GDPR Compliance Guide
This guide explains how Galileo enables GDPR-compliant implementations while maintaining blockchain immutability benefits.
The Challenge
GDPR Article 17 grants data subjects the "right to erasure" (right to be forgotten). This conflicts with blockchain's immutability. Galileo solves this through architectural separation.
CRAB Model
Galileo's CRAB (Claim-Raw-Access-Blinded) model provides GDPR compliance:
C — Claim Hash On-Chain
Only cryptographic hashes are stored on-chain, not personal data:
```solidity
// On-chain: just a hash of the DPP content, never the content itself
bytes32 dppHash = keccak256(abi.encode(dppContent));
token.setDPPHash(dppHash);
```
R — Raw Data Off-Chain
Actual personal data lives in off-chain storage that can be deleted:
```jsonc
// Off-chain DPP with personal data
{
  "ownerName": "Jean Dupont",    // Deletable
  "email": "jean@example.com"    // Deletable
}
```
A — Access Controlled
Role-based access control limits who can see personal data:
- Owner: Full access to own data
- Brand: Product data, anonymized owner
- Public: Product attributes only
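The three views above, implemented as an allow-list projection over an off-chain DPP record. This is an added example, not Galileo's code; the record fields other than `ownerName` and `email`, the `ownerId` used to authenticate the owner, and the `project_for_role` function are assumptions. Each role gets only the fields it is permitted to see, and the owner view is refused unless the requester's identity matches the record's owner.

```python
"""Role-based projection of an off-chain DPP record (added example, not Galileo's code)."""
from copy import deepcopy

# Constructed sample record. ownerName and email come from the guide; the other fields are assumed.
SAMPLE_DPP = {
    "productId": "DPP-0001",
    "model": "Bicycle X1",
    "materials": ["aluminium", "rubber"],
    "ownerId": "user-42",
    "ownerName": "Jean Dupont",
    "email": "jean@example.com",
    "purchaseDate": "2024-01-10",
}

PERSONAL_FIELDS = {"ownerId", "ownerName", "email"}       # identifies the owner: never leaves the owner view
PRODUCT_FIELDS = {"productId", "model", "materials"}       # public product attributes (allow-list)


def project_for_role(record, role, requester_id=None):
    """Return the view of `record` that `role` may see.

    Public and brand views are built by selecting permitted keys (allow-list), so a field
    added to the record later is hidden by default rather than leaked by default.
    """
    if role == "owner":
        # Full access only to the authenticated owner of this record.
        if requester_id is None or requester_id != record.get("ownerId"):
            raise PermissionError("owner view requires the record's own owner identity")
        return deepcopy(record)
    if role == "brand":
        # Product data plus non-identifying ownership facts; the owner is anonymized.
        view = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}
        view["owner"] = "anonymized"
        return view
    if role == "public":
        return {k: v for k, v in record.items() if k in PRODUCT_FIELDS}
    raise PermissionError(f"unknown role: {role!r}")
```

`deepcopy` on the owner view keeps callers from mutating the stored record through the returned dict.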
B — Blinded Deletion
When data is deleted, the on-chain hash stays in place, but the off-chain data it committed to is gone:
```jsonc
// After deletion
{
  "ownerName": "[REDACTED]",
  "email": "[REDACTED]",
  "_deletedAt": "2024-01-15T00:00:00Z",
  "_deletionReason": "GDPR_REQUEST"
}
```
Implementation Checklist
- Personal data stored off-chain only
- On-chain contains hashes, not raw data
- Deletion API implemented
- Access control enforced
- Audit trail maintained
- Data retention policy defined
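The off-chain side of the CRAB model end to end (create a claim hash for the chain, rectify, erase, verify), as an added example that is not Galileo's code. It assumes an `OffChainStore` class and a `PERSONAL_FIELDS` set that are not on the page. Two design choices go beyond the guide's snippets and are labelled as assumptions in the code: the content is canonicalized (sorted keys, no whitespace) before hashing, because `abi.encode` is deterministic on-chain but JSON serialization off-chain is not; and the claim is a salted commitment `H(salt || content)` rather than a bare hash. The reason for the salt is a GDPR point the guide does not spell out: names and e-mail addresses are low-entropy, so a bare hash of them lets anyone holding the on-chain value confirm a guess about whose record it is, which means the hash would itself remain personal data after erasure. Deleting the salt together with the record removes that linkage. The guide's contract uses Solidity `keccak256`; the example uses `hashlib.sha3_256` (same sponge, different padding) so it runs with no extra packages, and the hash function is a single name you can swap for a keccak256 implementation to match the contract byte for byte.

```python
"""Claim hash on-chain, raw data off-chain, rectification and erasure (added example, not Galileo's code)."""
import hashlib
import json
import secrets

# Substitution for the contract's keccak256 so the example needs no third-party package.
# Replace with a keccak256 implementation (e.g. pycryptodome's Crypto.Hash.keccak) for parity.
CLAIM_HASH = hashlib.sha3_256

PERSONAL_FIELDS = {"ownerName", "email"}   # fields that must be erasable


def canonical_bytes(content):
    """Deterministic serialization: key order and whitespace must not change the hash (assumed choice)."""
    return json.dumps(content, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def claim_hash(content, salt):
    """Commitment = H(salt || canonical(content)). The salt lives off-chain, next to the data (assumed design)."""
    return CLAIM_HASH(salt + canonical_bytes(content)).hexdigest()


def unsalted_claim(content):
    """Bare hash of the content, shown only to contrast with the salted commitment."""
    return CLAIM_HASH(canonical_bytes(content)).hexdigest()


class OffChainStore:
    """Deletable storage for DPP content. The chain only ever receives values returned by create/rectify."""

    def __init__(self):
        self.records = {}   # token_id -> {"content": dict, "salt": bytes | None}

    def create(self, token_id, content):
        salt = secrets.token_bytes(32)
        self.records[token_id] = {"content": dict(content), "salt": salt}
        return claim_hash(content, salt)            # the bytes32 to pass to token.setDPPHash

    def rectify(self, token_id, updates):
        """Right to rectification: update off-chain, return the new hash to write on-chain."""
        rec = self.records[token_id]
        rec["content"] = {**rec["content"], **updates}
        rec["salt"] = secrets.token_bytes(32)        # fresh salt: old and new claims stay unlinkable
        return claim_hash(rec["content"], rec["salt"])

    def erase(self, token_id, deleted_at, reason="GDPR_REQUEST"):
        """Right to erasure: redact personal fields and destroy the salt; the on-chain hash is untouched."""
        rec = self.records[token_id]
        redacted = {k: ("[REDACTED]" if k in PERSONAL_FIELDS else v) for k, v in rec["content"].items()}
        redacted["_deletedAt"] = deleted_at
        redacted["_deletionReason"] = reason
        self.records[token_id] = {"content": redacted, "salt": None}

    def verify(self, token_id, onchain_hash):
        """True only while the stored record and salt still reproduce the on-chain claim."""
        rec = self.records[token_id]
        if rec["salt"] is None:
            return False                             # erased: the claim can no longer be re-derived
        return claim_hash(rec["content"], rec["salt"]) == onchain_hash
```

After `erase`, the on-chain hash still exists and still proves that some content was committed at that time, but nothing that remains off-chain can reproduce it, and without the salt a guessed name or e-mail cannot be checked against it either.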
Data Subject Rights
| Right | Implementation |
|---|---|
| Access | API endpoint for data export |
| Rectification | Update off-chain data, new hash on-chain |
| Erasure | Delete off-chain, hash remains |
| Portability | JSON-LD export |