
GDPR and verifiable credentials: A compliance guide

Anna Kowalski, CIPP/E

25 days ago
I'm a privacy lawyer who's been working with several clients implementing VC-based identity systems. Here's my take on GDPR compliance.

## The Good News

Verifiable credentials are actually **privacy-enhancing** and align well with GDPR principles:

### Data Minimization (Article 5)

VCs enable selective disclosure - share only what's needed. This is exactly what GDPR demands.

### Purpose Limitation

Each verification request specifies exactly what data is needed and why. Clear purpose limitation.

### Storage Limitation

With VCs, the verifier doesn't need to store the credential data. Verify and discard.

## Key Considerations

### 1. Lawful Basis

You still need a lawful basis for the verification. Common bases:

- Contract performance (KYC for financial services)
- Legal obligation (AML requirements)
- Legitimate interest (age verification for restricted goods)

### 2. Data Controller Responsibilities

Even though you're verifying, not storing, you may still be a data controller for:

- The verification request itself
- Any logs you retain
- Derived data (e.g., "user is verified")

### 3. User Rights

Users can still exercise rights:

- Right to know (what verification requests were made)
- Right to erasure (of verification logs)

## Documentation

Keep records of:

- What credentials you request and why
- Which issuers you trust and why
- Your data retention policy for verification records

Happy to answer questions on specific scenarios!