
Brussels, 14 April - During its April 2025 plenary, the European Data Protection Board (EDPB) adopted guidelines on processing of personal data through blockchain technologies. A blockchain is a distributed digital ledger system that can confirm transactions and establish who owned a digital asset (such as cryptocurrency) at a given time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.
As the use of blockchain technologies is expanding, the Board considers it important to help organisations using these technologies to comply with the GDPR.
In its guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data.
The guidelines highlight the importance of implementing technical and organisational measures at the earliest stages of the design of the processing. The EDPB also clarifies that the roles and responsibilities of the different actors in blockchain-related processing of personal data should be assessed during the design of the processing.
In addition, organisations should carry out a Data Protection Impact Assessment (DPIA) before processing personal data through blockchain technologies, where the processing is likely to result in a high risk to the rights and freedoms of individuals.
According to the Board, organisations should also ensure the highest protection of individuals’ personal data during the processing so that they are not made accessible to an indefinite number of persons by default.
The guidelines provide examples of different techniques for data minimisation, as well as for handling and storing personal data. As a general rule, storing personal data in a blockchain should be avoided if this conflicts with data protection principles.
Finally, the Board highlights the importance of the rights of individuals, especially regarding transparency, rectification and erasure of personal data.
The guidelines will be subject to public consultation until 9 June 2025, providing stakeholders with the opportunity to comment.
During its latest plenary, the EDPB also decided to closely cooperate with the AI Office in relation to the drafting of the guidelines on the interplay between the AI Act and EU data protection legislation.