How does data protection law apply to blockchains?
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
- What personal information could be on a blockchain?
- When will data protection law apply to blockchain?
- Who is the controller in a blockchain?
- What are the considerations for individual rights when using blockchain?
- What issues does blockchain present for compliance with the data protection principles?
What personal information could be on a blockchain?
On-chain data may include personal information. If you plan to set up a blockchain or join an existing blockchain platform, you need to consider data protection.
Under the UK GDPR, personal data is any information relating to an identified or identifiable natural person. This can include things like ‘online identifiers’, a term explained in recital 30 of the UK GDPR:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
The examples provided above – IP addresses, cookie identifiers and RFIDs – are non-exhaustive and, depending on the context, a range of other online identifiers may be personal information.
In the context of blockchain, online identifiers can include:
- unique transaction identifiers;
- wallet addresses; and
- smart contract addresses.
Example – Wallet addresses
In the Bitcoin blockchain, a successful transaction needs the cryptocurrency account details (wallet addresses) of both the sender and recipient. The ledger records these addresses, along with the transaction details. Wallet addresses are unique and are effectively ‘online identifiers’ for their owners (ie the people using them). Therefore, they could count as personal information.
When will data protection law apply to blockchain?
If the information on (or accessible via) a blockchain is personal information then UK data protection law applies, subject to the territorial scope provisions of UK GDPR.
When evaluating what on-chain data is personal information, you should consider how someone could combine it with other sources of information to identify another person. You should consider ‘off-chain data’ (eg Know-Your-Customer data, IP logs), or if you collect additional metadata that makes someone’s re-identification possible.
Some on-chain data, like wallet addresses and transaction details, can belong to organisations rather than people. Where the data processed is about organisations, rather than identifiable people (including employees), then data protection law does not apply.
Example
A business consortium uses blockchain for recording deeds of important milestones in trading activities. They record business information on a blockchain such as trading prices, dates of business activities and completion dates. Although this is sensitive business data, it might not be personal information. If so, data protection law would not apply.
Does UK data protection law apply if we are outside the UK?
For the UK GDPR to apply, the controller or processor needs to be either:
- located in the UK; or
- offering goods or services to, or monitoring the behaviour of, people in the UK.
This means that the UK GDPR may still apply to blockchain participants not located in the UK if they sell goods or services to people in the UK via that blockchain.
This may also be the case for participants involved in generating or mining blocks that record transactions, as this may involve monitoring the behaviour of people in the UK (when there are UK-based people on the blockchain).
Does UK data protection law apply when someone uses a blockchain for a purely personal or household activity?
Data protection law does not apply to personal information used by people for a purely personal or household activity with no connection to a professional or commercial activity.
Organisations providing the means to use personal data will remain subject to data protection law. It is only someone’s use of that data for their own household or domestic activity that would not.
In theory people could use blockchains for personal and household activities. However, the nature of how blockchain works will make it difficult to argue that any processing of personal data is strictly a personal and household activity.
Sharing personal information with an unknown number of people is a strong indicator that a purpose is not purely for personal or household activities. The more people involved, the less likely it is that the data processing could claim to be ‘purely personal or household’.
One of blockchain’s key features is that all participants in the network have a copy of all information at any one time. In a permissionless blockchain scenario, this will include unknown participants who may be in anywhere in the world.
Therefore, by design, any personal information you put on a permissionless blockchain is available to an indefinite number of unknown people. Such unrestricted data sharing is unlikely to be for a purely domestic and household purpose.
When considering the context for using the data, you should think about whether the purpose for using personal data is:
- as part of a business or profession;
- in the context of a commercial activity; or
- in an employment context.
Further reading – ICO guidance
What about blockchain and international transfers?
The UK GDPR includes rules on transferring personal information to recipients outside of the UK where these recipients are not part of the same legal entity as you. Before transferring any personal information outside the UK, you must assess the level of data protection in the countries you want to transfer the personal information to. You should be aware of these obligations and identify the relevant non-UK parties you will share the personal information with. You should carefully verify and vet all blockchain nodes situated outside the UK. You must perform all transfers of personal information from the UK to other jurisdictions in compliance with UK GDPR.
