New EDPB Draft Guidelines: Personal Data on the Blockchain
Earlier this month, the European Data Protection Board (EDPB) issued draft guidelines on the processing of personal data through blockchain technologies. The guidelines aim to clarify how blockchain systems can be reconciled with the requirements of the EU General Data Protection Regulation (GDPR).
Blockchain Meets Privacy
Blockchain and similar technologies are increasingly leveraged across industries for their capacity to ensure integrity, availability, and transparency. However, many of blockchain’s defining features, like immutability, decentralization, and transparency, may directly conflict with core GDPR principles, including storage limitation, data minimization, and the rights to erasure and rectification.
Some examples of such a clash may include:
- A blockchain-based registry system may prevent data subjects from exercising their right to rectification when errors are discovered.
- Public blockchain platforms (such as those used for credential verification) make it virtually impossible to comply with erasure requests, as the information is permanently visible to all network participants.
- In decentralized finance (DeFi) applications, wallet addresses, which are often tied to pseudonymous identities, can still lead to re-identification, especially when paired with transaction metadata.
- The immutable storage of smart contracts containing personal data, such as digital wills or health-related consent records, poses legal risks under the GDPR’s storage limitation principle when the data is no longer relevant or lawful to retain.
While blockchain may enhance data integrity, its use does not exempt organizations from their GDPR obligations.
Given the decentralized nature of blockchain technology, the GDPR may apply to many actors, since the processing, including of personal data, takes place at least in part in the EU. The guidelines may serve as an indication of upcoming regulatory action, calling on companies to ensure GDPR compliance.
What can you do to ensure your use of personal data on the blockchain is GDPR compliant?
The guidelines contain some practical recommendations to assist organizations in navigating GDPR compliance in the blockchain context. Among the key points, it is recommended to:
- Avoid storing personal data on-chain wherever possible, and minimize whatever data must be stored on-chain. The guidelines stress that even hashed or encrypted data on a blockchain may qualify as personal data under the GDPR.
- Use off-chain storage and cryptographic techniques (e.g., commitments, keyed hashes, or zero-knowledge proofs) to reduce the risks associated with on-chain personal data.
- Perform Data Protection Impact Assessments (DPIAs). These are mandatory for high-risk blockchain use cases and should take into consideration governance models, international transfers, and technical safeguards.
- Clarify roles and responsibilities. The decentralized nature of blockchain does not obviate the need for accountability under the GDPR. Entities must determine whether they act as controllers, processors, or joint controllers, especially in permissionless public blockchains, and detail their roles when relevant.
- Ensure that data subject rights can be exercised. According to the guidelines, blockchain design must account for access, rectification, and erasure rights. This may be achieved through architectural mechanisms such as off-chain references or de-identification protocols, as well as additional ledger publications, where relevant.
- Assess security risks. Given the immutable nature of blockchain, the guidelines stress the importance of secure key management, vulnerability management, and clear procedures for managing software evolution.
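As an added illustration (not code from the EDPB guidelines or from the authors), the following Python contrasts the unkeyed hash the first recommendation warns about with the keyed commitment and off-chain storage of the second and fifth recommendations; the key store, record identifier and sample e-mail address are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

EMAIL = "alice@example.com"  # constructed sample identifier

def plain_hash(value: str) -> str:
    """Weak design: unkeyed SHA-256 of a low-entropy identifier, written on-chain."""
    return hashlib.sha256(value.encode()).hexdigest()

def is_linkable_plain(onchain_hash: str, candidate: str) -> bool:
    """Anyone who knows or can guess the identifier confirms the record is about that
    person, which is why an unkeyed hash still counts as personal data."""
    return plain_hash(candidate) == onchain_hash

def make_commitment(value: str, key: bytes) -> str:
    """Hardened design: keyed commitment (HMAC-SHA256) on-chain, key kept off-chain."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def open_commitment(onchain: str, value: str, key: Optional[bytes]) -> bool:
    """Opening requires the off-chain key; with the key erased the value is unlinkable."""
    if key is None:
        return False
    return hmac.compare_digest(make_commitment(value, key), onchain)

class OffChainKeyStore:
    """Hypothetical per-record key store held off-chain by the controller."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
    def new_key(self, record_id: str) -> bytes:
        self._keys[record_id] = secrets.token_bytes(32)
        return self._keys[record_id]
    def get(self, record_id: str) -> Optional[bytes]:
        return self._keys.get(record_id)
    def erase(self, record_id: str) -> None:
        # Erasure request: delete the key; the immutable on-chain value is left untouched.
        self._keys.pop(record_id, None)

def demo() -> Dict[str, bool]:
    store = OffChainKeyStore()
    weak_onchain = plain_hash(EMAIL)
    hardened_onchain = make_commitment(EMAIL, store.new_key("rec-1"))
    before = open_commitment(hardened_onchain, EMAIL, store.get("rec-1"))
    store.erase("rec-1")
    after = open_commitment(hardened_onchain, EMAIL, store.get("rec-1"))
    return {"plain_linkable": is_linkable_plain(weak_onchain, EMAIL),
            "commitment_opens_before_erasure": before,
            "commitment_opens_after_erasure": after}
```

While the key exists, the commitment remains pseudonymous personal data for the key holder; deleting the key is what makes an erasure request workable without altering the chain.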
Technology Is Not a Justification for Non-Compliance
The EDPB underscores that technical impossibility, such as the inability to delete data stored immutably on-chain, cannot be used to justify GDPR non-compliance. The EDPB expects organizations to adapt their architecture or consider alternative technologies if blockchain prevents compliance with data protection requirements.
The draft guidelines are open for feedback and may be updated following the public consultation.
We recommend that organizations leveraging blockchain:
- Proactively review their use cases against the GDPR requirements and assess their compliance.
- Identify their role in relation to privacy laws, particularly the GDPR.
- Document their position and analysis and perform a detailed DPIA where necessary.
- Ensure that data subject rights can be exercised on their systems.
Companies that implement these recommendations early on will be better positioned to handle enforcement actions and mitigate regulatory risk, building trusted, resilient systems.
****
Dr. Avishay Klein is the Head of the Privacy, Artificial Intelligence and Cybersecurity Department.
Adv. Masha Yudashkin is an associate in the Privacy, Artificial Intelligence and Cybersecurity Department.
Our Privacy, Cybersecurity and AI Department offers clients tailored legal advice on a broad range of issues, including data protection, compliance with local and international regulations (such as the GDPR and CPRA), responsible implementation of AI technologies, and legal support in response to cybersecurity incidents. Led by Dr. Avishai Klein, the department provides strategic guidance to help organizations operate with legal certainty in an increasingly complex and rapidly evolving regulatory environment. Our team remains at your service at all times.