Due to the advancing digitalization, the importance of data is constantly increasing. Application domains such as smart cars, smart cities, or smart healthcare rely on the permanent availability of large amounts of data to all parties involved. As a result, the value of data increases, making it a lucrative target for cyber-attacks. Particularly when human lives depend on the data, additional protection measures are therefore important for data management and provision. Blockchains, i.e., decentralized, immutable, and tamper-proof data stores, are becoming increasingly popular for this purpose. Yet, from a data protection perspective, the immutable and tamper-proof properties of blockchains pose a privacy concern. In this paper, we therefore investigate whether blockchains are in compliance with the General Data Protection Regulation (GDPR) if personal data are involved. To this end, we elaborate which articles of the GDPR are relevant in this regard and present technical solutions for those legal requirements with which blockchains are in conflict. We further identify open research questions that need to be addressed in order to achieve a privacy-by-design blockchain system.