The European Data Protection Board (EDPB) has published its draft Guidelines 02/2025 on the processing of personal data through blockchain technologies. The guidelines aim to clarify how GDPR applies to blockchain-based data processing. The document is currently open for public consultation and may be subject to change before final adoption.
Key excerpts from the draft guidelines:
- Blockchain’s complexity creates GDPR challenges: The distributed and mathematically complex nature of blockchain introduces uncertainties and compliance risks, particularly affecting data subjects’ rights.
- Data Protection by Design is essential: Blockchain’s features (like immutability) make it hard to meet GDPR obligations such as the right to erasure and storage limitation, requiring reinforced data protection by design measures from the outset.
- Roles and architectures must be assessed early: The guidelines stress evaluating blockchain architectures and defining the roles and responsibilities of involved actors during the design phase to ensure GDPR compliance.
- Avoid storing personal data on-chain: As a general rule, personal data should not be stored on the blockchain if it conflicts with data protection principles. If on-chain storage is necessary, advanced privacy-preserving techniques and safeguards must be applied.
- DPIAs are critical for blockchain projects: A structured Data Protection Impact Assessment (DPIA) is required before using blockchain for personal data processing, with specific attention to blockchain-related risks and GDPR principles like transparency, rectification, and erasure.
Click here to read the draft guidelines.