
EDPB guidelines no. 02/2025, version 1.1 (April 8, 2025)

The European Data Protection Board (EDPB) has just published, on 8 April 2025, a draft version of its guidelines on the processing of personal data through blockchain technologies. The document, currently subject to public consultation, proposes a framework for analyzing GDPR compliance issues when a processing operation is based – in whole or in part – on so-called blockchain technology. The EDPB notes that certain fundamental characteristics of blockchains are difficult to reconcile with the requirements of the GDPR, but endeavors to propose suitable avenues of compliance – while recalling that, in some cases, the use of this technology will simply have to be ruled out.

A multifaceted technology with specific characteristics

Blockchain is, in principle, a distributed ledger that allows for the chronological and immutable recording of data, shared among multiple nodes in a network. It is characterised by the absence of a central authority, the use of consensus mechanisms to validate transactions, and an inherent transparency that enables each participant to access all or part of the data recorded on-chain.

The EDPB nevertheless stresses that this general definition covers a wide variety of technical models. Depending on the context, a blockchain may be public or private, open or restricted, with very different rules regarding participation and governance. These distinctions directly impact the nature of the processing operations that may be carried out and the ability of data controllers and processors to ensure compliance with the GDPR.

Various categories of personal data may appear on a blockchain: pseudonymous identifiers (such as public keys), IP addresses, content data associated with transactions (e.g. documents, contracts, or payment information), and even biometric or sensitive data in certain use cases. Some of these data may be stored directly within the blocks (on-chain), while others are merely referenced on-chain by means of pointers or hashes, with the actual data hosted off-chain.

Clear points of friction with GDPR principles

The EDPB identifies several structural tensions between blockchain’s technical features and GDPR requirements. In particular:

  • Storage limitation (Article 5(1)(e) GDPR): Once recorded, data in a blockchain can generally no longer be deleted, which conflicts with the principle of limited retention.
  • Right to erasure and rectification: The immutability of blockchain entries makes it inherently difficult—if not impossible—to ensure the effective exercise of these rights.
  • Qualification of actors: Decentralisation complicates the identification of a clearly defined data controller (or controllers), especially in so-called permissionless blockchains. The EDPB notably raises the question of whether, in some cases, blockchain nodes might assume the role of data controller.
  • Data minimisation: The functioning of blockchains—based on the sequential and irreversible addition of new data with no deletion possible—raises serious issues under the minimisation principle. These are further exacerbated by the indefinite persistence and widespread replication of recorded data, as well as by the a priori transparency of many blockchain systems, which may allow anyone to access the data.
  • International data transfers: Blockchain technology often leads to data transfers outside the EU, especially when nodes located in third countries participate in the network. In public blockchains, these nodes are neither selected nor governed, creating significant challenges in terms of visibility and, consequently, compliance.

The EDPB repeatedly stresses that the specific or innovative nature of blockchain technology cannot serve as a justification for bypassing data protection obligations. The absence of centralised control or the impossibility of erasure cannot, on their own, exempt actors from complying with the law.

EDPB recommendations for aligning data protection and blockchain

To address the tensions between GDPR principles and the nature of blockchain, the EDPB offers a set of recommendations for organisations considering the use of this technology. These recommendations are structured around the rigorous application of the privacy by design and by default principle (Article 25 GDPR), which must guide all technical and organisational choices related to blockchain adoption.

  • First step: assess the necessity of using blockchain in the first place. The EDPB invites organisations to determine, from the design phase, whether blockchain is truly required in light of the intended purposes. Where the same objectives can be achieved using alternative technologies that provide better data protection guarantees, those alternatives should be preferred.
  • Choose a blockchain model compatible with data protection requirements. Among the different configurations available, the EDPB recommends opting for permissioned blockchains, where reading and writing rights are restricted to a limited number of identified actors. This model, according to the Board, enables clearer governance, better attribution of responsibilities, and more effective mechanisms for upholding data subject rights.
  • Avoid, as far as possible, storing unencrypted personal data on-chain. The EDPB considers that directly storing personal data on a blockchain—without safeguards—almost systematically infringes GDPR principles. It therefore recommends:
      • storing data off-chain wherever possible (with only a non-identifying reference stored on-chain);
      • and at the very least, using techniques such as encryption, hashing, commitments, or zero-knowledge proofs, while being mindful of their limitations.

The EDPB points out that implementing such measures is a necessary precondition for complying with the principles of storage limitation and enabling the exercise of data subjects’ rights—especially rectification, erasure and objection.
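To illustrate the off-chain storage and commitment recommendation above, the following Python sketch is an added example and not part of the EDPB guidelines: the personal record and a random salt stay off-chain, only a salted hash commitment is published on-chain, and erasure is realised by deleting the off-chain entry. The `linkable_by_bare_hash` check shows the limitation the Board alludes to: an unsalted hash of the record can be confirmed by anyone who already holds the underlying data. Store names, record layout and function names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stores (assumption). Personal data and the salt live off-chain and
# can be deleted; the ledger is append-only and keeps commitments forever.
OFF_CHAIN: dict = {}   # record_id -> {"record": ..., "salt": ...}
ON_CHAIN: list = []    # commitments only, never removed


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def bare_hash(record: dict) -> str:
    """Unsalted SHA-256 of the record: the weak kind of on-chain reference."""
    return hashlib.sha256(canonical(record)).hexdigest()

def commit(record: dict, salt: bytes) -> str:
    """Hash commitment H(salt || record); hiding only while the salt stays secret."""
    return hashlib.sha256(salt + canonical(record)).hexdigest()

def register(record_id: str, record: dict) -> str:
    """Keep record and salt off-chain; publish only the commitment on-chain."""
    salt = secrets.token_bytes(32)
    c = commit(record, salt)
    OFF_CHAIN[record_id] = {"record": record, "salt": salt}
    ON_CHAIN.append(c)
    return c

def verify(record_id: str, commitment: str) -> bool:
    """Open the commitment with the off-chain record and salt; False once erased."""
    entry = OFF_CHAIN.get(record_id)
    if entry is None:
        return False
    return hmac.compare_digest(commit(entry["record"], entry["salt"]), commitment)

def erase(record_id: str) -> None:
    """Erasure: drop the record and its salt. The on-chain value remains, but
    without the salt it is an unopenable, random-looking string."""
    OFF_CHAIN.pop(record_id, None)

def linkable_by_bare_hash(record: dict, on_chain_value: str) -> bool:
    """Limitation check: a party already holding the record can confirm a bare
    hash of it; a salted commitment cannot be confirmed without the salt."""
    return bare_hash(record) == on_chain_value
```

Note that the commitment itself persists on-chain after erasure, which is why the salt must be high-entropy and never published: a low-entropy or leaked salt turns the commitment back into a checkable reference.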

  • Minimise data and define purposes from the outset. In accordance with the principle of data minimisation, only strictly necessary data should be processed. This requirement is especially critical in a blockchain context, since once data is recorded, it cannot be modified or erased.
  • Establish a robust governance framework. Choosing blockchain as a processing infrastructure requires putting in place clear technical, organisational and legal rules. These must allow for the designation of data controllers and processors, management of access and incidents, and oversight of system updates. Governance must also anticipate technological developments and ensure that the algorithms securing the blockchain do not become unreliable over time.
  • Ensure the effective exercise of data subject rights. Blockchain projects must incorporate, from the design stage, mechanisms to facilitate the exercise of data subjects’ rights. The EDPB notes that while some technical solutions may help to mitigate the inherent limitations of the technology, they are insufficient if not part of a broader compliance approach.
  • Treat data protection impact assessments as a central compliance tool. In most cases, using blockchain technology entails a high risk for the rights and freedoms of data subjects. As such, conducting a Data Protection Impact Assessment (DPIA) will be necessary in nearly all scenarios.

In an annex to the guidelines, the EDPB provides a concise summary of its key recommendations and best practices for actors wishing to process personal data using blockchain technology.

The draft guidelines are open for public consultation until 9 June 2025. Their content may still evolve, although the core principles set out by the EDPB are unlikely to change substantially.
