On April 14, 2025, the European Data Protection Board (EDPB) published guidelines detailing how to process personal data using blockchain technologies in accordance with the General Data Protection Regulation (GDPR) (Guidelines 02/2025 on processing of personal data through blockchain technologies). These guidelines highlight certain privacy challenges and provide practical recommendations.
Challenges under the GDPR
The immutability of blockchain conflicts with the rights to rectification and erasure (Articles 16 and 17 GDPR). Its decentralized nature makes it difficult to respect GDPR principles such as data minimization, storage limitation (Article 5) and data protection by design (Article 25). International data transfers are also complicated, which has prompted the EDPB to recommend the use of standard contractual clauses for node participation to ensure compliance with Chapter V.
Key recommendations for organizations
To minimize risks and ensure GDPR-compliant data processing when using blockchain, the EDPB sets out certain rules that organizations must follow.
Roles and responsibilities
Roles must be clearly defined according to the nature of the service, its governance and the relationships involved. The EDPB makes special mention of nodes in public permissionless blockchains. Nodes in public blockchains can be considered data controllers. A legal entity (for example, a consortium) is encouraged when the nodes jointly determine the purposes of the processing.
Technical and organizational measures
Organizations must assess:
- Whether personal data will be stored
- If so, why the blockchain is necessary
- The type of blockchain to use (public only if necessary)
- Adequate technical safeguards to implement
Public blockchains must be avoided unless they are essential. Personal data should only be identifiable if necessary and justified via a data protection impact assessment (DPIA). The techniques that the EDPB suggests for limiting the identifiability of personal data include:
- Encryption – Protects the data, but the data remains personal data under the GDPR.
- Hashing – Offers security, but risks remain if the keys are compromised.
- Cryptographic commitments – Obscure data securely when the original inputs are deleted.
GDPR principles and data subject rights
- Erasure and objection – Because of the permanence of the blockchain, erasure may require deleting parts of the chain or anonymizing data. Off-chain storage of personal data is preferred.
- Data storage – If the data is not necessary for the lifetime of the blockchain, it should not be stored on-chain unless anonymized.
- Security – Suggested safeguards include emergency protocols, breach notifications and protections against 51% attacks and rogue participants.
- Rectification – If rectification requires deletion, standard erasure methods apply. Otherwise, new transactions must correct the previous data without modifying the old entries.
- Automated decisions – Controllers must meet the requirements of Article 22 GDPR even where a smart contract has been executed.
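The following sketch is an added example, not taken from the EDPB guidelines or from this article. It combines the hashing and commitment techniques listed under technical measures with the off-chain storage preference noted under erasure: only a keyed digest goes on the append-only ledger, and erasure deletes the off-chain data together with its key. The use of HMAC-SHA256 as the commitment and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class OffChainStore:
    """Constructed stand-in for the controller's erasable off-chain database."""
    def __init__(self):
        self._rows = {}  # record_id -> (personal data, per-record key)

    def put(self, record_id, data, key):
        self._rows[record_id] = (data, key)

    def get(self, record_id):
        return self._rows.get(record_id)

    def erase(self, record_id):
        # Erasure request: drop the data AND the key; the ledger is untouched.
        return self._rows.pop(record_id, None) is not None

def commit(data: bytes, key: bytes) -> str:
    # Assumption: HMAC-SHA256 under a random 256-bit per-record key.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def register(chain, store, data: bytes):
    record_id = secrets.token_hex(16)   # random id, not derived from the person
    key = secrets.token_bytes(32)
    store.put(record_id, data, key)
    chain.append({"id": record_id, "commitment": commit(data, key)})
    return record_id

def verify(chain, store, record_id) -> bool:
    row = store.get(record_id)
    entry = next((e for e in chain if e["id"] == record_id), None)
    if row is None or entry is None:
        return False                    # erased or never registered
    data, key = row
    return hmac.compare_digest(entry["commitment"], commit(data, key))

def matches_unkeyed_guess(commitment: str, guesses) -> bool:
    # What a ledger reader without the key can do: hash guesses and compare.
    return any(hashlib.sha256(g).hexdigest() == commitment for g in guesses)

if __name__ == "__main__":
    chain, store = [], OffChainStore()
    rid = register(chain, store, b"alice@example.com")  # constructed sample value
    print("verifies before erasure:", verify(chain, store, rid))
    store.erase(rid)
    print("verifies after erasure: ", verify(chain, store, rid))
    print("ledger entries kept:    ", len(chain))
```

The `matches_unkeyed_guess` helper shows the risk of an unkeyed hash over low-entropy personal data: anyone reading the ledger can confirm a guess, whereas the keyed digest cannot be checked once the key is deleted.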
Next steps
The public consultation is open until June 9, 2025. The final version should remain largely in line with the draft, offering essential guidance for GDPR-compliant use of blockchain.

This article was co-written by Damian Perez-Taboada