The European Data Protection Board ("EDPB") adopted Guidelines 02/2025 on processing of personal data through blockchain technologies (the "Guidelines"), addressing the delicate and complicated intersection of distributed ledger technology with the EU's General Data Protection Regulation ("GDPR").
These Guidelines, currently open for public consultation until June 9, 2025, provide a thorough analysis for organizations processing personal data through blockchain technologies, clarifying expectations and compliance pathways for a sector long entangled in legal uncertainty.
The Guidelines focus on the application of the GDPR's strict requirements to blockchain's decentralized, immutable, and often borderless nature. In doing so, the EDPB highlights the importance of assessing the characteristics of different blockchain architectures, distinguishing between public permissionless blockchains (such as Bitcoin and Ethereum) and private permissioned blockchains (the more common choice within companies). Public permissionless blockchains are decentralized: all participants have equal rights and capacities and can read, write, or be candidates for creating new blocks. Private permissioned blockchains, by contrast, generally have a small group of entities with the authority to grant permission to participate: only selected nodes can read, write, or be candidates for creating new blocks, depending on the rules that apply to the blockchain.
Defining roles and responsibilities
In accordance with the principle of accountability defined by the GDPR, the Guidelines stress the need for clear governance and defined roles and responsibilities in blockchain operations. According to the EDPB's position, all actors involved in blockchain-based processing must define and document their roles, in particular distinguishing between data controllers and processors. This is especially challenging in public, permissionless blockchains, where participants may have varying degrees of influence over the network. To address this issue, the EDPB encourages the formation of consortia or legal entities among nodes, which can act as the controller for GDPR purposes.
Data protection by-design and by-default
As noted by the EDPB, a data protection by design and by default approach is particularly important in the context of blockchain, as the technology sits uneasily with several data protection principles. Controllers must implement effective technical and organizational measures from the outset, minimizing data exposure and ensuring that personal data is not, by default, accessible to an indefinite number of people. This also includes careful selection of the blockchain architecture, with permissioned or private blockchains being preferred over public blockchains, which according to the EDPB should only be used when their openness is strictly necessary for the processing purpose.
International data transfers: the challenge of global nodes
Among the most complex issues addressed is the international transfer of personal data. Blockchains, particularly public ones, generally involve nodes located in multiple jurisdictions that are neither chosen nor vetted by the controller, thus raising GDPR compliance concerns. The Guidelines clarify that participation by nodes outside the European Economic Area (EEA) constitutes an international transfer of personal data, requiring suitable safeguards such as Standard Contractual Clauses.
Based on the analysis contained in the Guidelines, controllers should map the locations of all nodes and assess the legal implications of cross-border data flows. For public blockchains, where node locations may be unknown or constantly changing, this presents a significant compliance challenge.
Data retention and data subject rights: reconciling immutability with storage limitation
The GDPR's storage limitation principle requires that personal data not be kept longer than necessary for the purposes for which it was collected. However, as immutability is one of blockchain's core features, data, once written to it, can hardly be deleted or modified.
The Guidelines address this tension by acknowledging the technical impossibility of complying with erasure, objection and rectification obligations on the blockchain itself, concluding that, where deletion has not been taken into account by design, compliance may require deleting the whole blockchain. This radical proposition has sparked concern in the blockchain community, which fears that the prevalence of interests linked to data protection compliance could undermine the very advantages associated with the adoption of blockchain technology. However, the EDPB suggests that, if the combination of on-chain and off-chain data is taken into account by design, the erasure of the off-chain data may render the on-chain transaction no longer related to an identified or identifiable person, thus preserving the integrity of the blockchain while allowing compliance with GDPR principles.
The EDPB also considered that, where the processing does not require a retention period equal to the lifetime of the blockchain, personal data should not be written to the blockchain unless it is done in a way that effectively prevents identification of the data subjects. Moreover, the EDPB emphasized that controllers must justify any retention period that extends for the lifetime of the blockchain, demonstrating necessity and proportionality.
The Data Protection Impact Assessment (DPIA) as a mandatory step
The Guidelines remind that a DPIA is mandatory for any processing likely to result in high risks to individuals' rights and freedoms, a threshold almost always met given the frictions between blockchain technology and GDPR principles. The DPIA should:
- Assess necessity and proportionality: Clearly articulate why blockchain is necessary for the intended processing, and whether less intrusive alternatives exist.
- Evaluate immutability risks: Analyze the impact of blockchainโs immutability on data subject rights, especially the rights to rectification and erasure.
- Review Privacy-Enhancing Technologies (PETs): Examine the effectiveness of PETs (e.g., zero-knowledge proofs, encryption) in mitigating risks.
- Consider international transfers: Detail the implications of cross-border data flows, especially in public chains with global nodes.
- Document mitigation measures: Propose technical and organizational safeguards, including access controls, off-chain storage, and governance structures.
- Describe the mechanism for the exercise of Data Subject Rights: Outline procedures for responding to data subject requests, including potential limitations and alternatives if technical erasure is not feasible.
If the DPIA concludes that compliance with data protection law cannot be realistically ensured with appropriate technical and organisational measures, the controller should instead rely on a different model of blockchain or another technology that reduces, or does not introduce, such risks.
The broader context: why now, and what comes next?
The EDPB's decision to issue these Guidelines reflects the rapid expansion of blockchain applications beyond cryptocurrencies into finance, supply chains, healthcare, and digital identity, all of which often involve the processing of personal data. So far, the lack of clear regulatory guidance has been a barrier to the adoption of blockchain technology by many privacy-conscious organizations. The Guidelines aim to close this gap, ensuring that innovation does not come at the expense of fundamental rights.
Nonetheless, the Guidelines' emphasis on governance, accountability, and controllability sets a high bar for GDPR compliance, raising the stakes for blockchain projects. This may accelerate the shift toward permissioned and private blockchains for any use case involving personal data, to the detriment of more decentralized and open architectures. Indeed, the prospect that public, permissionless blockchains could be targeted for deletion if individual data cannot be erased amounts to an existential threat to decentralized systems.
A Regulatory Crossroads
The EDPB's Guidelines mark a pivotal moment for blockchain in Europe. They were received with significant concern by blockchain experts, who often characterized them as presenting more obstacles than solutions for practitioners. The EDPB's strong discouragement of storing personal data on-chain, its preference for permissioned blockchains over public ones, and its position that nodes on public blockchains may qualify as joint controllers under the GDPR raise substantial legal exposure for participants who were previously considered neutral.
The public consultation period offers stakeholders an opportunity to influence the final text, but unless significant changes are made, the Guidelines are poised to reshape the European blockchain landscape, potentially favoring centralized models and raising existential questions for public, decentralized blockchains.
On a similar topic, you can read the article "What is the liability deriving from the blockchain? And how to handle it?".
Authors: Andrea Pantaleo, Marianna Riedo