
Blockchain and Personal Data Protection


We are witnessing remarkable growth in blockchain technologies. One of the main functionalities of this technology is to ensure the confidentiality, integrity, and availability of (personal) data. This article addresses the possible advantages and risks that blockchain technologies pose for the protection of privacy and personal data, and ways to mitigate those risks in order to protect the rights and freedoms of data subjects and other natural persons.

Achieving compliance with the Law on Protection of Personal Data in the context of blockchain principles requires a synergy of experts possessing technical, legal, and organizational skills.

Blockchain is a decentralised and reliable database ensuring transaction immutability. However, there are two sides to every coin - both the functionality of a product and compliance with the regulatory requirements must be implemented. The purpose of the Law on Personal Data Protection (“Law”) is to protect the privacy and personal data of individuals.

One of the main advantages of blockchain is that it belongs to a category of technology where a one-size-fits-all approach cannot be applied. There are various types of blockchain technologies, designed for different purposes such as cryptocurrencies, intellectual property, smart contracts, etc. This diversity requires a customized approach when assessing the compatibility of blockchain with the Law.

Blockchain technology vs. data security

Blockchain is composed of blocks that are linked together in chronological order, forming a chain (chain of blocks). Each block in the blockchain contains a unique cryptographic hash of the previous block. Blocks are permanently connected and transactions are recorded sequentially. From a security aspect, blockchain transactions are immutable and the (personal) data stored in a block cannot be altered retroactively by adversaries without altering all subsequent blocks. Multiple network participants collaborate to validate and record transactions, ensuring that, from a security aspect, no single entity has exclusive control over the system.

Immutability is considered to be one of the core characteristics and benefits of blockchain technology. It means that once data is recorded on the blockchain, it would be difficult for adversaries to rectify, alter, or erase it. This is achieved through cryptographic hashing, which makes it extremely difficult to modify the data. The purpose of this technique is to record financial transactions and other data while preventing unauthorized subsequent rectifications.
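The hash linking described above can be seen in a few lines of code. The following is an added example, not part of the original article; the block layout, function names, and sample records are constructed for illustration and do not correspond to any particular blockchain product.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64

def block_hash(block):
    # The hash covers the index, the previous block's hash and the payload.
    body = {k: block[k] for k in ("index", "prev_hash", "data")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS
    for i, data in enumerate(records):
        block = {"index": i, "prev_hash": prev, "data": data}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_invalid(chain):
    """Index of the first block that fails verification, or None if intact."""
    prev = GENESIS
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None

def rehash_from(chain, start):
    """Re-link and re-hash every block from `start`; return how many changed."""
    prev = chain[start - 1]["hash"] if start else GENESIS
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block)
        prev = block["hash"]
    return len(chain) - start

def demo():
    # Constructed sample records containing personal data.
    records = [{"name": "Ana Example", "city": "Belgrade"},
               {"name": "Marko Sample", "city": "Novi Sad"},
               {"name": "Jelena Test", "city": "Nis"},
               {"name": "Petar Demo", "city": "Podgorica"}]
    honest = build_chain(records)
    edited = copy.deepcopy(honest)
    edited[1]["data"]["city"] = "Kragujevac"   # retroactive change to block 1
    stale = first_invalid(edited)               # block 1: stored hash no longer matches
    edited[1]["hash"] = block_hash(edited[1])
    broken_link = first_invalid(edited)         # block 2: still points at the old hash
    rewritten = rehash_from(edited, 1)          # every later block has to change
    tip_differs = edited[-1]["hash"] != honest[-1]["hash"]
    return stale, broken_link, rewritten, first_invalid(edited), tip_differs
```

Even after every later block is re-hashed, the final hash differs from the one held by nodes that kept the original ledger, which is how the other participants detect the change.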

Furthermore, blockchain is a technology based on a decentralized network of nodes. The concept of decentralization entails the absence of a central authority or intermediary, meaning that only controllers can have control over personal data.

Minimisation principle

In accordance with the Law, personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In the blockchain, all participating nodes store a copy of the entire ledger. This can lead to the storage, i.e., the processing, of a significant amount of personal data that may not be directly relevant to a specific transaction, or to the processing carried out by a specific controller, which in turn may violate the data minimization principle. The breach of the data minimisation principle can be established by raising awareness of the controllers who use blockchain technologies.

Data Protection Impact Assessment

To address the requirements of the Law for the confidentiality of the data in blockchain nodes, it is necessary to assess the resilience of the hash function to a collision attack. With that in mind, it is of utmost importance to choose a trustworthy provider of blockchain applications.

To address the risks that may arise with different blockchain technologies, a Data Protection Impact Assessment (“DPIA”) would be considered advisable.

A DPIA is a risk assessment of the impact of the processing operations on the rights and freedoms of citizens. It shall be carried out when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, especially when new technologies are used. Its purpose is to identify risks to the rights and freedoms of data subjects and other natural persons, and it shall result in defining adequate technical, organisational, and legal measures aimed at mitigating those risks to an acceptable level.


While blockchain technology offers numerous advantages, it also poses challenges in ensuring data privacy and compliance with the Law. By conducting DPIAs and customizing strategies for each blockchain, organizations can achieve a balance between harnessing the potential of blockchain and respecting individuals' data protection rights.

Each blockchain is unique, and its structure and purpose may vary. Therefore, it is essential to conduct a DPIA for each blockchain technology to determine compliance with the Law. This assessment should identify potential risks, recommend necessary changes, and guide the blockchain towards compliance with the Law.

By Ivan Milosevic, Partner, and Katarina Savic, Senior Associate, JPM