In a permissioned blockchain setting, participants must assess data protection laws in countries where the nodes are located. If needed, participants will also need to put in place appropriate international transfer mechanisms with non-UK participants before processing personal information on-chain.
Further reading
Who is the controller in a blockchain?
The UK GDPR defines a controller as an entity that, alone or jointly with others, determines the purpose and means of processing activities. Controllers exercise overall responsibility for the personal information processed and are ultimately in charge of the processing.
If you are a controller, you must put in place appropriate technical and organisational measures to ensure and demonstrate that you are carrying out your processing in line with the UK GDPR. These must include how you:
- comply with the principles and data protection by design and default obligations; and
- facilitate people’s data protection rights.
The decentralised governance model of blockchains may make it complicated to determine what data protection roles and responsibilities participants have. This is particularly the case with permissionless blockchains. Participants covered by the UK GDPR may include organisations that:
- seek to build or design a blockchain-based solution;
- participate in an existing blockchain solution; or
- provide blockchain infrastructure including blockchain-as-a-service.
As a controller you must tell people if you use their personal information on a blockchain. If the information was initially processed for a certain purpose and you later decide to use it for a further, separate purpose, you must inform the people concerned (as well as ensuring the new purpose is compatible with the previous one). You should not swap to a different lawful basis for processing without good reason.
Joint controllers exist when two or more controllers determine the purposes and means of processing together.
These concepts may apply in the blockchain context as follows:
Participants who create transactions containing personal information and send them for validation (and as such permanently include them in a block) are likely to be controllers. This is because they make decisions about the purposes (the ‘why’ of the processing) and the means (the ‘how’, eg embedding personal information in a blockchain transaction and broadcasting it to the network). If a group of participants perform this role, they will likely be joint controllers, depending on the arrangement’s specifics.
Participants who operate validator nodes will likely be processors, as long as they only validate transactions that other participants write and do not define the purposes and means of the processing. However, validators may be controllers if they have more decision-making power, like in more centralised, private or permissioned blockchains.
Example
If an educational institution chooses to use blockchain to issue educational credentials to prove that the holder has a qualification (ie a degree), the institution would be the controller. This is because the educational institution has determined the purpose and means for processing; the personal information that the educational credential contains.
If a blockchain participant uses the services of supporting infrastructure providers (eg smart contract developers, smart contract auditors or digital wallet developers), then these providers will be processors where they process personal information on behalf of the blockchain participant. The controller (or joint controllers, where applicable) are responsible and accountable for data protection compliance.
Example
A consortium decides to set up a permissioned blockchain for their business purpose. The consortium uses an external third party to maintain the blockchain infrastructure and carry out transaction validation, against a set of instructions.
The third party has no say in deciding the purpose or means. They only carry out transaction processing according to the consortium’s instructions and receive payment for their technical support in return.
In this case, the third party only acts on behalf of the consortium. They are therefore a processor.
A person who uses the blockchain for purely household purposes is not a controller. However, when organisations provide the means for such processing, data protection law applies.
Example
When a person acts as a participant and uses blockchain to make online purchases or invest in trading platforms, they will not be a controller for this processing of personal information if they are doing it in a purely personal or household context.
This does not mean that the organisations or person(s) providing the means for such an economic activity are out of scope of data protection law.
If you are part of a consortium and you decide to put personal information on a blockchain or direct someone to process personal information, you must undertake a factual assessment. This assessment is to decide the degree of your respective data protection responsibilities. If you are a joint controller, all of you must:
- transparently set out the compliance responsibilities of each participant by means of an arrangement;
- make the essence of this arrangement available to people; and
- decide on how the joint controllers are going to facilitate people’s rights (for example, by specifying a single point of contact).
