The European Data Protection Board Releases Guidance on GDPR Compliance for Blockchain Technologies

During its April 2025 plenary, the European Data Protection Board (“EDPB”) adopted new guidelines on the processing of personal data through blockchain technologies. Currently under public consultation, the document offers a framework for organizations exploring blockchain technologies, outlining the key General Data Protection Regulation (“GDPR”) compliance requirements that support its responsible and lawful use.

As a general definition, blockchain is a distributed ledger that allows for the chronological and immutable recording of data, shared among multiple nodes in a network. It is characterized by the absence of a central authority, the use of consensus mechanisms to validate transactions, and an inherent transparency that enables each participant to access all or part of the data recorded on-chain. However, these features can be difficult to reconcile with core GDPR principles, such as data minimization, purpose limitation and the rights of data subjects.

Acknowledging these tensions, the EDPB proposes targeted strategies centered on Data Protection by Design and by Default(1) (Article 25 GDPR), while cautioning that blockchain may be unsuitable for certain use cases involving personal data. The EDPB’s key recommendations are set out below:

1. Organizations must assess the necessity of using blockchain and evaluate the risks to data subject rights and freedoms before deploying it

Organizations must first determine whether the use of blockchain technology is truly necessary to achieve their intended purposes. This assessment should begin at the design phase, as recommended by the EDPB. If the same objectives can be met using alternative technologies that offer stronger data protection guarantees, those alternatives should be preferred over blockchain.

Once blockchain is chosen as the appropriate technology, organizations must conduct a thorough evaluation of its impact on data subject rights and freedoms. This evaluation should be part of a Data Protection Impact Assessment (DPIA), when applicable, and address critical questions such as:

• What kind of blockchain will be used—private, permissioned(2), or zero-knowledge?

• What safeguards will be implemented? For example, will personal data be stored off-chain? Which privacy-enhancing technologies will be employed to protect data privacy?

2. Controllers should store any additional personal data off-chain, beyond the identifiers already present on-chain in transaction metadata, to mitigate data protection risks.

Whenever possible, personal data should not be stored directly on the blockchain, to prevent conflicts with data protection principles.

When the controller decides to store additional personal data on-chain, robust technical measures must be implemented to mitigate associated risks. Common approaches include encryption, hashing, or other cryptographic techniques, though each method has its limitations(3) and may not fully eliminate data protection concerns.

3. Data controllers must inform data subjects in clear terms about the rationale for the processing, the existence of their rights and how to exercise them.

This information notice should be provided at key moments, such as before a data subject submits personal data to the blockchain or when the blockchain is first set up. Additionally, the information notice should always remain easily accessible, for example, through the controller’s website.

4. Controllers should ensure that only data that is relevant and limited to what is necessary for the purposes of the processing is processed.

As noted by the Panel for the Future of Science and Technology of the European Parliamentary Research Service(4), there is a clear tension between blockchain technology and the GDPR’s principles of data minimisation and purpose limitation. The study notes that while the GDPR requires personal data processing to be kept to a minimum and only for specified purposes, these requirements are difficult to apply to blockchain systems. This is because distributed ledgers are append-only databases that continually expand as new data is added, and this data is replicated across many different computers, both of which present challenges for data minimisation. 

In its guidelines, the European Data Protection Board emphasizes that controllers must thoroughly assess the level of public accessibility of any personal data stored or referenced on a blockchain. Viewed in this context, the data minimization principle obliges controllers to demonstrate that the chosen technological solution limits data processing to the absolute minimum amount of information required and restricts its exposure to the lowest possible level of publicity.

5. The implementation choices should include mechanisms for ensuring trust, including trust in the software and in nodes’ identities.

Blockchain integrity is ensured by its protocol, relying on trust in the consensus mechanism and participating nodes. While trust cannot be enforced directly, it can be fostered through incentives such as certified software for interacting with the blockchain, node identification methods and the use of permissioned blockchains.

6. Legal provisions must be established when the use of blockchain is mandated by law.

Where the use of a blockchain is mandated by Union or Member State law, legislators should include provisions regarding the acceptable level of publicity and discourage any breach of confidentiality(5).

7. Software vulnerabilities should be addressed through clear technical and organizational procedures.

The EDPB recommends setting out technical and organizational procedures to disclose software vulnerabilities to all participants.

This may include:

• A process to disclose vulnerabilities to all relevant stakeholders

• An emergency plan that allows algorithms to be changed when a vulnerability is identified

• Protocols to notify security incidents and data breaches to supervisory authorities 

• Protocols to communicate the incident to the involved data subjects

8. The governance of changes to the software used to create transactions and to create and validate blocks should be documented.

Technical and organizational procedures should be set out to ensure an alignment between planned permissions and practical application.

9. Consent must only be used as a legal basis when data erasure is technically possible.

Where consent is used as the legal basis for processing, it must fully comply with the requirements set out in Article 4(11) and Article 7 of the GDPR(6). This means that consent must be freely given, specific, informed and unambiguous. Moreover, consent can only be considered freely given if the data subject has a genuine and free choice and is able to refuse or withdraw consent without detriment.

Therefore, consent should not be used as the legal basis for personal data processing that requires transactions with individuals if the blockchain architecture does not provide a way to delete the personal data of the parties to a transaction(7).

10. Controllers should implement data protection by design and by default

All data protection principles should be included by design and by default in any processing from the outset and throughout the processing life cycle. All processing operations need to be necessary and proportionate in relation to the purposes of processing. By default, personal data should not be made accessible on a public blockchain without the data subject’s intervention.

11. The data retention period for metadata, including users' identifiers and payloads, should be determined in accordance with Article 17 and Article 25(1) of the GDPR(8).

In cases where processing does not require a retention period equal to, or longer than the lifetime of the blockchain, personal data should not be written to the blockchain unless it is done in a way that allows for the effective prevention of identification of the data subjects with reference to that data employing means reasonably likely to be used.

If the data retention period is the lifetime of the blockchain, the controller must be able to justify that this retention period is necessary and proportionate to the purpose.

12. Controllers should assess and implement security safeguards

Controllers are advised to conduct a comprehensive assessment of the security measures necessary to protect blockchain systems, taking into account the specific risks associated with their operations. The outcomes of this assessment should be documented within the DPIA. Furthermore, it is essential to establish technical and organizational procedures to mitigate the effects of potential algorithmic failures, such as vulnerabilities in the cryptographic primitives employed by the blockchain.

13. Controllers should ensure the effective exercise of data subjects' rights.

Data subjects' rights under the GDPR cannot be limited or overridden by technical design choices or by the consent of the data subject. Technical choices for the implementation of the processing should ensure that all data subject rights under the GDPR can be fully exercised.

(1) “Data protection by design must be implemented both at the time of determining the means of processing and at the time of processing itself. It is at the time of determining the means of processing that controllers shall implement measures and safeguards designed to effectively implement the data protection principles. To ensure effective data protection at the time of processing, the controller must regularly review the effectiveness of the chosen measures and safeguards. The EDPB encourages early consideration of data protection by design when planning a new processing operation.” European Data Protection Board, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, Version 2.0, adopted on 20 October 2020, p. 7. Available at: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en

(2) Among the different configurations available, the EDPB recommends opting for permissioned blockchains, where reading and writing rights are restricted to a limited number of identified actors. This model, according to the Board, enables clearer governance, better attribution of responsibilities, and more effective mechanisms for upholding data subject rights. As the EDPB notes: “The focus should be on confining the data being unduly processed by any other non-blockchain-related parties. The content confidentiality would rely on the mechanisms used (encryption, commitment, etc.) and on classical measures assuring the security of any off-chain data.” See EDPB, Guidelines 05/2024 on the use of personal data in the context of blockchain technology, version for public consultation, 8 April 2025, p. 14. Available at: https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-022025-processing-personal-data_en

(3) Regarding encryption, the EDPB recalls “that encrypted personal data is still personal data and encryption does not remove the need for GDPR compliance. Further, even state-of-the-art encryption perfectly implemented will be overtaken by time if the blockchain is retained indefinitely. This needs to be taken into consideration by the controller when deciding whether to store encrypted personal data on the chain.” Concerning hashing, the EDPB points out that “It should also be noted that the use of unsalted or unkeyed hashes should, in general, not be considered sufficient to guarantee the necessary level of confidentiality protection for storing personal data on a public blockchain.” As for commitment schemes, the EDPB remarks that “If the commitment has been computed using a perfectly hiding state-of-the art scheme, then once the original data and its witness are deleted, the commitment persisting in the blockchain is useless. It will be neither possible to recover nor to recognise the original personal data.” See EDPB, Guidelines 05/2024 on the use of personal data in the context of blockchain technology, version for public consultation, 8 April 2025, p. 12. Available at: https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-022025-processing-personal-data_en
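The distinction drawn in recommendation 2 and in this footnote, as an added example that is not from the EDPB guidelines or this article: an unsalted hash of an enumerable identifier can be matched simply by re-hashing a candidate list, whereas a witness-keyed commitment (here an HMAC with a random 32-byte witness, a computationally hiding stand-in for the perfectly hiding scheme the EDPB mentions) cannot, and its persisting on-chain value becomes an opaque digest once the off-chain data and witness are erased. The identifier format, the candidate list and the OffChainStore class are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample: a low-entropy identifier in a hypothetical format.
SAMPLE_ID = "ID-1990-0421-0042"
# Constructed candidate space an outsider could enumerate (10,000 values).
CANDIDATES = [f"ID-1990-0421-{i:04d}" for i in range(10000)]

def unsalted_hash(data: str) -> str:
    """Plain SHA-256: the pattern the EDPB says is insufficient on a public chain."""
    return hashlib.sha256(data.encode()).hexdigest()

def recognisable(onchain_value: str, candidates) -> Optional[str]:
    """Controller-side check: can the on-chain value be matched by re-hashing candidates?"""
    for c in candidates:
        if hmac.compare_digest(unsalted_hash(c), onchain_value):
            return c
    return None

def commit(data: str) -> Tuple[str, bytes]:
    """Keyed commitment: a random 32-byte witness (kept off-chain) keys an HMAC over the data."""
    witness = secrets.token_bytes(32)
    return hmac.new(witness, data.encode(), hashlib.sha256).hexdigest(), witness

def open_commitment(onchain_value: str, data: str, witness: bytes) -> bool:
    """Verify that (data, witness) opens the on-chain commitment."""
    expected = hmac.new(witness, data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, onchain_value)

class OffChainStore:
    """Hypothetical off-chain store of (data, witness), keyed by the on-chain commitment."""
    def __init__(self) -> None:
        self._records: Dict[str, Tuple[str, bytes]] = {}

    def record(self, data: str) -> str:
        value, witness = commit(data)
        self._records[value] = (data, witness)
        return value  # only this value is written on-chain

    def resolve(self, onchain_value: str) -> Optional[str]:
        entry = self._records.get(onchain_value)
        if entry and open_commitment(onchain_value, entry[0], entry[1]):
            return entry[0]
        return None

    def erase(self, onchain_value: str) -> None:
        """Delete data and witness; the on-chain value persisting afterwards is an opaque digest."""
        self._records.pop(onchain_value, None)
```

Note that even with the witness deleted, the HMAC value remains only computationally hiding, which is why the EDPB's caveat about encryption being overtaken by time applies here as well.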

(4) Panel for the Future of Science and Technology, European Parliamentary Research Service (EPRS). Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law. Scientific Foresight Unit (STOA), PE 634.445, July 2019. Available at: https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf

(5) According to Article 6(3) of the General Data Protection Regulation, “The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by: (a) Union law; or (b) Member State law to which the controller is subject. The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued”.

(6) Article 4(11) of the General Data Protection Regulation (GDPR): “For the purposes of this Regulation, ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

Article 7 of the General Data Protection Regulation (GDPR): (1) Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (2) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. (3) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.(4) When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

(7) For further details, see p. 62 of Panel for the Future of Science and Technology, European Parliamentary Research Service (EPRS), Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law, Scientific Foresight Unit (STOA), PE 634.445, July 2019. Available at: https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf

(8) Article 25 of the General Data Protection Regulation (GDPR): (1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.