Lesson 4: What Rights Do Users Have?
Under the GDPR, individuals have strong legal rights over their personal data. These include the rights to access, correct, delete, restrict, port, and object to data processing, and the right not to be subject to fully automated decisions with significant effects.
This becomes complicated in blockchain environments. Deletion and correction are particularly difficult on immutable chains. But the law doesn’t bend just because the tech is hard — GDPR rights apply regardless of architecture.
The recent EDPB Guidelines recommend off-chain processing wherever possible. On-chain, you should only include data that’s strictly necessary, ideally hashed or encrypted, with off-chain links enabling revocation if needed. However, the off-chain personal data should also be appropriately protected.
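The on-chain/off-chain split described above, sketched as an added example (it is not taken from the EDPB Guidelines or the lesson's readings). `Ledger` and `OffChainStore` are hypothetical names, and the per-record HMAC key is an assumption about how the on-chain value is built: a bare hash of low-entropy personal data can be recomputed by guessing, so the key lives only off-chain and is deleted together with the data.

```python
import hashlib
import hmac
import secrets


class Ledger:
    """Stand-in for an immutable chain: entries can only be appended."""
    def __init__(self):
        self._entries = []

    def append(self, commitment: bytes) -> int:
        self._entries.append(commitment)
        return len(self._entries) - 1

    def get(self, index: int) -> bytes:
        return self._entries[index]

    def __len__(self):
        return len(self._entries)


class OffChainStore:
    """Mutable store holding the personal data and its per-record key."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records = {}  # ledger index -> (key, personal data)

    def register(self, data: bytes) -> int:
        key = secrets.token_bytes(32)  # random per-record key, never written on-chain
        index = self.ledger.append(hmac.new(key, data, hashlib.sha256).digest())
        self.records[index] = (key, data)
        return index

    def verify(self, index: int) -> bool:
        if index not in self.records:
            return False  # erased: the commitment can no longer be recomputed
        key, data = self.records[index]
        expected = hmac.new(key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, self.ledger.get(index))

    def erase(self, index: int) -> None:
        # Deletion request: drop data and key; the ledger entry itself stays.
        self.records.pop(index, None)

    def rectify(self, index: int, corrected: bytes) -> int:
        # Correction: commit the corrected value as a new entry, erase the old record.
        new_index = self.register(corrected)
        self.erase(index)
        return new_index
```

The off-chain store now holds both the personal data and the keys, so it needs its own access control and encryption at rest.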
You must also provide meaningful explanations for automated decisions — including those made by smart contracts — and offer human intervention where required.
Reading: EUCI GDPR Booklet – Data Subject Rights (Section IV)
Michèle Finck – Smart Contracts as a Form of Solely Automated Processing Under the GDPR