
Personal Data on the Chain: EDPB Guidelines for Blockchain Technologies
Implementing blockchain technology in a GDPR compliant manner requires careful assessment, consideration and planning. To assist organisations in navigating the risks and challenges in doing so, the European Data Protection Board (EDPB) has adopted guidelines on processing personal data through blockchain (Guidelines).
The concept of blockchain referred to in the Guidelines addresses a technology that implements a distributed and consistent database without centralised management and the coordinated use of that technology by an open or predefined set of participants according to an agreed upon set of rules. The technology gives rise to several specific challenges from a data protection perspective. For example, because of their decentralised nature (involving multiple stakeholders, in multiple locations), blockchain technologies can trigger international data transfers and give rise to challenges in determining data protection roles and responsibilities, as well as management and governance issues. Data protection by design and default pursuant to Article 25 of the General Data Protection Regulation (GDPR) is particularly important for blockchain given the challenges arising from implementation of the data protection principles under Article 5 GDPR.
Recommendations
Analysing the interplay of the technical characteristics of blockchain technology with data protection principles, the Guidelines set out essential GDPR compliance factors to consider and include 16 recommendations for organisations planning to set up blockchain-based processing. These address: architecture (documentation and off-chain storage); information; minimisation; trust; legal provisions if use of blockchain is mandated by law; software vulnerabilities; governance; consent; data protection by design and default; data retention (duration); security (evaluation, limiting the impact of algorithm failure, governance of evolution and confidentiality); and data subjects’ rights.
Many of the 16 recommendations reflect existing data protection principles, such as processing only the minimum amount of personal data required, providing information to data subjects with regards to their rights, and ensuring appropriate consents for processing are obtained from data subjects. However, in addressing the specific risks presented by blockchain technologies, the recommendations offer a practical framework for organisations to navigate the complexities of GDPR compliance. Stakeholders have an opportunity to comment on the Guidelines throughout the public consultation period until 9 June 2025.
Key Considerations for Organisations
Data Protection Impact Assessments (DPIAs)
Organisations will need to carry out a DPIA to appropriately evaluate the risk presented by the processing of personal data using blockchain and identify mitigation measures. Prior to deploying blockchain technologies, organisations should consider whether blockchain is the appropriate mechanism to achieve a particular aim and whether its implementation would support or hinder GDPR compliance.
The Guidelines specify that the DPIA should include:
- a systematic description of the blockchain processing operations;
- an assessment of the necessity and proportionality of the processing operations that are carried out which depend on the blockchain, including why the use of the blockchain is necessary to achieve the objective of the processing;
- an assessment of the risks to the rights and freedoms of data subjects of the processing, including the risks that are specific to the use of blockchain; and
- a precise identification and assessment of the specific measures required to address the risks stemming from the use of blockchain technology.
Public or Private Blockchains?
The choice between private and public blockchains should be made with careful consideration. Public blockchains pose significant GDPR compliance challenges due to their immutable and decentralised nature. For example, it is difficult for data subjects to exercise the right to be forgotten in circumstances where data cannot be altered or deleted once added to a public blockchain. Organisations are reminded that technical inability is not an excuse for non-compliance with the GDPR. Public blockchains also pose challenges with respect to international data transfers. Such challenges are compounded by blockchain’s decentralised nature which means the accountability of controllers and processors is difficult to establish. Public blockchains should only be used where it is absolutely necessary, and organisations are certain that compliance with the GDPR can be ensured.
Private blockchains are more favourable for private organisations as they offer more control over data management, accountability, and compliance with data subject rights. However, a private blockchain is not automatically GDPR compliant. Organisations must still conduct appropriate risk assessments and ensure that adequate technical and organisational measures are in place.
Regardless of whether the blockchain is public or private, only the minimum amount of personal data should be stored on-chain, with any additional personal data stored off-chain. The storage of personal data in plain text is strongly discouraged given potential conflicts with data protection principles under Article 5 GDPR. While it is technically feasible to modify a blockchain to alter or delete personal data, it is often not possible in practice. Encrypting data before storing it on-chain, or using salted or keyed hashes or cryptographic commitments, is recommended. Organisations should consider that even when implementing state-of-the-art measures, the adequacy of such methods will eventually be challenged where blockchains are retained indefinitely.
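As an added illustration of the minimisation and keyed-hash advice above (example code, not from the Guidelines), the following Python sketch keeps the personal data and a per-record random key off-chain and writes only a keyed commitment (HMAC-SHA256) to the append-only chain; an erasure request deletes the off-chain data and key, after which the on-chain value can no longer be opened, and an observer who knows the plaintext cannot recompute the commitment the way they could a plain hash. The function names and the in-memory stores are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins: the off-chain store holds (data, key) per record;
# the chain is append-only, so nothing written to it is ever altered or deleted.
off_chain: dict[str, tuple[bytes, bytes]] = {}
on_chain: list[tuple[str, bytes]] = []


def commit(data: bytes, key: bytes) -> bytes:
    """Keyed commitment (HMAC-SHA256) of personal data under a per-record key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def plain_hash(data: bytes) -> bytes:
    """Unkeyed, unsalted SHA-256: the discouraged alternative, kept for contrast."""
    return hashlib.sha256(data).digest()


def register(record_id: str, data: bytes) -> bytes:
    """Keep data plus a fresh 32-byte key off-chain; append only the commitment on-chain."""
    key = secrets.token_bytes(32)
    off_chain[record_id] = (data, key)
    c = commit(data, key)
    on_chain.append((record_id, c))
    return c


def verify(record_id: str) -> bool:
    """Open the commitment: recompute from off-chain data and key, compare in constant time."""
    if record_id not in off_chain:
        return False  # erased off-chain: the on-chain value can no longer be opened
    data, key = off_chain[record_id]
    stored = next(c for rid, c in on_chain if rid == record_id)
    return hmac.compare_digest(stored, commit(data, key))


def erase(record_id: str) -> None:
    """Erasure request: drop data and key off-chain; the chain itself is untouched."""
    off_chain.pop(record_id, None)


def observer_can_link(on_chain_value: bytes, known_plaintext: bytes) -> bool:
    """Can someone who already knows the plaintext tie it to an on-chain value by
    recomputing an unkeyed hash? True for a plain hash, False for a keyed commitment."""
    return hmac.compare_digest(on_chain_value, plain_hash(known_plaintext))
```

The commitment nonetheless stays on-chain indefinitely, so its unlinkability over time rests on the key never leaking and the hash function remaining sound, which is the long-retention caveat the Guidelines raise.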
Technical and Organisational Measures
Controllers and processors must ensure that appropriate technical and organisational measures are in place to uphold the principles of data protection. These measures should meet the specific challenges that blockchain technology presents and should include:
- putting in place procedures to deal with software vulnerabilities and incidents as they occur;
- putting in place procedures to limit the impact of a potential algorithm failure;
- documenting the evolution of software and protocol governance; and
- implementing verified and documented measures which limit accessibility of the blockchain and ensure the blockchain’s confidentiality.
Smart Contracts
The Guidelines consider blockchain technology which facilitates smart contracts. The concept of a smart contract, although not unique to blockchain environments, arises frequently in the context of blockchain technology. Article 2(39) of Regulation 2023/2854 (the Data Act) defines a smart contract as “a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering”. When a smart contract is created, it is automatically recorded on the blockchain. As smart contracts can be executed without human intervention, their operation may be an automated decision under Article 22 GDPR.
The Guidelines emphasise that data controllers must ensure that Article 22 safeguards are in place when smart contracts are used with blockchain technology. This includes allowing the data subject to contest a decision, regardless of whether the smart contract has been performed and irrespective of what data is registered on the blockchain. Controllers deploying blockchain that enables smart contracts should have due regard to the requirements under Article 22 GDPR.