Lesson 6: How Can You Lawfully Process Personal Data?
The GDPR requires a legal basis for all personal data processing. There are six options: consent, contract, legal obligation, vital interest, public task, or legitimate interest.
In Web3, consent is hard, if not impossible — it must be revocable, informed, and specific. On an immutable blockchain, revoking consent is often not an option. That makes consent a risky choice.
Legitimate interest is more viable but requires a balancing test. You must prove your interest doesn’t override user rights, document your assessment, and implement safeguards.
You should also evaluate each processing activity separately — there's no blanket legal basis for your whole protocol. Context matters.
Reading: EUCI GDPR Booklet – Lawful Basis & Blockchain Implications (Section V)