GDPR

The General Data Protection Regulation (GDPR) is the EU's comprehensive data-protection law, in force since May 2018. It gives EU residents rights over their personal data — access, erasure, portability, objection to processing — and imposes obligations on anyone processing that data, regardless of where the processor operates.

Three GDPR provisions shape LearnCoin's architecture most directly: Article 5 (data-minimization principle), Article 17 (right to erasure), and Article 32 (security of processing). The right to erasure is the tightest constraint — it's fundamentally incompatible with immutable blockchain storage of personal data. Our GDPR-aware schema split (pseudonymous IDs on-chain, PII off-chain and deletable) is the direct architectural consequence.

Non-EU tenants are still subject to GDPR if they process EU residents' data, which in practice means nearly every tenant. LearnCoin operates under GDPR assumptions for every credential regardless of tenant jurisdiction — it's easier and closer to the pan-global direction of data-protection law anyway.