Lesson 2: What Counts as Personal Data?
Personal data isn’t just someone’s name or email address. Under the GDPR, it’s any piece of information that relates to an identified or identifiable individual. This includes IP addresses, device IDs, geolocation, metadata, and yes, even wallet addresses or public keys if they can be linked back to a real person with reasonable effort.
In Web3, we often deal with pseudonymous data. But pseudonymity doesn’t equal anonymity. If there’s a realistic way to link the data back to a person (say, using off-chain data, analytics tools, or linking to known addresses), it still counts as personal data.
It’s also important to understand what “processing” means. It’s not just collecting or storing data. It includes any operation: organising, broadcasting, validating, or, in some cases, even passing it through a mempool. So yes, running a node that validates transactions containing personal data might be enough to trigger GDPR obligations.
Encrypted or hashed data? Still personal data under the GDPR, unless it’s truly anonymised — meaning it cannot be linked back by any means reasonably likely to be used. So most ZK systems, while privacy-enhancing, are not automatically exempt.
Reading: EUCI GDPR Booklet – Key Definitions, Anonymisation (Sections III, X)