The interplay between data protection and blockchain is not a novel concern. We have previously explored how the immutable and decentralised nature of most distributed ledger technologies (“DLT”) often runs counter to the core data protection principles enshrined in the General Data Protection Regulation (“GDPR”). In that earlier commentary we already took the view that data protection law must form a “central loop” in any viable DLT deployment, shaping its architecture from the design stage onwards.
On 8 April 2025, the European Data Protection Board (“EDPB”) adopted Guidelines 02/2025 on the processing of personal data through blockchain technologies and released them for public consultation, marking a significant step forward in clarifying how blockchain-based solutions can comply with the GDPR.
As blockchain technologies continue to gain traction across industries, including but not limited to financial services, logistics, healthcare, art and collectibles, the GDPR’s rigorous requirements around data minimisation, erasure and accountability present unique challenges when combined with the immutable nature of blockchain-based DLTs. The EDPB’s guidance provides critical direction to developers, legal teams and data controllers. This article explores some key takeaways from the guidance and how they align with, or challenge, the GDPR principles that have long been highlighted as essential for blockchain’s lawful and responsible evolution.
1. Not an Automatic Exemption
As expected, the EDPB reiterated that the GDPR fully applies to blockchain processing activities. The use of DLT, whether public or private, permissioned or permissionless, does not exempt actors from data protection obligations. On the contrary, the technology’s permanence and decentralisation introduce specific compliance risks.
Likewise, it should not be assumed that decentralisation dilutes accountability. Roles and responsibilities under the GDPR (i.e. controller / processor) must still be clearly established on the basis of factual influence over the processing and of the governance arrangements in place.
2. Data Minimisation
A recurring theme is undoubtedly data minimisation. The EDPB strongly discourages storing personal data directly on-chain unless this is absolutely necessary and justified in a Data Protection Impact Assessment.
The EDPB advises the use of cryptographic commitments, keyed hashes or references in place of data in the clear. Sensitive or otherwise identifiable data should be stored off-chain, with proper access controls. A practical caveat: an unkeyed hash of a low-entropy identifier (an e-mail address, an ID number) can be reversed by guessing, so the hashed value generally remains personal data; a commitment whose secret key is held off-chain does not suffer from this weakness.
3. Data Subject Rights
The immutable nature of blockchain-based DLTs conflicts with, amongst others, the data subjects’ rights to erasure, rectification and restriction of processing, as well as the right to withdraw consent. While technical deletion of on-chain data may not be feasible, the EDPB recommends rendering the data effectively unidentifiable, for instance by erasing its off-chain components or destroying the encryption keys. When data subjects withdraw consent or exercise their other rights under the GDPR, the on-chain data must essentially become non-linkable to them. Alternative architectures will have to be considered if the exercise of rights cannot be properly ensured.
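The pattern described in the data minimisation and data subject rights sections above (a keyed commitment on-chain, the personal data and its key off-chain, and erasure by destroying the key) can be shown in a few lines. The following is an added illustration written for this article; it is not code from the EDPB guidelines or from any DLT project. It assumes HMAC-SHA256 as the keyed commitment, uses in-memory Python objects as stand-ins for the immutable ledger and the access-controlled off-chain store, and uses a constructed e-mail address as sample data. It also shows why a plain SHA-256 of the same value would still be linkable by guessing.

```python
"""Keyed commitment on-chain, personal data off-chain, erasure by key destruction.

Added illustration: the ledger and store are in-memory stand-ins (assumed, not a
real DLT or database) and the sample record is constructed, not real data.
"""
import hashlib
import hmac
import os


class Ledger:
    """Append-only list standing in for an immutable chain: no delete, no update."""

    def __init__(self):
        self._entries = []

    def append(self, commitment):
        self._entries.append(commitment)
        return len(self._entries) - 1

    def get(self, index):
        return self._entries[index]

    def __len__(self):
        return len(self._entries)


class OffChainStore:
    """Access-controlled store holding the personal data and one key per record."""

    def __init__(self):
        self.records = {}
        self.keys = {}


def keyed_commitment(key, data):
    # HMAC-SHA256: without `key` the digest cannot be linked back to `data`.
    return hmac.new(key, data, hashlib.sha256).digest()


def unkeyed_commitment(data):
    # Plain hash: anyone who can guess `data` can confirm the match.
    return hashlib.sha256(data).digest()


def register(ledger, store, record_id, personal_data):
    """Keep data and a fresh 256-bit key off-chain; put only the HMAC on-chain."""
    key = os.urandom(32)
    store.keys[record_id] = key
    store.records[record_id] = personal_data
    return ledger.append(keyed_commitment(key, personal_data))


def verify(ledger, store, record_id, index):
    """True only while both the key and the data are still held off-chain."""
    key = store.keys.get(record_id)
    data = store.records.get(record_id)
    if key is None or data is None:
        return False
    return hmac.compare_digest(ledger.get(index), keyed_commitment(key, data))


def erase(store, record_id):
    """Honour an erasure request: destroy key and data; the chain is left untouched."""
    existed = record_id in store.keys
    store.keys.pop(record_id, None)
    store.records.pop(record_id, None)
    return existed


def recover_by_guessing(target, candidates, key=None):
    """Dictionary attack on a commitment: succeeds against a plain hash of
    low-entropy data, fails against an HMAC unless the attacker holds the key."""
    for candidate in candidates:
        digest = (keyed_commitment(key, candidate) if key is not None
                  else unkeyed_commitment(candidate))
        if hmac.compare_digest(digest, target):
            return candidate
    return None


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    email = b"alice@example.com"  # constructed sample, not real data
    idx = register(ledger, store, "r1", email)
    guesses = [b"bob@example.com", email]
    print("verified before erasure:", verify(ledger, store, "r1", idx))
    print("plain hash reversed by guessing:", recover_by_guessing(unkeyed_commitment(email), guesses))
    print("HMAC reversed without key:", recover_by_guessing(ledger.get(idx), guesses))
    erase(store, "r1")
    print("verified after erasure:", verify(ledger, store, "r1", idx))
    print("chain entries still present:", len(ledger))
```

After `erase`, the commitment remains on the ledger but no party holds the key or the data, so the entry can no longer be verified or linked to the individual. The `recover_by_guessing` call on the plain hash is the check worth running before relying on hashing alone: if a modest candidate list recovers the value, the on-chain hash is still personal data.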
4. Choosing the Right Architecture
The EDPB specifies that controllers must document their rationale for using blockchain and evaluate whether a private or permissioned blockchain would suffice. Public blockchains should only be used where their public nature is necessary for the processing purpose. Generally, governance models in which roles are clearly defined and controller responsibilities are consolidated are advisable.
5. Data Protection Impact Assessments
For blockchain-based processing involving personal data, a DPIA is clearly required. The DPIA should establish why processing on a DLT is necessary and proportionate, the impact of immutability (where applicable) on data subject rights, the effectiveness of the proposed privacy-enhancing technologies, and the implications of international data transfers, especially in the context of public chains.
The EDPB does not attempt to prohibit the use of blockchain-based DLTs; however, it remains adamant that privacy must be a core design principle and not an afterthought, reflecting the GDPR principle of “data protection by design”. On this front, if compliance with data protection law cannot realistically be ensured, controllers should explore alternative technologies.
The public consultation closes on 9 June 2025 and stakeholders can submit their comments through the EDPB’s consultation page.
For support in applying these guidelines or conducting a blockchain-related DPIA, GTG is ready to assist. Kindly contact us at info@gtg.com.mt for further guidance.
Authors: Dr Terence Cassar and Dr J.J. Galea