On 14 April 2025, the EDPB published guidelines for public consultation on the processing of personal data through blockchain technologies (the "Guidelines") [1]. The Guidelines highlight the challenges and risks that arise in this space and note that such risks need to be carefully assessed. The Guidelines provide practical advice on matters relating to GDPR compliance, emphasising the importance of data protection by design and default and the need to carry out a DPIA prior to processing using blockchain technology.
What are the main data protection risks that arise with blockchain?
The Guidelines provide a detailed technical consideration of the various elements and properties of blockchain technology. The Guidelines note that, while blockchain comes with some potential benefits, its properties also give rise to unique data protection non-compliance risks where personal data is involved. For example:
- difficulty deleting a transaction which is recorded on chain can impact the effective exercise of data subject rights such as the right to rectification or erasure;
- difficulties may arise with the application of the principles of data minimisation and storage limitation; and
- a decentralised approach may trigger risks in connection with international transfers, multiple stakeholders and the allocation of responsibilities, and governance and management issues.
What are the key areas of GDPR compliance to consider?
- Roles and responsibilities: The Guidelines emphasise that while decentralised governance used by blockchain can lead to a number of actors and roles, this is not a reason not to comply with the GDPR. The Guidelines note that a factual assessment must be carried out of the roles and responsibilities for each processing activity, taking into account the separate EDPB guidelines on the concepts of controller and processor in the GDPR [2]. The EDPB notes that the governance mechanism of the blockchain system is often key in this respect. The Guidelines consider the nuances of permissioned and permissionless blockchains, and how the different approaches may impact on the designation of controllers and processors.
- Evaluation of processing: The Guidelines stress that a proper evaluation of the proposed processing must be carried out prior to implementing blockchain (to be included in a Data Protection Impact Assessment ("DPIA")), as it is necessary to document why blockchain technology has been chosen (as opposed to an alternative technology which may create less risk of non-compliance). Key questions to consider include: (i) will the data on the blockchain contain personal data; (ii) if so, why is a blockchain necessary for the processing; (iii) what type of blockchain is used (i.e. public/private, permissioned/permissionless); and (iv) what technical and organisational measures are used. The Guidelines consider the various approaches to storing personal data on or off the blockchain, with potential measures to reduce risks to data subjects including encryption, hashing, and cryptographic commitments (with the Guidelines assessing the potential benefits of these measures).
- Data protection principles: The Guidelines consider the various issues that should be taken into account when assessing compliance with the data protection principles contained in Article 5 of the GDPR. The EDPB sets out a detailed consideration of the impact of blockchain technology on the principles of (i) fairness and transparency; (ii) purpose limitation; (iii) data minimisation; (iv) accuracy; (v) storage limitation; and (vi) integrity and confidentiality.
- Legal basis: The Guidelines note that for each processing of personal data, the legal basis most appropriate for the processing purpose and the specific context must be determined. The EDPB provides consent under Article 6(1)(a) and legitimate interests under Article 6(1)(f) of the GDPR as potential options.
- Data protection by design and default, DPIAs and other key considerations: The Guidelines highlight the importance of data protection by design and default in the context of blockchain technology, and provide guidance as to issues which should be considered in any DPIA (including a consideration of common risks that arise with the use of blockchain technology). Other key compliance areas which are considered by the EDPB relate to retention periods and security-focused technical and organisational safeguards.
- Data subject rights: The Guidelines note the importance of complying with data subjects' rights, including the right to receive certain information; the right to access; the right to data portability; the right to erasure; the right to object; the right to rectification; and the right to object to a solely automated decision. While the EDPB states that the rights to information, access and data portability can be compatible with blockchain as long as the controller fulfils all GDPR requirements regarding the exercise of those rights, the EDPB notes that the rights to erasure, objection and rectification must be complied with by design and be considered by controllers early in the design phase.
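As an added illustration of the off-chain storage pattern and erasure-by-design point made above (constructed example code, not from the Guidelines or any particular blockchain project), the following keeps personal data in an erasable off-chain store and anchors only a salted SHA-256 commitment on an append-only ledger stand-in; `Ledger`, `OffChainStore` and the sample record are assumptions for the demonstration:

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed illustration (not from the Guidelines): personal data stays in an
# erasable off-chain store; only a salted SHA-256 commitment goes on the
# append-only ledger, so erasure is achieved by deleting the off-chain record.

def commit(data: bytes, salt: bytes) -> str:
    """Hiding and binding commitment: without the salt the digest reveals nothing."""
    return hashlib.sha256(salt + data).hexdigest()

class Ledger:
    """Append-only stand-in for the chain: entries can be read but never removed."""
    def __init__(self) -> None:
        self._entries: List[Tuple[str, str]] = []
    def append(self, record_id: str, commitment: str) -> None:
        self._entries.append((record_id, commitment))
    def entries(self) -> List[Tuple[str, str]]:
        return list(self._entries)

class OffChainStore:
    """Holds the personal data and per-record salt under the controller's control."""
    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
    def put(self, record_id: str, data: bytes) -> str:
        salt = secrets.token_bytes(32)          # fresh random salt per record
        self._records[record_id] = (data, salt)
        return commit(data, salt)               # this is what gets anchored on-chain
    def open(self, record_id: str, commitment: str) -> Optional[bytes]:
        entry = self._records.get(record_id)
        if entry is None:
            return None                         # erased or never stored
        data, salt = entry
        return data if commit(data, salt) == commitment else None
    def erase(self, record_id: str) -> bool:
        """Right to erasure: drop data and salt; the on-chain digest is left as an opaque value."""
        return self._records.pop(record_id, None) is not None

def demo() -> bool:
    store, ledger = OffChainStore(), Ledger()
    c = store.put("subject-42", b"alice@example.invalid")   # constructed sample data
    ledger.append("subject-42", c)
    before = store.open("subject-42", c) == b"alice@example.invalid"
    store.erase("subject-42")
    after = store.open("subject-42", c) is None and ledger.entries() == [("subject-42", c)]
    return before and after
```

The ledger entry survives erasure unchanged, which is exactly why the decision to anchor only a salted commitment (rather than the data or an unsalted hash) has to be taken at the design stage and recorded in the DPIA.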
EDPB recommendations
As a further practical guide to organisations who are considering the use of blockchain where personal data is involved, the Guidelines also contain a set of 16 concise recommendations which should be taken into account prior to engaging in any such processing.
Timeline for consultation
The EDPB Guidelines were published on 14 April 2025 and are open for consultation until 9 June 2025.
Footnotes
1. Guidelines 02/2025 on processing of personal data through blockchain technologies, Version 1.1, Adopted on 08 April 2025.
2. Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.1, Adopted on 07 July 2021.