ARTICLE
26 June 2025

New EDPB Guidelines: Processing Personal Data On Blockchain

K&L Gates LLP


The European Data Protection Board recently published its draft Guidelines 02/2025, which remain open to consultation until 09 June 2025. Stakeholders in the blockchain industry are encouraged to submit any observations before the finalization of these Guidelines.

The current key takeaways from this version include:

  • Avoid storing personal data directly on blockchain where possible;
  • Use encryption, hashing, and off-chain storage to protect data;
  • Implement data protection by design principles;
  • Ensure data subject rights can be exercised;
  • Conduct thorough DPIAs before implementation.

In addition, the Guidelines provide 16 practical recommendations for organizations considering blockchain adoption, balancing innovation with privacy protection:

1. Documentation: Organizations must document their rationale for using blockchain, the type of blockchain needed, and the technical measures used
2. Off-chain Storage: Personal data beyond necessary identifiers should be stored off-chain
3. Information: Clear communication to data subjects about processing rationale and their rights
4. Data Minimisation: Only process relevant and necessary data
5. Trust: Implement trust mechanisms through certification and independent verification
6. Legal Framework: When mandated by law, include provisions about acceptable publicity levels
7. Software Vulnerabilities: Establish procedures for handling and disclosing vulnerabilities
8. Governance: Document software changes and ensure alignment between specification and implementation
9. Consent: Where consent is the relevant legal basis, ensure it is freely given and can be withdrawn
10. Data Protection by Design: Include protection principles from the outset
11. Data Retention: Establish clear retention periods and mechanisms for deletion. This is one of the major pain points as data deletion at the individual level in a blockchain can be challenging and requires ad-hoc engineered architectures. Where deletion has not been taken into account by design (see Recommendation #16), this may require the deletion of the whole blockchain.
12-15. Security Measures: Implement comprehensive security evaluations, handle algorithm failures, document evolution, and ensure confidentiality
16. Data Subject Rights: Ensure rights cannot be restricted by technical implementation

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
