Some useful concepts

The objectives of GDPR are to protect, on the territory of the European Union, people whose personal data is processed, and to reinforce the responsibility of those processing this data.

Any private or public company, regardless of the technology they use, that processes personal data of European citizens must comply with certain obligations, which are based on 5 major principles.

  • Inform data subjects so that they can give their consent to the collection and processing of their personal data.

  • Use data in a transparent and relevant way with regard to its collection and processing.

  • Give data subjects access to their data so that they can consult, modify, and delete it at any time.

  • Control and limit the sharing and circulation of data.

  • Secure personal data both electronically and physically.

Understanding whether we are processing personal data is therefore key to understanding whether GDPR applies to activities carried out on a blockchain.

From the previous section, it is easier to see that the legislator's intention is to give control of personal data back to its owner and to limit, or at least frame, its use and processing by the professionals who can have access to it.

What is personal data? What is personal data on a blockchain?

According to CNIL, personal data is "any information concerning an identified or identifiable natural person". Generally, an individual can be identified by a name, an address, a number, but this can also include other identifiers such as an IP address, a cookie identifier or similar identifying metadata collected by a website or an application.

Even if a person cannot be strictly identified from the information processed, that person may still be deemed identifiable. Therefore, only information that is truly anonymous (i.e. rendered anonymous in "such a manner that the data subject is not or no longer identifiable") or not "about" the person is not covered by GDPR.

On a blockchain, the personal data processed can be quite basic, for example a pseudonym, a bank account number, the public address of a wallet, or a signature; or it can be much more complex, such as the transfer of financial or insurance assets, or the "hash" of patients' medical data.

Once processing of personal data is established on a blockchain, GDPR analysis applies: identification of the data controller, enforcement of rights, implementation of appropriate safeguards, security obligations, etc.

Who are the main actors involved in a blockchain?

Data protection originated in the management of centralised data within specific entities. For blockchain technology, the decentralised governance of data and the multiplicity of actors involved in the processing of data make it considerably more difficult to define the role of each actor.

Three types of actors can be identified:

  • The "accessors", who have the right to read and hold a copy of the chain;

  • The "participants", who have the right to make entries, i.e., to carry out a transaction for which they request validation;

  • The "miners", who validate a transaction and create blocks by applying the rules of the blockchain to have them "accepted" by the community.

Which actor acts as the data controller in a blockchain?

According to CNIL, a controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".

CNIL has clarified that participants, who have the right to write on the blockchain and who decide to send data for validation by miners, can be considered as data controllers. Indeed, the participants in the blockchain must define the purposes (objectives pursued by the processing) and the means (data format, use of blockchain technology, etc.) of the processing.

More specifically, CNIL considers that the participant may be qualified as a data controller:

  • "when said participant is a natural person and the processing is related to a professional or commercial activity (i.e., when the activity is not strictly personal);

  • when the said participant is a legal person that registers personal data in the blockchain".

On the other hand, miners are not considered as data controllers, since they only validate the transactions submitted by participants and are not involved in the purpose of these transactions.

The Arweave blockchain and the applications that work on the Arweave blockchain are very promising in terms of data protection by their design and the control offered to users. The Akord protocol and application is a good example.