Example
Several organisations collaborate to design a blockchain-based betting application that they will all use. The application offers betting services to players registered with them. The organisations may have different levels of influence over the processing of player data, but they all take part in deciding what happens, how it happens and why. These organisations will be joint controllers and will need to set out responsibility amongst themselves for compliance with controller obligations.
Processors act on behalf of the relevant controller and under their authority. If you are acting as a processor, then you must:
- put in place a contract to govern the processing of personal information and include the requirements listed in Article 28(3); and
- only act in accordance with the contract with the controller, including when engaging other validator nodes.
Relevant provisions in the legislation
Further reading
What are the considerations for individual rights when using blockchain?
If you are planning on using blockchain in products that use personal information and the UK GDPR applies, then you must adopt a data protection by design approach. This means that, before you use a blockchain solution, you must consider how you will:
- handle personal information;
- protect it appropriately; and
- enable people to exercise their rights.
People whose personal information is processed on blockchain have the same rights as they do in any other processing scenario. However, some of the inherent features of blockchain can make it challenging for controllers to facilitate those rights.
Thinking about these issues at the design stage will help you ensure that people can exercise their data protection rights effectively.
Blockchain and the right to be informed
The right to be informed is a key transparency requirement of data protection law. You must provide people with privacy information when you collect their personal information. This includes information such as:
- your purpose for processing their personal information,
- your retention period for that personal information; and
- who you will share it with.
Our guidance on lawful bases explains that if there’s a genuine change in circumstances, or you have a new and unanticipated purpose that means there’s a good reason to review and change your lawful basis, then you must inform the people concerned and document the change. This should include updating your privacy information. In particular, you must also inform people of their right to object to processing.
In a permissioned blockchain, the identified controller can comply with this individual right straight away. If you are using a permissioned blockchain, you must fulfil these transparency requirements immediately. You must inform people if you are going to record their personal information on a blockchain.
Organisations may struggle to demonstrate compliance with these requirements when processing personal information on a permissionless blockchain. For example, it is not possible to describe the recipients or categories of recipients of personal information on a permissionless blockchain because their identities are unknown. This presents challenges for complying with the right to be informed.
Further reading
Blockchain and the rights to rectification and erasure
Blockchain’s immutability can pose challenges for compliance with the rights of erasure and rectification in the UK GDPR, as well as the storage limitation principle.
For example, the inability to modify a given block makes it conceptually challenging to rectify any inaccurate personal information within that block or to erase that information. In practice, although it is possible to include a new block amending the details to improve accuracy, it is more difficult to erase on-chain data.
If you rely on consent to process personal information, then people have to be able to withdraw that consent at any time. If someone does so, then you must stop any processing based on this consent.
If someone makes an erasure request, you must comply with this request without delay, unless you have another purpose under another lawful basis to continue to hold their personal information.
As part of taking a data protection by design approach, you must consider how you can enable these rights, considering the specifics of your implementation and the data involved. For example, you should consider whether you can:
- use a later transaction to ‘cancel’ an earlier one (in the context of the right to rectification);
- put information beyond use (in the context of the right to erasure); or
- avoid putting personal information on the blockchain in the first place (ie using off-chain storage approaches).
In practice, you should consider using off-chain storage to hold any personal information about people and their transactions.
Off-chain storage uses traditional storage mediums, such as servers or cloud storage. The blockchain refers to it via a ‘pointer’. Usually, a hash of the data is also linked in the transaction to ensure its integrity.
In the case of a rectification request, you can modify the data at the location and update the hash with a new transaction entry to the ledger. In response to an erasure request, you can delete the off-chain data and the on-chain ‘pointer’ will become a ‘null pointer’, as it now points to nothing.
Off-chain storage makes it easier for you to respond to erasure and rectification requests. This is because you can respond to the requests by rectifying or erasing the personal information held off-chain, without needing to make any changes to the blockchain itself. Off-chain data storage can help with principles like data minimisation, storage limitation and individual rights, provided the ‘pointer’ cannot be linked to a person or used to single out and take action against someone.
