Response to the GDPR-relevant points in the German Blockchain Strategy of September 2019

Sunday September 29th, 2019 by Silvan Jongerius

On September 12, the German Federal Ministry of Economy and Energy, and the German Federal Ministry of Finance published the German Federal Blockchain Strategy (German, PDF).

After analysing the statements relating to data protection and the GDPR, here is a high-level response to the key points.

Blockchain Strategy Implementation Principles [p5]

“IT-Sicherheit und Datenschutz garantieren: Nur wenn Blockchain-Anwendungen den von Expertinnen und Experten empfohlenen Anforderungen an die IT-Sicherheit und den rechtlichen Anforderungen des Datenschutzes genügen, können Risiken minimiert, Missbrauch verhindert und eine hohe Akzeptanz erreicht werden.”

Machine Translated Version
“Guarantee IT security and data protection: Only if blockchain applications meet the IT security and legal requirements for data protection recommended by experts can risks be minimized, misuse prevented and a high level of acceptance achieved.”

In its current form this would disregard one of the key differentiators and benefits of blockchain technology: the decentralisation of responsibilities to enable trust. Expecting blockchain to meet all requirements by itself is like fitting a square peg into a round hole.

Misuse in blockchain systems does not always come from the classical and expected angle: centralisation in an environment that is expected to be decentralised can be a serious problem for the integrity of the network and its data. To prevent misuse of this kind, the regulatory framework must inherently support new governance structures.

Creating the right framework conditions, 3a [p13]

“Insbesondere die Kompatibilität der Blockchain-Technologie mit der Datenschutz-Grundverordnung (DSGVO) ist immer wieder Thema. Aus Sicht der Bundesregierung ergibt sich aus der Blockchain-Technologie aktuell kein Änderungsbedarf bei der DSGVO. Vielmehr muss die Blockchain-Technologie datenschutzkonform ausgestaltet und angewendet werden.”

Machine Translated Version
“In particular, the compatibility of blockchain technology with the General Data Protection Regulation (GDPR) is a recurring issue. From the point of view of the Federal Government, there is currently no need for changes to the GDPR as a result of blockchain technology. Rather, the blockchain technology must be designed and applied in compliance with data protection regulations.”

This completely disregards that the very clear definitions of data controller and data processor in the GDPR are too narrow for any distributed system. There is no sensible way for actors in a distributed (or decentralised) environment to fit these definitions. At the very least, there should be clear guidance on how they are to be interpreted and how the controller and processor roles under the GDPR should be fulfilled in an environment where, by design, no single party is fully responsible in all situations, all of the time. On the right to erasure, it should be understood that a ‘mutable blockchain’ does not aid in decentralising trust as the very concept foresees. Much more important may be defining what precisely constitutes personal data.

I would also plead for the implementation of guidance that takes specific situations into account: are there data that will not have to be deleted if they are collected under specific circumstances? At present, the guidance cannot be applied directly, and no guidance is available, which makes different groups of experts speculate about different possible solutions. This is not helpful for the ecosystem.

Creating the right framework conditions, 3a [p13] (continued)

“Etwaige Unsicherheiten bei Entwicklern und Anwendern von Blockchain-Lösungen sollten adressiert werden, um die Entwicklung verbraucher- und datenschutzkonformer Lösungen zu befördern. Dabei sollten bestehende technische Lösungen (u. a. Verwendung von Hashwerten, Pseudonymisierung, Zero-Knowledge-Proof) und die Grundsätze privacy-by-design und privacy-by-default Anwendung finden.”

Machine Translated Version
“Any uncertainties among developers and users of blockchain solutions should be addressed in order to promote the development of consumer- and data protection-compliant solutions. Existing technical solutions (e.g. use of hash values, pseudonymisation, zero knowledge proof) and the principles of privacy-by-design and privacy-by-default should be applied.”

While the use of existing technical measures and data protection by design is already mandatory under the GDPR, addressing the uncertainties in this regard is essential. These uncertainties may be addressed through clear guidance from the data protection regulators. Finding data protection-compliant solutions, however, will very likely require a combination of technical solutions and legal leeway. Claims by software developers to have found so-called ‘GDPR compliant’ blockchain solutions should be assessed in detail. More often than not such a solution will only solve a subset of the compliance problems, and will usually come at a cost to decentralisation or governance.

The initiative mentioned in the strategy, organising a round table on data protection and blockchain in the first half of 2020, is a great way to exchange further ideas and implementable solutions. I would be happy to contribute.

Silvan Jongerius

Managing Partner, TechGDPR; Member, Bundesverband Blockchain e.V.; Co-chair of the Privacy working group, INATBA; President of the Board, BerChain e.V.