
Blockchain and GDPR: what do the new EDPB guidelines say?

On April 8, 2025, the European Data Protection Board (EDPB) adopted Guidelines 02/2025, which provide new insights into the processing of personal data using blockchain technology. This document aims to support organisations planning to use this technology to process personal data in compliance with the GDPR.

The Guidelines outline fundamental principles of blockchain operation, require a clear definition of the roles and responsibilities of entities involved in data processing, and analyse the interplay between technical aspects and data protection principles under Article 5 of the GDPR.

Furthermore, the document provides practical recommendations on reconciling blockchain’s characteristics (including immutability of records, decentralisation, and global reach) with GDPR requirements.

Blockchain Challenges vs. GDPR Requirements

Blockchain technology presents several challenges for personal data protection.

The immutability of blockchain records conflicts with the right to rectification and erasure (Articles 16 and 17 GDPR).

Meanwhile, the infrastructure’s decentralised and distributed nature complicates the implementation of principles such as data minimisation and storage limitation (Article 5 GDPR) and the concept of Privacy by Design under Article 25 GDPR.

In practice, this results in challenges in identifying who acts as the data controller in a distributed ledger and ensuring the fundamental rights of data subjects in an environment where information is permanent and publicly accessible to numerous participants.

Cross-Border Blockchain: Legal Risks and Organisational Duties

Another challenge is the cross-border nature of many public blockchains. Personal data recorded on the chain can end up on nodes outside the European Economic Area (EEA), leading to transfers to third countries. Such circumstances require compliance with the strict requirements of Chapter V of the GDPR regarding international data transfers.

The EDPB emphasises that organisations should identify these data flows at the design stage of a solution and put appropriate legal mechanisms in place – for instance, standard contractual clauses (SCCs) signed with participants established outside the EEA – before allowing those participants to operate blockchain nodes.

Key Points and Recommendations of the EDPB Guidelines

  • Privacy by Design & Default
    The GDPR requirements should be integrated from the blockchain system’s design stage, ensuring that data processing is necessary and proportionate and that personal data is not accessible to an unlimited audience by default.
  • Clear Definition of Roles and Responsibilities
    Organisations must define the roles and relationships of blockchain participants precisely.
    In public blockchains, each validating node might be deemed a data controller, so it is advised to establish a dedicated legal entity (e.g., a consortium) as the controller or joint controllers.
  • Data Minimisation and Off-Chain Storage
    In line with data minimisation, only essential data should be written to the blockchain.
    Personal data should preferably be stored off-chain, for example in an encrypted database under the controller’s control, while the blockchain holds only hashes of, or references to, that data. Because a hash of a predictable value (an e-mail address, a national ID number) can be reversed by guessing candidate inputs, such on-chain hashes should be salted or keyed so that they cannot be linked back to the person without the off-chain secret.
  • Ensuring Data Subject Rights
    Controllers must ensure data subjects’ rights under the GDPR are not compromised by using blockchain.
    Procedures for deletion, rectification, or anonymisation must be in place, and participants must be clearly informed about data processing, associated risks, and their rights.
  • Security and Infrastructure Management
    The EDPB stresses robust security measures, including:

    • encryption,
    • access control,
    • participant authentication,
    • anomaly monitoring.

Organisations should also prepare contingency plans for attacks or errors and report data breaches in line with GDPR requirements.
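The off-chain storage pattern described in the recommendations above, written out as an added example (this is illustrative code, not part of the EDPB guidelines or of the article): the ledger is an append-only, hash-chained list that holds only a salted commitment per record; the personal data and its salt live in a mutable off-chain store; erasure deletes the off-chain row and leaves the ledger untouched, after which the commitment can no longer be matched to anyone; and a dictionary attack shows why an unsalted hash of an e-mail address is still personal data. The record identifiers, the sample e-mail addresses and the candidate list are constructed for the example.

```python
"""Off-chain personal data with salted on-chain commitments (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # assumed previous-hash value for the first ledger entry


@dataclass(frozen=True)
class LedgerEntry:
    record_id: str   # opaque identifier, not the person's name (assumption)
    commitment: str  # hex HMAC-SHA256 of the personal data, keyed by a random salt
    prev_hash: str   # hash of the previous entry; makes tampering detectable
    entry_hash: str


def _entry_hash(prev_hash: str, record_id: str, commitment: str) -> str:
    return hashlib.sha256(f"{prev_hash}|{record_id}|{commitment}".encode()).hexdigest()


class Ledger:
    """Append-only: entries are never rewritten or removed, mimicking an immutable chain."""

    def __init__(self) -> None:
        self.entries: List[LedgerEntry] = []

    def append(self, record_id: str, commitment: str) -> LedgerEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = LedgerEntry(record_id, commitment, prev, _entry_hash(prev, record_id, commitment))
        self.entries.append(entry)
        return entry

    def find(self, record_id: str) -> Optional[LedgerEntry]:
        return next((e for e in self.entries if e.record_id == record_id), None)

    def is_consistent(self) -> bool:
        """Recompute the hash chain; any edited or reordered entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.entry_hash != _entry_hash(prev, e.record_id, e.commitment):
                return False
            prev = e.entry_hash
        return True


class OffChainStore:
    """Mutable store under the controller's control: record_id -> (salt, personal data)."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, bytes]] = {}

    def put(self, record_id: str, salt: bytes, data: bytes) -> None:
        self._rows[record_id] = (salt, data)

    def get(self, record_id: str) -> Optional[Tuple[bytes, bytes]]:
        return self._rows.get(record_id)

    def erase(self, record_id: str) -> bool:
        """Right-to-erasure handler: only the off-chain row is deleted."""
        return self._rows.pop(record_id, None) is not None


def commit(salt: bytes, data: bytes) -> str:
    """Keyed commitment: without the salt, no candidate input can be tested against it."""
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


def register(ledger: Ledger, store: OffChainStore, record_id: str, personal_data: bytes) -> str:
    salt = secrets.token_bytes(32)
    store.put(record_id, salt, personal_data)
    commitment = commit(salt, personal_data)
    ledger.append(record_id, commitment)
    return commitment


def verify(ledger: Ledger, store: OffChainStore, record_id: str) -> bool:
    """True only while the off-chain data still exists and matches the on-chain commitment."""
    entry, row = ledger.find(record_id), store.get(record_id)
    if entry is None or row is None:
        return False
    salt, data = row
    return hmac.compare_digest(commit(salt, data), entry.commitment)


def naive_commitment(data: bytes) -> str:
    """The pattern to avoid: a plain, unsalted hash of the personal data itself."""
    return hashlib.sha256(data).hexdigest()


def dictionary_attack(target: str, candidates: List[bytes]) -> Optional[bytes]:
    """An observer with only the ledger hashes plausible inputs and compares."""
    for candidate in candidates:
        if naive_commitment(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    salted = register(ledger, store, "subj-1", b"alice@example.com")  # constructed sample
    print("verified:", verify(ledger, store, "subj-1"))
    store.erase("subj-1")
    print("verified after erasure:", verify(ledger, store, "subj-1"), "chain ok:", ledger.is_consistent())
    guesses = [b"bob@example.com", b"alice@example.com"]
    print("unsalted hash recovered:", dictionary_attack(naive_commitment(b"alice@example.com"), guesses))
    print("salted commitment recovered:", dictionary_attack(salted, guesses))
```

The point of the salt is that an on-chain value becomes meaningless once the off-chain row is gone: the ledger still contains the commitment, but nobody can test a guess against it, which is what makes erasure effective despite immutability. Using a reversible identifier or an unsalted hash as the on-chain value defeats this, because the dictionary attack recovers the input from the public ledger alone.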

Blockchain Innovation Meets GDPR – Why Compliance Requires Extra Vigilance

In conclusion, blockchain technology can be beneficial for innovative projects but does not relieve organisations of their GDPR obligations.

On the contrary, additional caution and the implementation of unconventional data protection measures are required. The key is conscious system design (in line with the Privacy by Design principle), avoiding storing excessive personal data on an immutable ledger, and being prepared to uphold individuals’ rights despite technical limitations.

Businesses should closely follow the guidance of authorities such as the EDPB and implement their recommendations in blockchain solutions so that innovation is accompanied by respect for privacy and legal requirements.

Unsure how to align your blockchain project with GDPR?
Contact our law firm! We will help you assess legal risks, implement practical compliance procedures, and ensure your blockchain solutions are secure, lawful, and future-proof. Let’s make innovation work hand in hand with data protection.

Author: Jacek Szczytko, team leader, DKP Legal

Contact us

POZNAŃ, POLAND
pl. W. Andersa 3
61-894 Poznań
+48 61 853 56 48

WARSAW, POLAND
Rondo ONZ 1
00-124 Warsaw
+48 22 300 16 74

KRAKÓW, POLAND
Opolska 110
31-355 Kraków
+48 61 853 56 48

ZIELONA GÓRA, POLAND
Jana Sobieskiego 2/3
65-071 Zielona Góra
+48 61 853 56 48

MILAN, ITALY
Via F. Sforza 15
20122 Milan
+48 61 853 56 48