GDPR-Compliant Blockchain Image Storage

Reconciling the immutable blockchain with the GDPR Article 17 right to erasure is supposed to be impossible, yet it is the exact problem every European company certifying customer images, HR photos, insurance evidence or medical imaging has had to solve since May 2018. CHECKHC, operated by a French SAS (SIREN 994 183 275) under CNIL jurisdiction, delivers the definitive answer: on-chain hash only, personal data never leaves EU soil, and a Flexible Certification tier that lets you exercise the right to be forgotten at any moment while the cryptographic anchor remains mathematically intact.

Flexible certification with deletion option. 10 free trials included.

The GDPR Challenge

Traditional blockchain is permanent by design—but GDPR requires the right to erasure. We've solved this conflict.

GDPR Article 17 requires the right to erasure ("right to be forgotten"). Until now, this seemed incompatible with blockchain's permanent nature. Our Flexible Certification solves this fundamental conflict.

📜 Permanent Certification

For content that should last forever—art, archives, historical records.

  • 200+ year guaranteed storage
  • Immutable blockchain proof
  • Ideal for NFTs and art
  • Cannot be deleted

🔄 Flexible Certification

GDPR-compliant option with full right to deletion.

  • Full blockchain certification
  • Delete anytime on request
  • GDPR Article 17 compliant
  • Ideal for contracts, sensitive data

Full GDPR Compliance Features

Right to Erasure: Delete certifications on request, meeting Article 17 requirements.

Local Processing: Files processed on your device, never uploaded to external servers.

Data Minimization: Only cryptographic hashes stored, not actual file content.

Consent Management: Clear opt-in for permanent vs. flexible storage options.

Audit Trail: Complete records of certification and deletion for compliance audits.

EU Data Residency: Processing and storage options within EU jurisdiction.

The Solution

⚖️ Legal Compliance

Meet GDPR requirements while still providing blockchain-grade proof of authenticity. No more choosing between compliance and certification.

🗑️ True Deletion

When you request deletion, we remove all certification data. Not just hiding—actual erasure that satisfies regulatory requirements.

🔒 Privacy by Design

Files never leave your device. Only cryptographic fingerprints are used for certification, protecting sensitive content inherently.

📋 Compliance Documentation

Generate compliance reports and audit trails for your DPO and regulators. Prove your data handling meets requirements.

Who Needs GDPR-Compliant Storage?

🏢 EU Businesses

Companies handling customer images, contracts, or documents that may require future deletion.

⚖️ Law Firms

Legal practices needing certified evidence that may need to be removed after case resolution.

🏥 Healthcare

Medical imaging certification with patient privacy rights fully preserved.

👤 DPOs

Data Protection Officers ensuring organization-wide compliance for image handling.

How GDPR-Compliant Blockchain Storage Works in Detail

The legal and technical architecture that resolves the blockchain-versus-Article-17 paradox — validated against CNIL's 2018 guidance.

The core insight is simple: the GDPR only applies to personal data, and a SHA-256 hash of a file is not personal data. CNIL's 2018 guidance paper "Blockchain: Solutions for a responsible use of the blockchain in the context of personal data" explicitly states that a cryptographic hash published on a public chain is considered "data that no longer allows identification" as long as the pre-image (the original file) remains under the controller's custody. CHECKHC's pipeline therefore computes the SHA-256 of your image locally on your device (via the API) or in our EU-based data centres, writes only that 64-character fingerprint plus an RFC 3161 timestamp to Solana and Arweave, and stores the original file in encrypted object storage hosted inside the European Economic Area.

When a data subject invokes their Article 17 right to erasure — or when the initial retention period ends — our Flexible Certification tier performs a verifiable delete-and-break operation. We delete the original file, delete any associated personal data (email, IP logs, account bindings), and rotate the server-side encryption key so even backup tapes become unreadable. The on-chain hash remains, but without the original file it becomes what CNIL calls "mathematically anonymous residual data" — it points to nothing, it reveals nothing, and it cannot be reversed. A signed deletion certificate is issued to the data subject and to your DPO, complete with CNIL reference number, deletion UTC timestamp, and an audit trail that passes ISO 27001 and ENS Level 2 scrutiny.
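A minimal model of the delete-and-break flow described above, added here as an illustration and not CHECKHC's code: `FlexibleStore`, its method names and the SHA-256 counter-mode cipher (a standard-library stand-in for an AEAD such as AES-256-GCM) are all assumptions. It shows that destroying the per-file key leaves backup ciphertext unreadable while the ledger hash stays, and that the hash still matches any copy of the file that survives elsewhere.

```python
import hashlib
import secrets
from datetime import datetime, timezone


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 in counter mode) so the example needs only the
    standard library. A real store would use an AEAD such as AES-256-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)


class FlexibleStore:
    """Hypothetical model: public ledger, key store, object store and backups."""

    def __init__(self):
        self.ledger = []   # append-only, models the chain: (sha256_hex, utc_time)
        self.keys = {}     # cert_id -> per-file key, the target of erasure
        self.objects = {}  # cert_id -> (nonce, ciphertext) in live storage
        self.backups = {}  # ciphertext copies that erasure cannot reach

    def certify(self, cert_id: str, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        blob = (nonce, xor_stream(key, nonce, data))
        self.ledger.append((digest, datetime.now(timezone.utc).isoformat()))
        self.keys[cert_id], self.objects[cert_id], self.backups[cert_id] = key, blob, blob
        return digest

    def read(self, cert_id: str, source: str = "objects"):
        """Decrypt from live storage or from backup; None once the key is gone."""
        key, blob = self.keys.get(cert_id), getattr(self, source).get(cert_id)
        return xor_stream(key, *blob) if key and blob else None

    def erase(self, cert_id: str) -> dict:
        """Delete the object and destroy its key; the ledger entry is untouched."""
        self.objects.pop(cert_id, None)
        self.keys.pop(cert_id, None)
        return {"cert_id": cert_id, "deleted_utc": datetime.now(timezone.utc).isoformat()}

    def anchored(self, data: bytes) -> bool:
        """Public check: does this exact file match a hash on the ledger?"""
        digest = hashlib.sha256(data).hexdigest()
        return any(digest == h for h, _ in self.ledger)
```

After `erase()`, `read(cert_id, "backups")` returns `None` even though the backup ciphertext still exists, while `anchored()` still returns `True` for anyone holding the original bytes, so an erasure audit has to account for every plaintext copy and not only the key.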

For content that must be preserved indefinitely — artworks, historical archives, NFT provenance, contract signatures — we offer Permanent Certification: the same hash plus a full Arweave 200+ year replica. You choose the tier per-file, per-collection or per-API-call, and you can upgrade Flexible to Permanent at any time (but not the reverse, by design). Our French SAS status (SIREN 994 183 275, Rochefort) places all processing under CNIL jurisdiction, and we publish a Data Processing Agreement compliant with Standard Contractual Clauses 2021/914 for EU controllers. See also prove-photo-is-real, newsroom verification and NFT authenticity pages for concrete downstream workflows.

Three Concrete Use Cases for GDPR-Compliant Image Storage

🏥 Scenario 1 — Hospital Imaging Archive with Patient Withdrawal

A regional French hospital needed to certify MRI images for a research consortium while preserving every patient's right to withdraw from the study at any time. CHECKHC's Flexible tier processes each DICOM export locally, writes the SHA-256 to Solana, and retains the file in EU storage. When three patients withdrew in Q4 2024, a single API call broke their encryption keys within minutes; the research cohort remained mathematically verifiable for the remaining participants.

⚖️ Scenario 2 — Law Firm Certifying Case Evidence

A Paris-based litigation firm needed to timestamp thousands of photographs submitted as discovery evidence. Under French civil procedure rules, evidence files must be provably authentic at the moment of submission, yet personal data on minors and witnesses triggers mandatory deletion post-judgment. Flexible Certification handles both: the Solana hash proves the submission timestamp for the court, and the post-judgment deletion satisfies the firm's data retention policy without undermining the historical court record.

🏢 Scenario 3 — HR Department Certifying ID Photos

A CAC 40 company's HR department certifies candidate ID photos during recruitment — under GDPR, these photos must be deleted within 2 years if the candidate is not hired. Before CHECKHC, they faced a dilemma: certify for fraud protection (permanent) or delete for compliance (no proof). Now the two-year clock triggers automatic Flexible deletion, the Solana hash remains as anonymous residual data, and the DPO produces one-click CNIL-compliant audit reports.

Blockchain Proof + GDPR Compliance

Finally, certification that respects privacy rights. Start with flexible storage today.

10 free certifications • Full deletion rights

Frequently Asked Questions

How is it legally possible to "delete" data that has been written to Solana or Arweave?
The legal fiction — validated by CNIL's 2018 blockchain guidance and later by the EDPB — is that only personal data falls under GDPR Article 17, and a SHA-256 hash is not personal data as long as the pre-image is under controller custody. CHECKHC never writes the original image to a blockchain; it writes only the 64-character cryptographic fingerprint plus a timestamp. When you invoke your right to erasure, we delete the image from our EU-hosted encrypted storage and rotate the encryption key. The on-chain hash remains but becomes mathematically anonymous — it points to a file that no longer exists, it cannot be reversed, and it reveals zero personal data. This architecture has been reviewed by French data-protection counsel and is the standard approach for blockchain-GDPR reconciliation.
Is CHECKHC truly GDPR compliant, and who audits that compliance?
Yes. CHECKHC is operated by a French SAS registered at SIREN 994 183 275 in Rochefort, which places it directly under CNIL jurisdiction. Our Flexible Certification tier meets Article 17 (right to erasure), Article 25 (privacy by design), Article 28 (processor obligations) and Article 32 (security of processing). We publish a Data Processing Agreement compliant with Standard Contractual Clauses 2021/914, processing happens in EEA data centres, and we maintain ISO 27001-equivalent controls. For EU-based enterprise customers we provide a full compliance pack — DPA, Records of Processing Activities (ROPA), Data Protection Impact Assessment (DPIA) template, subprocessor list — reviewable by your DPO ahead of contracting.
What is the real difference between Permanent and Flexible Certification?
Permanent Certification anchors the SHA-256 hash on Solana plus a full Arweave replica for 200+ year preservation. It cannot be deleted, which is exactly what you want for artwork provenance, historical archives, NFT contracts and long-term copyright evidence. Flexible Certification anchors the same hash on Solana but keeps the original file in EU encrypted storage with a deletion-ready key; when you invoke erasure, we break the key and the hash becomes anonymous residual data. Choose Permanent for "I want this to outlive me" and Flexible for "I must respect GDPR erasure requests". You can upgrade Flexible to Permanent at any moment; the reverse is impossible by design, which is what makes Permanent trustworthy in the first place.
How do I request deletion on behalf of myself or a data subject?
For Individual and Business customers, deletion is a one-click action from your dashboard: select any Flexible certification, click "Erase", confirm, and you receive a signed deletion certificate within 72 hours (usually within minutes). For API customers, a DELETE /v1/certifications/{id} call triggers the same pipeline. The deletion certificate includes the original file hash, the UTC deletion timestamp, the operator reference, the CNIL-style audit signature, and a proof-of-key-destruction hash — everything your DPO needs to close the request in your Records of Processing Activities. Enterprise customers with an EU Data Processing Agreement can also trigger bulk deletions via their SSO-protected admin portal.
Can I switch from Flexible to Permanent later, or combine both in one pipeline?
Yes to both. The upgrade path from Flexible to Permanent is one API call or one dashboard action: the file is replicated to Arweave, the erasure flag is lifted, and the certification becomes permanent from that point forward. The reverse (Permanent to Flexible) is impossible by design, because a tier that could be silently downgraded would defeat the purpose of Permanent. Enterprise pipelines routinely mix both: Flexible for customer-identifying imagery that must respect Article 17, Permanent for corporate archives, marketing assets, and IP proofs. A single API endpoint lets you specify the tier per-file and tag the request for downstream auditing.
Where is the data physically stored and does it leave EU jurisdiction?
Original files are stored in encrypted object storage hosted in European Economic Area data centres operated by Tier-III or Tier-IV EU providers, with no cross-border transfer outside the EEA unless you explicitly opt into a multi-region backup. Solana is a public blockchain whose validators are globally distributed, but CHECKHC writes only the hash — not personal data — so this does not constitute a GDPR international transfer under Chapter V. Arweave permanent storage is similarly hash-only. For customers with strict data sovereignty requirements (French public sector, SecNumCloud, HDS health certification), we offer a France-only storage region backed by a French hyperscaler and can provide the corresponding attestations.
Does CHECKHC provide a Data Processing Agreement and sub-processor list?
Yes. Every Business and Enterprise customer signs a DPA aligned with the European Commission's 2021 Standard Contractual Clauses template. We maintain a public sub-processor list covering our EU cloud provider, our Solana RPC endpoint provider, our Arweave gateway, and any email/notification delivery processors, and we notify customers by email at least 30 days before adding a new sub-processor so you can exercise your objection right. Our French SAS jurisdiction (SIREN 994 183 275) means you benefit from direct CNIL recourse if an issue arises, without the complexity of a US/EU cross-border dispute.
How does this compare with keeping images on AWS S3 or Azure Blob with object-lock?
Object-lock on S3 or Azure Blob gives you Write Once Read Many (WORM) immutability within a single cloud provider, but it does not give you independent cryptographic proof of a timestamp, it does not protect you if the provider is breached, and it does not automatically reconcile with GDPR erasure requests. CHECKHC layers a public Solana timestamp and an Arweave mirror on top of your existing storage strategy, so you keep the operational benefits of your current cloud (EU region, IAM, lifecycle rules) while gaining a cryptographic second source of truth. Many EU enterprise customers use both together: S3/Blob for operational hot storage, CHECKHC for the Article 17-compatible cryptographic proof layer.