New EDPB guidance on blockchain and GDPR compliance
The EDPB has also opened a public consultation on these guidelines, inviting feedback until 9 June 2025.
On 14 April 2025, the European Data Protection Board (EDPB) introduced new guidelines addressing the processing of personal data via blockchain technologies. These guidelines aim to assist organisations in aligning blockchain applications with the General Data Protection Regulation (GDPR).
Understanding blockchain in the context of GDPR
Blockchain, a decentralised digital ledger, records transactions and can verify ownership of digital assets like cryptocurrencies. Its design ensures data integrity and traceability. However, the immutable nature of blockchain presents challenges when reconciling with GDPR’s requirements, such as data minimisation and the rights to rectification and erasure.
Key recommendations from the EDPB
- Early Implementation of Safeguards: Organisations are encouraged to incorporate technical and organisational measures during the initial design phases of blockchain-based data processing.
- Clarifying roles and responsibilities: It’s essential to define the roles of various participants in blockchain networks, distinguishing between data controllers and processors, especially in complex architectures.
- Conducting data protection impact assessments (DPIAs): Before initiating processing activities that might pose significant risks to individual rights, organisations should perform DPIAs to identify and mitigate potential issues.
- Avoiding on-chain storage of personal data: Whenever possible, personal data should not be stored directly on the blockchain to prevent conflicts with data protection principles.
- Upholding data subject rights: The guidelines emphasise the importance of ensuring transparency and facilitating the rights of individuals to access, rectify, and erase their personal data.
The EDPB has also opened a public consultation on these guidelines, inviting feedback until 9 June 2025. Additionally, the Board plans to collaborate with the EU AI Office to develop guidance on the intersection of the AI Act and EU data protection laws.