Technological advancements or certain blockchains may allow ‘purging’, ‘pruning’ or deleting of historical data from a certain time period. The idea is to retain only essential data and use summary blocks after a certain point. However, you need to think about whether essential data that you cannot delete includes personal information.
Further reading
Blockchain and automated decision-making (ADM)
Article 22 of the UK GDPR gives people the right not to be subject to solely-automated decisions that have legal or similarly significant effects on them. A solely-automated decision is one that has no meaningful human involvement.
This is relevant for the way blockchains process personal information, particularly in the context of smart contracts.
Smart contracts embed instructions for carrying out activities in an automated way, using data provided by the transaction sender. Smart contracts can also pull data from other sources outside of the blockchain ecosystem. These sources are referred to as data oracles. Once a smart contract is installed on a blockchain, there is no human intervention involved in the processing of on-chain data.
If the decision carried out by a smart contract involves the processing of personal information and has a legal or similarly significant effect on the data subject, this would engage Article 22 of the UK GDPR.
If you are making solely-automated decisions with legal or similarly significant effects, you can only do so if one of the exceptions outlined in Article 22(2) applies, and if you have appropriate safeguards in place.
You can only make solely-automated decisions with legal or similarly significant effects on someone when the decision is:
- necessary for entering into, or performance of, a contract between the individual and a data controller;
- authorised by law; or
- based on someone’s explicit consent.
Can a smart contract trigger the contract exception?
Yes, in some cases. If the automated decision-making encoded in a smart contract is necessary for entering into or for the performance of a contract, this could trigger the contract exception in Article 22(2) and implement the measures of Article 22(3), provided it meets the requirement for contract law.
For example, the UK Jurisdiction Taskforce determined that a smart contract can be considered a legal contract, provided that it meets the requirements for contract law in England and Wales.
However, controllers should consider on a case-by-case basis whether a smart contract constitutes a legally binding contract and must consider whether the automated decision-making is necessary for its performance.
Can we rely on explicit consent?
You may be able to rely on the explicit consent exception if you are making solely-automated decisions with legal or similarly significant effects. For this, you must ensure consent is:
- freely given;
- specific and informed; and
- an unambiguous statement of the person’s wishes.
Further reading
- Read our guidance on Automated decision-making and profiling
- Consent
What issues does blockchain present for compliance with the data protection principles?
The ongoing sharing and replication of records across multiple blockchain nodes results in persistent progression of the ledger. This has implications for compliance with the UK GDPR principles, particularly purpose limitation, data minimisation and storage limitation.
Blockchain and purpose limitation
Your purposes for using personal information must be specific, explicit and legitimate. This means you must be clear from the outset about why you need to use personal information on a blockchain.
Later, if you want to process for a new, different purpose, you must assess whether that is compatible with the purpose(s) for which you initially collected the personal information.
If a controller of a blockchain wants to use that personal information for a new purpose, they can only do so if that new purpose is necessary and compatible with the original purpose.
Any new participant to the blockchain will receive a copy of the ledger when they join the network. If they decide to use personal information on that network for a new purpose they must also take these steps to comply with the purpose limitation principle.
Blockchain and data minimisation
The data minimisation principle means you must only collect, process and store the personal information necessary to achieve your purpose. As the size of the on-chain ledger increases and more participants join the network, the purpose and means of processing may change over time. You must take this into account and consider ways to comply with the data minimisation principle, such as using off-chain data storage or data purges.
Blockchain and storage limitation
The storage limitation principle means you must only keep personal information for as long as you need it to achieve your purpose.
You must consider whether it is necessary and proportionate to retain the data for as long as the blockchain in question exists. You should implement solutions such as off-chain data storage, as these can be useful ways to comply with the storage limitation principle. This is because it would not affect the blockchain’s overall integrity if you erased the off-chain data in line with a retention period. You must think about this from the start of the design phase.