Cryptocurrency as Personal Data
A Bitcoin wallet address is a string of 26–35 alphanumeric characters in Base58Check encoding, beginning with "1", "3", or "bc1". An Ethereum address is "0x" followed by 40 hexadecimal characters. These addresses are pseudonymous — they do not directly identify individuals — but under GDPR, pseudonymous data that can be linked to an individual through additional processing is personal data.
A cryptocurrency exchange that holds KYC data (linking wallet addresses to verified customer identities) holds personal data within GDPR's scope: the wallet address, in combination with the KYC record, identifies a natural person. The wallet address alone is personal data within the exchange's data environment, because the exchange can link it to an individual.
The EU MiCA (Markets in Crypto-Assets) regulation, effective from December 2024, adds a financial regulatory layer: cryptocurrency asset service providers (CASPs) must implement appropriate controls for customer data protection. The intersection of MiCA and GDPR means that a European crypto exchange faces both financial regulation (MiCA's data protection requirements for CASPs) and general data protection law (GDPR) for the same wallet address data.
The Detection Gap
Standard PII detection tools were designed for traditional financial identifiers: IBAN, account number, routing number, SWIFT/BIC. These tools have no awareness of cryptocurrency address formats. A document containing a Bitcoin wallet address, an Ethereum address, and a SWIFT code will have the SWIFT code detected and the two cryptocurrency addresses missed by any tool that does not include crypto address entity types.
Consider a European crypto exchange processing KYC documents. Customer bank account IBANs are detected by standard tools. The customer's Bitcoin wallet address used for initial funding is not detected. The SWIFT code for the wire transfer from their bank is detected. The Ethereum address used for token purchases is not detected.
The missing detection is not a minor gap — wallet addresses are core financial identifiers in crypto contexts, as sensitive as account numbers in traditional banking contexts.
GDPR Article 32(1)(a) requires pseudonymization and encryption as baseline technical measures. 56% of GDPR fines cite inadequate encryption as a contributing factor. An organization that encrypts all detected PII but fails to detect cryptocurrency wallet addresses has encrypted nothing relevant to its core business operations.
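One way to close this gap, shown as an added example that is not from the original article or from any specific tool: a Python detector that matches the address formats described above and verifies checksums so that look-alike strings are not flagged. The entity-type names and the sample text are constructed; bc1 addresses are verified with the Bech32/Bech32m checksum rather than Base58Check, and Ethereum addresses are matched by format only.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
PATTERNS = {  # entity-type names are illustrative assumptions
    "BTC_BASE58": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "BTC_BECH32": re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b"),
    "ETH_ADDRESS": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

def base58check_ok(addr):
    """Decode to version + 20-byte hash + 4-byte checksum; verify double SHA-256."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    if n >> 200:  # does not fit the 25-byte address layout
        return False
    raw = n.to_bytes(25, "big")
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

def bech32_ok(addr):
    """Verify the BIP-173 (bech32) or BIP-350 (bech32m) checksum of a bc1 address."""
    hrp, data = addr.rsplit("1", 1)
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [B32.index(c) for c in data]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, gen in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= gen
    return chk in (1, 0x2BC830A3)  # bech32 / bech32m constants

VALIDATORS = {"BTC_BASE58": base58check_ok, "BTC_BECH32": bech32_ok,
              "ETH_ADDRESS": lambda a: True}  # EIP-55 needs Keccak-256, not in hashlib

def find_crypto_addresses(text):
    """Return (entity_type, address) for each candidate that passes its checksum."""
    hits = []
    for kind, rx in PATTERNS.items():
        hits += [(kind, m.group()) for m in rx.finditer(text) if VALIDATORS[kind](m.group())]
    return hits

# Constructed KYC note: public example BTC addresses, placeholder ETH address,
# and a final BTC string with one mistyped character that must be rejected.
SAMPLE = ("Funding from 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, payout to "
          "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4, tokens at 0x" + "ab" * 20 +
          ", wire via SWIFT DEUTDEFF, typo 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb")
```

Calling `find_crypto_addresses(SAMPLE)` returns the three valid addresses and skips both the SWIFT code and the mistyped Bitcoin string, whose checksum fails.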