The Blockchain is a database in which data are stored and distributed on many computers and in which all the entries made in the register, called “transactions”, have been visible to all users since its creation.
The Blockchain is not, by itself, a data processing with a purpose in its own: it is rather a technology, which can serve as a support for various processing.
This technology raises many questions, including its compatibility with the GDPR. For this reason, the CNIL has proposed concrete solutions to the actors wishing to use it in the context of a personal data processing.
The Blockchain is a technology whose concrete interest in the objectives and characteristics of each processing must be appreciated.
In this context, the CNIL called the actors to envisage at the early stages, in application of the data protection principle (Privacy by Design provided by Article 25 of the GDPR), the opportunity to use blockchain technology instead of alternative technology to implement their processing. The controller must also envisage the type of Blockchain to favour.
As regarding the exercise of data subjects’ rights, the French supervisory authority explained that certain rights can be exercised (for example, the right of access and the right to portability). However, the rights to erasure, rectification and opposition to processing deserve to be evaluated.
Moreover, it is advisable not to resort to storage of personal data in plaintext on the Blockchain.
The CNIL has also specified that the principles related to security remain fully applicable in the Blockchain. In any case, the data protection impact assessment (DPIA) allows an analysis of the necessity and the proportionality of the device and to identify suitable solutions.