From Blocks to Rights: Privacy and Blockchain in the Eyes of the EU Data Protection Authorities
Wednesday, May 7, 2025

On April 14, 2025, the European Data Protection Board (EDPB) released guidelines detailing how to process personal data using blockchain technologies in compliance with the General Data Protection Regulation (GDPR) (Guidelines 02/2025 on processing of personal data through blockchain technologies). These guidelines highlight certain privacy challenges and provide practical recommendations.

Challenges Under the GDPR

Blockchain’s immutability conflicts with rights to data rectification and deletion (Articles 16 and 17 GDPR). Its decentralized nature makes it difficult to comply with GDPR principles like data minimization, storage limitation (Article 5) and data protection by design (Article 25). International data transfers are also complicated, prompting the EDPB to recommend using standard contractual clauses for node participation to ensure Chapter V compliance.

Key Recommendations for Organizations

In order to minimize risks and ensure GDPR-compliant data processing when using blockchain, the EDPB sets out certain rules for organizations to follow.

Roles and Responsibilities

Roles must be clearly defined based on service nature, governance and relationships. The EDPB makes a special mention of nodes in public permissionless blockchains. Nodes in public blockchains may be considered data controllers. A legal entity (e.g., a consortium) is encouraged when nodes jointly determine processing purposes.

Technical and Organizational Measures

Organizations should assess:

  1. Whether personal data will be stored
  2. If so, why the blockchain is needed
  3. The type of blockchain to be used (public only if necessary)
  4. The adequate technical safeguards to be implemented

Public blockchains should be avoided unless essential. Personal data should only be identifiable where necessary and justified via a Data Protection Impact Assessment (DPIA). The techniques the EDPB suggests for limiting the identifiability of personal data include:

  • Encryption – Protects data, but remains personal under GDPR.
  • Hashing – Offers security, but risks remain if keys are compromised.
  • Cryptographic commitments – Securely obscure data when original inputs are deleted.
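As an added illustration (not from the EDPB guidelines or this article), the following Python contrasts the last two bullets: an unkeyed hash of a guessable identifier can be re-linked simply by recomputing it over candidate values, whereas a commitment built from the data plus a random nonce kept off-chain can no longer be opened once the off-chain record is erased, leaving the on-chain value without a data subject. The e-mail addresses and directory are constructed sample values.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a low-entropy identifier and a directory of candidates.
SAMPLE_EMAIL = "alice@example.com"
CANDIDATE_DIRECTORY = ["bob@example.com", "alice@example.com", "carol@example.com"]


def plain_hash(data: str) -> str:
    """Unkeyed SHA-256: deterministic, so anyone who can guess the input can re-derive it."""
    return hashlib.sha256(data.encode()).hexdigest()


def relink_plain_hash(on_chain_hash: str, candidates: List[str]) -> Optional[str]:
    """DPIA-style residual-risk check: can an unkeyed hash be tied back to a
    person by recomputing it over plausible inputs? If yes, it is still personal data."""
    for candidate in candidates:
        if plain_hash(candidate) == on_chain_hash:
            return candidate
    return None


def commit(data: str) -> Tuple[str, Dict[str, Optional[bytes]]]:
    """Hiding and binding commitment: SHA-256 over a random 32-byte nonce and the data.
    Only the digest goes on-chain; the data and nonce form the off-chain record."""
    nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + data.encode()).hexdigest()
    return digest, {"data": data.encode(), "nonce": nonce}


def open_commitment(commitment: str, record: Dict[str, Optional[bytes]]) -> bool:
    """Verify an opening against the on-chain commitment; fails once the off-chain
    nonce or data has been erased, so the immutable digest is no longer linkable."""
    if record["nonce"] is None or record["data"] is None:
        return False
    return hashlib.sha256(record["nonce"] + record["data"]).hexdigest() == commitment


def erase_off_chain(record: Dict[str, Optional[bytes]]) -> Dict[str, Optional[bytes]]:
    """Simulated GDPR erasure: wipe the off-chain record; the chain itself is untouched."""
    record["data"] = None
    record["nonce"] = None
    return record
```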

GDPR Principles and Data Subject Rights

  • Deletion and objection – Due to blockchain’s permanence, erasure may require deleting parts of the chain or anonymizing data. Off-chain storage of personal data is preferred.
  • Data retention – If data isn’t needed for the blockchain’s full life, it shouldn’t be stored on-chain unless anonymized.
  • Security – Suggested safeguards include emergency protocols, breach notifications and protections against 51% attacks and rogue participants.
  • Rectification – If rectification requires deletion, standard erasure methods apply. Otherwise, new transactions must correct prior data without altering old entries.
  • Automated decisions – Controllers must meet Article 22 GDPR requirements even if a smart contract has executed.

Next Steps

Public consultation is open until June 9, 2025. The final version is expected to remain largely consistent with the draft, offering essential guidance for GDPR-compliant blockchain use.

This article was co-authored by Damian Perez-Taboada

More from Squire Patton Boggs (US) LLP