Blockchain is one of the most important technologies of our time, not only because so-called cryptocurrencies such as Bitcoin are based on it. As the decentralised structure of blockchain poses a number of data protection challenges, the European Data Protection Board (EDPB) has issued its own guidelines on the subject.
The EDPB guidelines on blockchain
On 8 April 2025, the EDPB published its Guidelines 02/2025 on processing of personal data through blockchain technologies (PDF). These guidelines are aimed at organisations that use or plan to use blockchain solutions and provide comprehensive guidance on the data protection requirements applicable to this innovative technology.
Challenges of blockchain technology
Blockchain architectures are characterised by decentralisation, immutability and transparency. However, these defining characteristics lead to considerable data protection challenges:
- The permanent availability of transaction data poses risks to the rights and freedoms of data subjects.
- The right to erasure and the right to rectification are often difficult to implement technically.
- International blockchain networks can easily lead to third-country transfers that are problematic from a data protection perspective.
The EDPB therefore emphasises that the use of blockchain must be designed from the outset in such a way that the requirements of the General Data Protection Regulation (GDPR) are complied with, above all the principle of privacy by design and privacy by default in accordance with Art. 25 GDPR.
Key elements of the EDPB guidelines on blockchain
No storage of personal data on-chain
As a basic rule, the EDPB recommends not storing personal data directly in a blockchain at all. The reason for this is that entries cannot usually be changed after a transaction has been completed. If no personal data is stored in the blockchain, the GDPR does not apply. Consequently, data subjects’ rights do not pose any difficulties.
Instead of storing personal data in the blockchain, the blockchain should refer to data stored outside the blockchain in the company’s information systems.
If the storage of personal data in the blockchain is unavoidable, appropriate techniques such as encryption, hashing with a secret salt or cryptographic commitments should be used. Nevertheless, encrypted or hashed data remains personal data, and the GDPR continues to apply.
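As an added illustration (not code from the EDPB guidelines or from any particular blockchain product), the following Python sketch keeps the record in an off-chain store and writes only an HMAC-SHA256 commitment with a fresh per-record secret salt to a simulated ledger; an erasure request deletes the record and its salt while the ledger stays untouched. The ledger, store and record values are constructed stand-ins.

```python
import hashlib
import hmac
import json
import secrets


class OffChainRegistry:
    """Keeps personal data off-chain; the chain holds only salted-hash commitments.

    Constructed illustration: `ledger` stands in for an append-only blockchain,
    `store` for the company's own (erasable) information system.
    """

    def __init__(self) -> None:
        self.ledger: list[str] = []          # on-chain: immutable, append-only
        self.store: dict[str, dict] = {}     # off-chain: record + secret salt

    @staticmethod
    def _digest(salt: bytes, record: dict) -> str:
        # Canonical JSON so the same record always hashes the same way
        payload = json.dumps(record, sort_keys=True).encode()
        return hmac.new(salt, payload, hashlib.sha256).hexdigest()

    def commit(self, record: dict) -> str:
        """Write the record off-chain and a commitment to it on-chain."""
        salt = secrets.token_bytes(32)       # fresh secret salt per record
        commitment = self._digest(salt, record)
        self.store[commitment] = {"record": record, "salt": salt}
        self.ledger.append(commitment)       # only this value becomes immutable
        return commitment

    def verify(self, commitment: str, record: dict) -> bool:
        """Show that `record` is what was committed, using the off-chain salt."""
        entry = self.store.get(commitment)
        if entry is None or commitment not in self.ledger:
            return False
        return hmac.compare_digest(self._digest(entry["salt"], record), commitment)

    def erase(self, commitment: str) -> bool:
        """Erasure request: drop the record and its salt. The on-chain hash
        remains, but it can no longer be verified against, or linked to, the
        person without the deleted salt and record."""
        return self.store.pop(commitment, None) is not None
```

Because the salt is random per record, two commitments to identical data are different values, so entries for the same person cannot be linked on-chain; as long as the salt and off-chain record exist, the commitment is still personal data in the EDPB's sense.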
Preference for private or permissioned blockchains
Open, public blockchains entail particular risks, especially due to the global accessibility of the data. The EDPB therefore recommends using private or permissioned networks wherever possible, where there are clear rules about who is allowed to read or write transactions. This allows responsibilities to be assigned more clearly and compliance risks to be better controlled.
Clarity of roles and responsibilities
The distribution of tasks in a blockchain network makes it complex to determine who is the controller and who is a processor. Organisations must clarify at an early stage who determines the purposes and means of processing and is therefore the controller within the meaning of the GDPR.
Data subject rights
The EDPB emphasises that technical impossibility is not a justification for disregarding the rights of data subjects. It is the responsibility of the controllers to design the technical means and processes in such a way that the law can and will be complied with.
If processing is carried out on the basis of consent, it must be possible to delete or irreversibly anonymise the data if consent is withdrawn. Restrictions on data subject rights are only possible to the extent provided for in Art. 23 GDPR.
Conducting a data protection impact assessment (DPIA)
Since blockchain-based processing of personal data regularly entails high risks for data subjects, a comprehensive DPIA is imperative. In particular, this should highlight the immutability of data, the risks of international transfers and the possibilities for enforcing data subjects’ rights. The EDPB recommends that the DPIA be designed as a living process, as blockchain infrastructures evolve over time.
Smart contracts and automated decisions
Smart contracts can lead to automated decisions. Such processing must meet the requirements of Art. 22 GDPR, such as allowing for human intervention. Users must be informed when decisions are made solely by automated processes.
Technical measures and data protection principles
The EDPB guidelines deal in detail with how classic data protection principles such as purpose limitation, data minimisation and storage limitation can be implemented in blockchain applications. Important points to note are:
- Prefer off-chain storage: Wherever possible, sensitive content should be stored outside the blockchain and only references or cryptographic evidence should be kept on-chain.
- Effective anonymisation and pseudonymisation: Advanced cryptographic techniques in particular can be used to protect personal data.
- Observe retention periods: The principle of storage limitation pursuant to Art. 5(1)(e) GDPR also applies to identifiers stored on-chain.
Special security requirements in blockchain
Protecting the integrity and confidentiality of personal data remains a top priority, even with blockchain solutions. The EDPB recommends:
- regular security assessments of the entire infrastructure,
- use of up-to-date encryption methods,
- maintaining contingency plans in case of cryptographic vulnerabilities,
- documented governance processes, for example for updates.
Recommendations for practice
Overall, the EDPB gives organisations the following advice:
- Critically review the use of blockchain technologies.
- Choose architecture and procedures that ensure compliance with data protection principles at all times.
- Document all decisions and assessments in a comprehensible manner.
- Ensure that data subjects are informed about data processing in a clear and understandable manner.
- Promote data protection-friendly governance within the blockchain network.
Conclusion
The new EDPB guidelines make it clear that blockchain and data protection are not incompatible opposites, but they do pose a challenge for organisations. GDPR-compliant design requires careful planning, documented decisions and the conscious use of technical protection mechanisms.
Anyone who is unsure should seek legal and technical advice at an early stage. This is because violations of the GDPR in blockchain applications can result in heavy fines and damage to reputation.
It remains to be seen how these requirements will be implemented in practice. One thing is certain: anyone who wants to use blockchain technologies must be aware that data protection cannot be an afterthought but must be an integral part of the technical and organisational design.
