Blockchain and Privacy: the EDPB Publishes Draft Guidelines

The European Data Protection Board (the EDPB) has published a draft version of its long-awaited Guidelines 02/2025 on the processing of personal data through blockchain technologies, tackling one of the most complex challenges in today’s digital landscape.

A blockchain is a distributed digital ledger system that can confirm transactions and establish who owned a digital asset (such as cryptocurrency) at a given time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.

As the use of blockchain technologies is expanding, the EDPB considers it important to help organisations using these technologies to comply with the GDPR.

Key takeaways from the EDPB’s draft guidelines

1. Data minimisation and defining purposes from the beginning.

In line with the data minimisation principle, only data that is strictly necessary should be processed. This is particularly important in the blockchain context, where recorded data is immutable and cannot be modified or deleted.

The EDPB stresses that personal data should not, by default, be accessible to an indefinite number of people. As a general principle, storing personal data on a blockchain should be avoided if it would conflict with data protection rules. The guidelines provide examples of techniques for data minimisation, as well as approaches for handling and storing personal data.

2. Minimisation of on-chain (i.e., within the blocks) storage of unencrypted personal data.

The EDPB notes that storing unencrypted personal data on-chain—without appropriate safeguards—almost inevitably breaches GDPR principles. It therefore proposes the following recommendations:

  • Store personal data off-chain whenever possible, with only a non-identifying reference stored on-chain;
  • At a minimum, apply techniques such as encryption, hashing, commitments, or zero-knowledge proofs—while remaining mindful of their limitations.
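To make the off-chain/on-chain split and the "limitations" caveat concrete, here is an added example (not code from the EDPB guidelines or from any particular blockchain project). It models a hypothetical `OffChainStore` under the controller's control that keeps the data and a random salt, while only a salted hash commitment is written on-chain. It also shows why a bare, unsalted hash of a low-entropy field (here a constructed `birth_year=` value) is not a non-identifying reference: anyone can recompute it over a small candidate set. All names and the sample record are assumptions for illustration.

```python
import hashlib
import secrets
from typing import Optional


def bare_hash(data: bytes) -> str:
    """Unsalted SHA-256 of the data: the weak form of an on-chain reference."""
    return hashlib.sha256(data).hexdigest()


def commitment(data: bytes, salt: bytes) -> str:
    """Hash commitment: the on-chain value binds the off-chain data without
    revealing it, as long as the salt is high-entropy and stays off-chain."""
    return hashlib.sha256(salt + data).hexdigest()


class OffChainStore:
    """Hypothetical off-chain storage held by the controller. Records are keyed
    by the commitment that was written on-chain; the data and the salt never
    leave this store."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def store(self, data: bytes) -> str:
        """Keep the data and a fresh 32-byte salt; return the on-chain commitment."""
        salt = secrets.token_bytes(32)
        c = commitment(data, salt)
        self._records[c] = (data, salt)
        return c

    def verify(self, c: str, data: bytes) -> bool:
        """Check that `data` is what the on-chain commitment `c` refers to."""
        rec = self._records.get(c)
        if rec is None:
            return False
        _, salt = rec
        return secrets.compare_digest(commitment(data, salt), c)

    def erase(self, c: str) -> None:
        """Erasure request: drop the data and the salt. The on-chain value stays
        immutable but can no longer be linked back to the person."""
        self._records.pop(c, None)

    def holds(self, c: str) -> bool:
        return c in self._records


def is_guessable(on_chain_value: str, candidates: list[bytes]) -> Optional[bytes]:
    """Limitation check for the bare-hash approach: if the on-chain value equals
    the unsalted hash of some plausible candidate, the field is re-identifiable.
    Returns the matching candidate, or None if the value resists this check."""
    for cand in candidates:
        if bare_hash(cand) == on_chain_value:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: a single low-entropy field, never written on-chain in clear.
    record = b"birth_year=1985"
    years = [f"birth_year={y}".encode() for y in range(1900, 2026)]

    weak_ref = bare_hash(record)
    print("bare hash re-identified:", is_guessable(weak_ref, years))

    store = OffChainStore()
    strong_ref = store.store(record)
    print("commitment re-identified:", is_guessable(strong_ref, years))
    print("verify before erasure:", store.verify(strong_ref, record))
    store.erase(strong_ref)
    print("verify after erasure:", store.verify(strong_ref, record))
```

The design point is that the immutable on-chain value carries no personal data by itself: its meaning lives entirely in the off-chain record and salt, so the controller can honour an erasure request by deleting those, which the bare-hash variant cannot offer because the hash alone remains linkable to a guessable value.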

3. Ensuring the effective exercise of data subject rights.

Controllers must also implement practical mechanisms to exercise data subject rights — including access, rectification, erasure, and objection — despite the technical complexity posed by immutable and decentralised infrastructures.

4. Roles & Responsibilities

The EDPB clarifies that the roles and responsibilities of different actors must be assessed during the design phase of the processing. Determining who is the data controller in decentralised environments depends on a factual analysis of who determines the purposes and means of processing. The governance mechanism of the blockchain and the relationships between the different actors involved are crucial.

5. Data Protection Impact Assessment (DPIA)

Since blockchain typically involves processing that may significantly impact data subjects’ rights, conducting a DPIA is likely to be required in most instances.

The DPIA should address, among other things:

  • Will the blockchain contain personal data?
  • Why is blockchain necessary and proportionate for this processing? What’s the rationale? What are the alternatives?

Final considerations

Ultimately, compliance in blockchain is achievable — but it requires intentional design, thorough risk assessments, and a firm commitment to protect data subjects’ rights.

The guidelines are open to public consultation until 9 June 2025, and the EDPB will cooperate with the AI Office to draft guidelines on the interplay between the AI Act and EU data protection legislation.
