Page 0016
  17. Page 0017
  18. Page 0018
  19. Page 0019
  20. Page 0020
  21. Page 0021
  22. Page 0022
  23. Page 0023
  24. Page 0024
  25. Page 0025
  26. Page 0026
  27. Page 0027
  28. Page 0028
  29. Page 0029
  30. Page 0030
  31. Page 0031
  32. Page 0032
  33. Page 0033
  34. Page 0034
  35. Page 0035
  36. Page 0036
  37. Page 0037
  38. Page 0038
  39. Page 0039
  40. Page 0040
  41. Page 0041
  42. Page 0042
  43. Page 0043
  44. Page 0044
  45. Page 0045
  46. Page 0046
  47. Page 0047
  48. Page 0048
  49. Page 0049
  50. Page 0050
  51. Page 0051
  52. Page 0052