GDPR Compliance of Enigma

Hey guys, I am a crypto-enthusiast and supporter of Enigma. I study European law and I write a bachelor thesis now on the topic of GDPR Compliant solutions in the blockchain space. I use Enigma as an example. However, I still have a lot of problems with understanding the technicalies of this project. Therefore, I would be very glad to get an answer to some of my concerns from more experienced collegues. That is why I decided to ask here my questions. I would be very gratefuly for help with them. Sorry for my limited understanding of Enigma, I am trying to catch up.

  1. I found two descriptions with respect to layers on which Enigma is built. On webpage, it is stated that Enigma is composed of Protocol, Platform and Application layer. On more specific article related to GDPR and Enigma (, I have read that Enigma is built of Protocol, Verification and Storage layer. How do they relate to each other?
  2. If I understand correctly, Protocol layer is built off-chain and it allows for the computation of data. Verification layer is synonymous to Platform Layer? I am really not sure. Nevertheless, the other two are built on Ethereum blockchain? Could someone give me a hand with understanding of this classification?
  3. How does it work with respect to the storage of data. I understand that data is splitted between nodes in accordance with multi-party computation. However, where does an invidual – data subject access his data? Which layer is responsible for that?

The other questions are more GDPR specific.

  1. Firstly, GDPR targets data controllers and data processors with respective obligations. Who is data controller with respect to Enigma. Is it the team of Enigma or the individual himself? I understand that that is the goal to achieve data sovereignty. However, how does it work at the moment?
  2. Who is data processor? Are nodes interacting with individual qualified as data processors in the light of GDPR? I understand that it is quite difficult question as data is also anonymised, but how is it legally resolved?
  3. My last question and actually the most important for my thesis, how is the right to be forgotten performed on Enigma? Is an individual able to erase his data? How does it work? Which layer is responsible for that? Does it happen off-chain or it is achieved forgetting the key to the service? I will be super grateful for answer to this question as my deadline for thesis is approaching and I am still a bit lost.



I’ll focus on GDPR and other person privacy identification like regulations with regard to Enigma Protocol.


I’m currently “engaged” as an software developer for healthcare companies. Consequently, because of NDA, try to stay away from specific patient privacy software solutions. However, the Enigma Protocol is innovation at a lower abstraction layer, therefore it’s at the “individual” level, regardless of industry use cases.

Although, healthcare has much to offer all industries regarding the “individual” privacy rights and protections.

In response to this GDPR specific topic, I recommended a step back to a higher level - consistent to the Enigma Protocol. If not, I’ll respond and continue for this thread, but will also create another…