EDPB Guidelines on Blockchain and GDPR Compliance: Key Considerations for Data Controllers

The EDPB has issued draft guidelines to clarify how the GDPR applies to blockchain technologies.

The European Data Protection Board (EDPB) has issued draft Guidelines to provide clarity on the application of the GDPR to blockchain-based processing operations. While blockchain technologies offer benefits in transparency, decentralisation, and resilience, their technical characteristics pose considerable challenges to compliance with EU data protection law. The EDPB’s guidance serves as a framework for assessing the lawfulness of personal data processing in blockchain environments and for identifying the responsibilities of data controllers and processors in such contexts. These guidelines are particularly relevant for public and permissioned blockchains where the architecture may result in complex governance structures and difficulties in enforcing data protection rights.

Identifying the data controller remains essential, even in decentralised blockchain systems.

Controllers must begin by correctly identifying their role within the blockchain ecosystem. The EDPB reiterates the importance of applying existing criteria under the GDPR to assess whether an entity qualifies as a controller, joint controller, or processor. As with any other processing operation, this assessment is functional and fact-based. The existence of decentralised decision-making or technical innovation does not eliminate the need to comply with basic obligations under the Regulation. Where multiple actors determine the purposes and means of processing, joint controllership may apply, and controllers should enter into agreements clearly setting out their respective responsibilities under Article 26 GDPR.

A valid legal basis for processing is required regardless of blockchain architecture.

The lawfulness of processing remains a central consideration. Controllers must establish an appropriate legal basis under Article 6 GDPR, such as consent, contract performance, or legitimate interests. Importantly, the technical execution of a smart contract or the immutability of blockchain data cannot serve as a substitute for a valid legal ground. The EDPB warns that relying on legitimate interests requires a balancing test and the implementation of appropriate safeguards to ensure that the interests or rights of data subjects are not overridden. Moreover, when smart contracts trigger automated processing activities, this must be assessed independently of the legal basis for the overall system.

Controllers must ensure purpose limitation and compatibility of further processing.

The principle of purpose limitation, as enshrined in Article 5(1)(b) GDPR, requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The EDPB notes that blockchain’s immutability can result in the replication or reuse of data beyond the originally defined context. Controllers must implement governance mechanisms to prevent unauthorised access or processing and ensure that any further use of the data remains compatible with the original purpose. Where compatibility is not evident, a new legal basis may be required.

International data transfers must be assessed for compliance even within blockchain networks.

International data transfers under Chapter V GDPR represent a particular challenge in blockchain networks, especially where nodes are operated in third countries. Even where data is only broadcast within the blockchain network, if personal data reaches a jurisdiction outside the EEA, this may constitute a transfer. The EDPB reminds controllers that appropriate safeguards, such as standard contractual clauses or binding corporate rules, must be implemented. If onboarding new nodes, contracts should contain adequate data protection guarantees and jurisdiction-specific clauses to ensure continued protection under EU standards.

Controllers must implement data protection by design and by default from the outset.

Controllers must also ensure compliance with the obligation to implement data protection by design and by default under Article 25 GDPR. The EDPB emphasises that the mere use of privacy-enhancing technologies (PETs) is insufficient; their actual effectiveness must be assessed in practice. Systems must be designed so that data minimisation, purpose limitation, and storage limitation principles are respected. In blockchain contexts, this often requires ensuring that directly identifiable personal data is stored off-chain, with only non-identifiable or pseudonymised references placed on-chain where strictly necessary.

Blockchain immutability cannot justify indefinite retention of personal data.

Retention of personal data is another area of concern. The permanence of blockchain records conflicts with the storage limitation principle set out in Article 5(1)(e) GDPR. Data should not be stored indefinitely simply because the blockchain allows it. The EDPB notes that even pseudonymised data may be subject to retention limitations, and controllers must define and justify retention periods in line with their stated purposes. Where erasure is requested or where data is no longer necessary, appropriate off-chain deletion measures or effective anonymisation techniques should be implemented.

Effective technical and organisational security measures are required for blockchain processing.

The requirement to ensure the security of processing, as provided in Article 32 GDPR, must be fulfilled through appropriate technical and organisational measures. These include mechanisms to address threats such as 51% attacks, vulnerabilities in smart contracts, and inadequate key management. The EDPB recommends implementing strong access controls, algorithmic resilience measures, and governance structures for protocol updates. Controllers should carry out regular security assessments, including for off-chain components such as APIs and key storage services, which may introduce new vectors of risk.

A data protection impact assessment will often be necessary for blockchain-based processing.

Given the high risk to data subjects’ rights and freedoms often associated with blockchain-based processing, the EDPB advises that a data protection impact assessment (DPIA) will likely be required under Article 35 GDPR. DPIAs should provide a detailed description of the system, the roles of various actors, the nature of on-chain and off-chain processing, and the technical and legal safeguards in place. Risks stemming from the distributed nature of blockchain must be clearly identified, and mitigation measures must be demonstrably effective. The EDPB also suggests that DPIAs may need to be revisited as blockchain networks evolve or as new nodes are added.

Controllers must facilitate the exercise of all data subject rights despite blockchain constraints.

Controllers are further reminded of their obligation to facilitate the exercise of data subject rights under Chapter III GDPR. This includes the right to information, access, and data portability. Information must be provided to data subjects before their data is submitted to the blockchain and must be concise, accessible, and clear. Access and portability must be made possible even in decentralised settings, and controllers remain accountable for ensuring that appropriate mechanisms exist for enabling these rights.

Erasure and objection rights must be respected by design, with alternatives where deletion is impossible.

The rights to erasure and to object must also be respected, despite the technical constraints associated with blockchain immutability. The EDPB acknowledges that actual deletion of on-chain data may not be feasible. Therefore, personal data should be rendered anonymous from the outset, and any off-chain data that permits re-identification must be deleted upon request. If these solutions cannot be implemented, alternative technologies should be considered, as GDPR compliance must not be sacrificed in favour of blockchain’s inherent properties.

Rectification rights can be fulfilled with corrective transactions or off-chain deletion.

The right to rectification may, in some cases, be fulfilled by appending a correcting transaction to the blockchain, which references and supersedes the erroneous entry. However, the original data will remain visible. If rectification requires deletion, the same methods as those used for erasure must be applied. For systems using smart contracts that result in automated decision-making, controllers must also ensure compliance with Article 22 GDPR. This includes guaranteeing the possibility of human intervention, review mechanisms, and the ability for the data subject to contest decisions, even after the contract has executed.
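The off-chain/on-chain split described under data protection by design, the off-chain deletion used for retention limits and erasure, and the correcting transaction described for rectification all fit one design pattern, sketched below as an added illustration (example code, not part of the EDPB guidelines or of Aphaia's material). It assumes a hypothetical in-memory, hash-chained ledger standing in for the blockchain and a controller-held off-chain store; what goes on-chain is a keyed commitment (HMAC-SHA256 with a per-record 32-byte secret) rather than the data itself, so deleting the off-chain record and its key removes the link to the person while the on-chain entry stays exactly as it was. Whether the residual commitment counts as effectively anonymised is the assessment the EDPB asks controllers to make in practice; the code only shows the mechanics.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    """On-chain entry: holds only a keyed commitment, never the personal data itself."""
    index: int
    commitment: str            # hex HMAC-SHA256 over the canonical off-chain record
    supersedes: Optional[int]  # index of the entry this correcting entry replaces
    prev_hash: str
    entry_hash: str


class Ledger:
    """Append-only, hash-chained list standing in for the blockchain (hypothetical)."""

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, commitment: str, supersedes: Optional[int] = None) -> int:
        prev_hash = self.entries[-1].entry_hash if self.entries else "0" * 64
        index = len(self.entries)
        entry_hash = hashlib.sha256(
            f"{index}|{commitment}|{supersedes}|{prev_hash}".encode()
        ).hexdigest()
        self.entries.append(Entry(index, commitment, supersedes, prev_hash, entry_hash))
        return index

    def latest(self, index: int) -> int:
        """Follow correcting transactions forward to the entry currently in force."""
        current = index
        for entry in self.entries[index + 1:]:
            if entry.supersedes == current:
                current = entry.index
        return current


class OffChainStore:
    """Controller-held store: personal data plus a per-record secret key, both deletable."""

    def __init__(self) -> None:
        self._records: dict = {}

    def put(self, index: int, key: bytes, record: dict) -> None:
        self._records[index] = (key, record)

    def get(self, index: int):
        return self._records.get(index)

    def delete(self, index: int) -> bool:
        return self._records.pop(index, None) is not None


def commitment_for(key: bytes, record: dict) -> str:
    """Keyed commitment: without the key the on-chain value cannot be tied back to a record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def record_personal_data(ledger: Ledger, store: OffChainStore, record: dict) -> int:
    key = secrets.token_bytes(32)
    index = ledger.append(commitment_for(key, record))
    store.put(index, key, record)
    return index


def resolve(ledger: Ledger, store: OffChainStore, index: int) -> Optional[dict]:
    """Data currently in force for `index`, or None once the off-chain link is gone."""
    current = ledger.latest(index)
    held = store.get(current)
    if held is None:
        return None
    key, record = held
    if not hmac.compare_digest(commitment_for(key, record), ledger.entries[current].commitment):
        return None
    return record


def rectify(ledger: Ledger, store: OffChainStore, index: int, corrected: dict) -> int:
    """Append a correcting transaction. The superseded entry stays visible on-chain;
    its off-chain data is removed so the erroneous record is no longer held."""
    old = ledger.latest(index)
    key = secrets.token_bytes(32)
    new_index = ledger.append(commitment_for(key, corrected), supersedes=old)
    store.put(new_index, key, corrected)
    store.delete(old)
    return new_index


def erase(ledger: Ledger, store: OffChainStore, index: int) -> int:
    """Erasure request: delete off-chain data and keys for the entry and all its corrections.
    Returns the number of off-chain records removed; on-chain entries are untouched."""
    chain, current = [index], index
    for entry in ledger.entries[index + 1:]:
        if entry.supersedes == current:
            current = entry.index
            chain.append(current)
    return sum(store.delete(i) for i in chain)


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    # Constructed sample record, not real personal data
    i = record_personal_data(ledger, store, {"name": "Ada Example", "email": "ada@example.invalid"})
    rectify(ledger, store, i, {"name": "Ada Example", "email": "ada.e@example.invalid"})
    print("in force:", resolve(ledger, store, i))
    print("erased:", erase(ledger, store, i), "| after:", resolve(ledger, store, i), len(ledger.entries))
```

Reading the output back against the text: after rectification the ledger still carries the original entry (the "original data will remain visible" point, here as its commitment), resolve follows the correcting transaction to the data now in force, and after erasure the chain is unchanged in length while nothing off-chain can be linked to it any more.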

Discover how Aphaia can help ensure compliance of your data protection and AI strategy. We offer full GDPR and UK GDPR compliance, as well as outsourced DPO services. We specialise in empowering organisations like yours with cutting-edge solutions designed to not only meet but exceed the demands of today’s data landscape. Contact Aphaia today.
