“Right to erasure” and private blockchain in the European Union: legal requirements and technical possibilites

Abstract

Blockchain, serving as one of the most complex networks used within an organization may be regarded as challenging for the applicability and realization of the General Data Protection Regulation Article 17, which gives the data subject right to erasure or a “right to be forgotten” to ones’ personal data. The immutability and decentralized character of the system does not prescribe the erasure of personal data on the chain, as well as poses problems in determining the competent authority responsible for data protection compliance, when the data subject needs to exercise its rights under the GDPR. The thesis examines whether the compliance with the General Data Protection Regulation’s Article 17 could be ensured while using private blockchain within an organization, by determining the authorities responsible for the compliance in decentralized system, and, examining the conditions when immutability may allow for data erasure. Thus, proposing possible solutions and developing the guidelines for businesses how to mitigate the enforcement of the Regulation regardless of technological pattern of private blockchain.