Legal Aspects of Blockchain Technology: Data Protection Law


This article is the fifth publication of the series “legal aspects of blockchain technology” by the Frankfurt School Blockchain Center (FSBC), Datarella, and CMS Hasche Sigle. This research is part of the KOSMoS project, a research project funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 02P17D020. The Frankfurt School Blockchain Center gGmbH and Datarella GmbH are part of the “KOSMoS” consortium. Together with partners from the industry (Schwäbische Werkzeugmaschinen GmbH, Alfred H. Schütte GmbH & Co. KG, ASYS Automatisierungssysteme GmbH), academia (Universität Stuttgart, Hochschule Furtwangen), and software development (inovex GmbH, Ondics GmbH), they create a blockchain-based solution allowing manufacturing companies to establish a DLT-based framework for producing machines in order to a) execute dynamic leasing contracts, b) provide transparent maintenance documentation and c) ensure high-quality documentation of manufactured products.


With the General Data Protection Regulation (GDPR), the issue of data privacy has attracted attention in the public debate. On the one hand, every person and every company operating on the Internet provides and possibly discloses data. On the other hand, data is produced through, e.g., search behavior using search engines. Also, a vast amount of data is created and stored within companies. How does this relate to blockchain technology?

Introduction to data protection law

With the GDPR, data protection law has been mostly standardized throughout Europe. The regulation only protects defined personal data (Art. 2 (1) GDPR): Personal data is information that relates to an identified or identifiable natural person (Art. 4 (1) №1 GDPR). In this context, it is sufficient if there is only a certain probability that a person can be identified.

  • Jane Sample lives in Any City.
  • Description of persons: The boy with shoulder-length hair from Class 1b of school ABC in XYZ has a fountain pen.
  • Text in exams: using text analysis, conclusions about a person can be derived.[1]
  • IP addresses for website providers: via the Internet Service Provider, a specific person can be identified with reasonable effort.[2]
  • 35 persons live in Any City (not referable to one person).
  • Machine X is worth EUR 454,323 (not related to a person)

Location of the computer nodes

In most cases, the nodes of a blockchain network are widely dispersed around the world or at least rarely located in one country. This dispersion is a major factor behind the resilience and decentralized nature of blockchain technology. Legally, it is important to discuss, especially in terms of data protection, how data stored on a blockchain in different countries, each with different data protection laws, should be handled. As this could quickly lead to significant complexity, we assume that almost all nodes are physically located in EU territory.

Personal data

In the EU, the location of computing nodes is irrelevant since personal data are equally protected throughout the area (cf. Art. 44 GDPR). However, personal data may not be transferred to third countries unless their protection is also guaranteed in these areas (Art. 44 GDPR). If, for example, data protection in the third country is equivalent to the GDPR, data may be stored there in the same way as in the EU. This is specified by the EU Commission in a specific list.[3] Otherwise, according to Art. 46 GDPR, special contractual clauses or organizational guarantees are required to protect personal data from unauthorized access. The most important case is the conclusion of the so-called EU standard contractual clauses[4] between the data exporting and data importing company in the third country. If these are concluded, the level of data protection in this third country is considered adequate, and personal data may be transferred and processed there.

Machine data

From a legal perspective, there are far fewer restrictions on where computing nodes may be located if they process machine data instead of personal data. On the assumption, however, that machine data are protected within the EU, for example, by certain database rights, this protection no longer exists if the data are stored on computer nodes abroad and the respective foreign legal system does not have a corresponding database right.[9] While other jurisdictions may provide database protection comparable to that in Europe, this would have to be clarified on a case-by-case basis. Besides, the parties are, of course, free to agree on contractual confidentiality clauses which contribute to the protection of machine data.

Personal data

The processing of personal data by a company without a legal basis is inadmissible. It may result in fines and other measures by data protection supervisory authorities (Art. 58, 83 GDPR) as well as lawsuits by affected persons, e.g., for damages (Art. 79, 82 GDPR).

Machine data

In the case of machine data, a risk may exist under certain circumstances. If this machine data originates from third-party databases and can possibly be classified as trade secrets, there is such a risk.


[1] ECJ, 20.12.2017, Nowak, ECLI:EU:C:2017:994.

About KOSMoS

KOSMoS is a research project funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 02P17D020. More information about the project can be found on the website.





Jonas Gross


Jonas Gross is Chairman of the Digital Euro Association (DEA) and Head of Digital Assets and Currencies at etonec. Further, Jonas holds a PhD in Economics.