European Data Protection Board Issues Blockchain GDPR Guidelines

  • The EDPB has released new guidelines clarifying how blockchain technology must comply with the GDPR
  • Organisations have been urged to avoid storing personal data on-chain and adopt “privacy by design” principles
  • The guidance stresses that technical limitations cannot justify non-compliance with EU data protection rules

The European Data Protection Board (EDPB) has issued fresh guidance on how blockchain technologies must be aligned with the General Data Protection Regulation (GDPR). The guidelines, adopted on 8 April 2025 and now open for public consultation, address rising concerns over the compatibility of decentralized data systems with fundamental data protection principles. The EDPB stresses that the immutability and decentralised nature of blockchain cannot be an excuse to ignore rights such as rectification, erasure, or data minimisation.

Blockchain vs. GDPR: An Ongoing Tension

Blockchain’s promise of tamper-proof, decentralised data has long clashed with the GDPR’s core requirements, especially around the right to be forgotten and the principle of data minimisation. “While blockchain offers integrity and availability, these benefits come with unique privacy risks,” the EDPB states in its report. Notably, it warns that “technical impossibility cannot be invoked to justify non-compliance with GDPR requirements.”

The guidelines caution against storing personal data directly on-chain, even in encrypted or hashed form, due to the challenges of deleting such data later. Instead, organisations are advised to store personal data off-chain and use on-chain references such as cryptographic commitments or hashes that do not enable identification.
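To make the distinction in the paragraph above concrete, here is an added example (not code from the EDPB or from the original article) showing why a plain hash of personal data on-chain is still linkable, and how the recommended off-chain pattern works instead: the personal data and a fresh random nonce live in an ordinary, erasable store, and only an HMAC-SHA256 commitment keyed with that nonce is written to the chain. The `Ledger` and `OffChainStore` classes, the sample email address and the candidate list are all constructed stand-ins for the illustration.

```python
import hashlib
import hmac
import secrets


class Ledger:
    """Constructed stand-in for an append-only chain: entries can be added, never removed."""

    def __init__(self) -> None:
        self.entries: list[bytes] = []

    def append(self, value: bytes) -> int:
        self.entries.append(value)
        return len(self.entries) - 1


class OffChainStore:
    """Constructed stand-in for the controller's conventional (erasable) database."""

    def __init__(self) -> None:
        self._records: dict[int, tuple[str, bytes]] = {}

    def put(self, ref: int, personal_data: str, nonce: bytes) -> None:
        self._records[ref] = (personal_data, nonce)

    def get(self, ref: int):
        return self._records.get(ref)

    def erase(self, ref: int) -> bool:
        return self._records.pop(ref, None) is not None


def naive_reference(personal_data: str) -> bytes:
    """The anti-pattern: a plain SHA-256 of the personal data itself (low-entropy input)."""
    return hashlib.sha256(personal_data.encode("utf-8")).digest()


def commit(personal_data: str) -> tuple[bytes, bytes]:
    """Hiding commitment: HMAC-SHA256 keyed with a fresh 256-bit random nonce.
    Without the nonce the commitment reveals nothing about the data; the nonce
    must stay off-chain with the record it protects."""
    nonce = secrets.token_bytes(32)
    digest = hmac.new(nonce, personal_data.encode("utf-8"), hashlib.sha256).digest()
    return digest, nonce


def open_commitment(commitment: bytes, nonce: bytes, personal_data: str) -> bool:
    """Verify that an on-chain commitment matches the off-chain record and nonce."""
    expected = hmac.new(nonce, personal_data.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(commitment, expected)


def matches_known_value(on_chain_value: bytes, candidates: list[str]) -> bool:
    """DPIA-style risk check: can an on-chain value be tied back to a person by
    anyone who already holds a list of plausible values and recomputes the hash?"""
    return any(naive_reference(c) == on_chain_value for c in candidates)


def demo() -> dict:
    ledger = Ledger()
    store = OffChainStore()
    subject = "alice@example.com"  # constructed sample personal data
    known = ["bob@example.com", "alice@example.com", "carol@example.com"]

    # Anti-pattern: the plain hash goes on-chain and stays linkable forever.
    naive_ref = ledger.append(naive_reference(subject))
    naive_linkable = matches_known_value(ledger.entries[naive_ref], known)

    # Recommended pattern: data and nonce off-chain, only the commitment on-chain.
    commitment, nonce = commit(subject)
    ref = ledger.append(commitment)
    store.put(ref, subject, nonce)
    commitment_linkable = matches_known_value(ledger.entries[ref], known)

    # Verification works while the off-chain record exists ...
    data, n = store.get(ref)
    verified_before = open_commitment(ledger.entries[ref], n, data)

    # ... and erasing the off-chain record (with its nonce) severs the link,
    # while the immutable chain entry stays exactly where it is.
    erased = store.erase(ref)
    record_available_after_erase = store.get(ref) is not None

    return {
        "naive_linkable": naive_linkable,
        "commitment_linkable": commitment_linkable,
        "verified_before": verified_before,
        "erased": erased,
        "record_available_after_erase": record_available_after_erase,
        "chain_length": len(ledger.entries),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the check in `matches_known_value` is the one the guidance makes: hashing a low-entropy identifier such as an email address does not anonymise it, because anyone holding a candidate list can recompute the hash, and the chain never lets you remove it. The keyed commitment cannot be matched that way, and erasing the off-chain record together with its nonce is what makes the remaining on-chain bytes meaningless. Whether that residual commitment still counts as personal data is exactly the question the DPIA the guidelines require has to document; the pattern reduces the risk, it does not remove the obligation.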

Practical Steps and Governance

The EDPB sets out 16 key recommendations, including the need for a Data Protection Impact Assessment (DPIA) before any blockchain deployment that involves personal data. Controllers are urged to justify the use of blockchain as “necessary and proportionate,” and to document their choices regarding architecture, storage, and governance.

Permissioned blockchains—where access is restricted and roles are clearer—are preferred over public, permissionless ones like Bitcoin or Ethereum. This structure allows better allocation of GDPR responsibilities among participants and helps maintain security and trust. “Organisations should only explore public blockchains if there are well-justified reasons,” the report advises.

A Call for Technological Restraint

In cases where the GDPR and blockchain are fundamentally misaligned, the EDPB is clear: don’t use blockchain. The report concludes that “if it is not possible to achieve the necessary level of security appropriate to the risk while using blockchain, controllers should not utilise blockchain solutions.”

With the increasing adoption of blockchain in sectors like finance, logistics, and health tech, the EDPB’s guidelines may serve as a turning point—reminding developers and businesses that technological innovation must still operate within the legal framework of human rights and data protection.

