Goodcoin – Robust Privacy for Loyalty Programmes and Payment Systems

The Goodcoin project was a three-year research project with the aim of developing a data protection-friendly bonus point and customer loyalty system. The project was conducted by Humboldt-Universität zu Berlin; the accompanying research was conducted in cooperation with the Humboldt Institute for Internet and Society, and Bonsum UG.

Reconciling conflicting interests through technological innovation

Bonus or loyalty point systems are often used to analyze purchasing behavior and to create comprehensive profiles of buyer interests. On this basis, retailers then want to make personalised offers and address potential buyers individually. In order to harmonise the interests of the consumer for informational self-determination with the wishes of the retail trade, the “Goodcoin” project researched an efficient but anonymous bonus point system.

The goal was to prevent the creation of consumer profiles by e-commerce providers. Nevertheless, providers should be able to statistically evaluate consumer behavior in order to determine new market trends and align their product structure to them at an early stage. The project also explored ways of implementing data protection-friendly product recommendation systems in order to offer customers digital product advice.

From a technical point of view, algorithms were developed to generate anonymous bonus points and purchasing statistics.

The generation of bonus points is based on a model with blind signatures in a tripartite system consisting of customers, retailers and the Goodcoin operator. After each transaction at participating merchants, customers receive bonus points that can be used again as a means of payment at a later date. The results were published under [1].

After the project initially planned to work with probabilistic data structures for the generation of anonymous purchasing statistics, this was discarded when these proved to be too imprecise to allow an individual approach, and switched to research into a correlation analysis method. Since such procedures existed at that time only for unencrypted databases, two new solution concepts were developed for its implementation. The results were published under [2].

The accompanying legal research concentrated on the evaluation of the payment module and the statistics module.

It turned out that the system structure planned by the Goodcoin project with regard to the payment module is subject to the requirements of the Payment Services Supervision Act, since the bonus points are e-money in the sense of § 1 para. 2 p. 2 of this Act. However, the legal analysis of the statistics module was less clear. The aim was to ensure anonymity not only in the technical but also in the legal sense through the system architecture, both to avoid the regulatory requirements of the GDPR and because it treats anonymisation as a suitable guarantee for the rights and freedoms of the persons concerned. The problem is that the concept of anonymity in data protection law is autonomous from the (many) technical concepts of anonymity and does not refer to a specific extra-legal concept. Furthermore, it was also not possible to fall back on an elaborated approach for the verification of a computer system for the fulfillment of legal requirements, since such an approach does not exist within the legal sciences. In this respect, it was therefore necessary to resort to a non-legal method that originated in systems engineering: validation. The object of the test is not a concrete technical system, but its abstract representation on the level of the specification, which can then be compared with legal requirements by means of a semantic analysis. It turned out that the legal concept of anonymisation currently suffers from unrecoverable inconsistencies, which makes a final comparison with technical anonymity concepts impossible. The research results in this area have been published under [3] and [4].


[1] S. Brack, S. Dietzel, and B. Scheuermann, “ANONUS: Anonymous Bonus Point System with Fraud Detection,” in 2017 IEEE 42nd Conference on Local Computer Networks (LCN), 2017, doi: 10.1109/lcn.2017.50. Available:

[2] S. Brack, R. Muth, S. Dietzel, and B. Scheuermann, “Recommender Systems on Homomorphically Encrypted Databases for Enhanced User Privacy,” in LCN’ 19: Symposium of the 44th IEEE Conference on Local Computer Networks, 2019, doi: 10.1109/LCNSymposium47956.2019.9000668. Available:

[3] J. Hölzel, “Anonymisierungstechniken und das Datenschutzrecht,” Datenschutz und Datensicherheit – DuD, vol. 42, no. 8, pp. 502–509, Jul. 2018, doi: 10.1007/s11623-018-0988-z. Available:

[4] J. Hölzel, “Differential Privacy and the GDPR,” European Data Protection Law Review, vol. 5, no. 2, pp. 184–196, 2019, doi: 10.21552/edpl/2019/2/8. Available:

[5] S. Brack, J. Hölzel, B. Scheuermann, and S. Dietzel, “Goodcoin: Starker Datenschutz für Bonus- und Zahlungssysteme; Teilvorhaben: Algorithmenentwicklung und juristische Begleitung : Abschlussbericht,” [Humboldt-Universität zu Berlin], 2018 [Online]. Available:


Duration01/2016 – 12/2018
SponsorsThe project Goodcoin is part of the BMBF-network project “Datenschutz: selbstbestimmt in der digitalen Welt”


Julian Hölzel

Associate Researcher: Data, actors, infrastructures

Support us

Via the Internet & Society Foundation or with a donation.

Former employees

Journal articles and conference proceedings

Hölzel, J. (2018). Anonymisierungstechniken und das Datenschutzrecht. Datenschutz und Datensicherheit, 42(8), 502–509. Publication details

Other publications

Hölzel, J. (2017). Bitcoin – Plutokratie auf Raten? Digital Society Blog. Publication details

Lectures and presentations

PETable GDPR? Anonymization Techniques and the Law
PET-CON 2018.1: 8th Privacy Enhancing Techniques Convention. GI: Fachgruppe Datenschutzfördernde Technik. Einstein Center Digital Future, Berlin, Germany: 20.05.2018

Julian Hölzel

Personenbezug hat als Unterscheidungskriterium ausgedient: Wie Grundrechte und Grundfreiheiten auch durch die Verarbeitung nicht-personenbezogener Daten bedroht werden können
Digitalisierung und Mobilität: Grundsatzfragen Informationsfreiheit und Datenschutz. instkomm – Institut für Kommunikationsforschung. Europäische Akademie, Berlin, Germany: 17.07.2017

Jörg Pohle, Julian Hölzel

Richterratschlag 2016: Kryptografische Währungen am Beispiel von Bitcoin. Justizakademie Nordrhein-Westfalen, Recklinghausen, Germany: 05.11.2016

Neue Richtervereinigung - Zusammenschluss von Richterinnen und Richtern, Staatsanwältinnen und Staatsanwälten e.V.

Organisation of events

Privacy: Historischer Überblick und Vergleich ausgewählter Konzepte
Security und Privacy in dezentralen Systemen. From 01.11.2017 to 14.02.2018. Humboldt-Universität zu Berlin, Berlin, Germany. Co-Organised by: Schoppmann, Phillipp; Sparka, Hagen; Brack, Samuel; Henningsen, Sebastian; Scheuermann, Björn; Dietzel, Stefan (National)

Julian Hölzel

Geschichte und Theorie des eGovernment
with attending Vip: Klaus Lenk. 19.04.2017. Alexander von Humboldt Institut für Internet und Gesellschaft, Berlin, Germany (National)

Julian Hölzel, Jörg Pohle

Regulatorische Aspekte von Kryptowährungen
Digitale Währungen (M.A. Informatik/Humboldt-Universität zu Berlin). with attending Vip: Samuel Brack. From 18.04.2017 to 18.07.2017. Humboldt-Universität zu Berlin, RUD 25, Raum 3.113, Berlin, Germany (National)

Stefan Dietzel, Julian Hölzel