The GDPR Challenge
Article 17 of GDPR grants individuals the 'right to erasure' — the right to have their personal data deleted. But blockchains are designed to be immutable. How do you reconcile these two requirements?
The Hash Solution
The answer is simple: **don't store personal data on the blockchain.** Instead, store only cryptographic hashes of that data.
Why Hashes Are Not Personal Data
Under GDPR, personal data is defined as any information relating to an identified or identifiable natural person. A SHA-256 hash:
- Cannot be reversed to reveal the original data
- Is statistically unique but not identifiable
- Has no meaning without the original data
The Article 29 Working Party (now EDPB) has stated that hashed data is generally not considered personal data **if the hash cannot be linked back to the individual**. Our hash-only architecture ensures this by design.
The 'Burn' Mechanism
Even though hashes aren't personal data, we offer a de-linking mechanism for extra assurance:
- You register a 'burn key' for a specific hash
- We delete the association between your user ID and that hash from our database
- The hash remains on the blockchain, but is no longer linked to you
- We generate an 'Erasure Certificate' for your compliance records
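The four steps above, sketched as an added example (not this service's own code). The class, its method names, the certificate fields and the choice to store only a SHA-256 of the burn key are assumptions made for illustration; a Python list stands in for the blockchain.

```python
import hashlib, hmac, json, secrets, time

class AnchorService:
    """Hypothetical hash-only anchoring service (all names are assumptions)."""
    def __init__(self):
        self.chain = []       # append-only stand-in for the blockchain: hashes only
        self.links = {}       # off-chain database: anchored hash -> user ID (erasable)
        self.burn_keys = {}   # anchored hash -> SHA-256 of the burn key, never the key

    def anchor(self, user_id: str, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.chain.append(digest)        # only the hash is written on-chain
        self.links[digest] = user_id     # the association lives off-chain
        return digest

    def register_burn_key(self, digest: str) -> str:
        if digest not in self.links:
            raise KeyError("no association exists for this hash")
        key = secrets.token_urlsafe(32)  # returned to the user once
        self.burn_keys[digest] = hashlib.sha256(key.encode()).hexdigest()
        return key

    def burn(self, digest: str, key: str) -> dict:
        stored = self.burn_keys.get(digest)
        offered = hashlib.sha256(key.encode()).hexdigest()
        # Constant-time comparison; an unknown hash and a wrong key fail identically.
        if stored is None or not hmac.compare_digest(stored, offered):
            raise PermissionError("burn key does not match this hash")
        self.links.pop(digest, None)     # the de-linking step
        del self.burn_keys[digest]       # a burn key is single use
        # Erasure certificate: deliberately carries no user ID, so it cannot re-link.
        cert = {"hash": digest, "action": "link-deleted", "erased_at": int(time.time())}
        blob = json.dumps(cert, sort_keys=True).encode()
        cert["certificate_id"] = hashlib.sha256(blob).hexdigest()
        return cert

    def owner_of(self, digest: str):
        return self.links.get(digest)

if __name__ == "__main__":
    svc = AnchorService()
    h = svc.anchor("user-42", b"constructed sample record")  # constructed input
    k = svc.register_burn_key(h)
    print(svc.burn(h, k))
    print("still on chain:", h in svc.chain, "| owner:", svc.owner_of(h))
```

The sketch hashes raw bytes as the page describes; whether the remaining on-chain hash stays unlinkable also depends on the hashed input not being guessable, which this example does not address.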
EU AI Act Article 11
The EU AI Act requires high-risk AI systems to maintain logs with 'mathematical certainty' of integrity. Blockchain proof anchoring is the gold standard for this requirement. Our hash-only approach ensures you get the compliance benefits without the privacy risks.