EDPB Releases Draft Blockchain Guidelines for Public Consultation

The European Data Protection Board (EDPB) has recently published its draft Guidelines 02/2025 on the processing of personal data through blockchain technologies, following its April 2025 plenary session. Recognizing the expanding adoption of blockchain technologies, these Guidelines offer a crucial framework for organizations considering its integration into their operations. By assessing various potential blockchain architectures and their implications for processing personal data, the Guidelines aim to ensure compliance with General Data Protection Regulations’ (GDPR) requirements, avoid potential legal risks, and enhance customer trust.

The EDPB considers these Guidelines vital in assisting organizations to align their practices with the GDPR. Currently open for public consultation, the document may undergo revisions before its final adoption.

A key focus of the Guidelines is the necessity of implementing Data Protection by Design and by Default, alongside adequate organizational and technical measures. The document also presents examples of different techniques for data minimization and for the appropriate handling and storage of personal data within blockchain environments.

Within the Guidelines, the EDPB offers an explanation of how blockchains function, evaluating different architectural models and their consequences for personal data processing. A significant emphasis is placed on the importance of integrating technical and organizational safeguards from the earliest stages of processing design.

Key takeaways from the draft guidelines include:

• Blockchain’s complexity creates GDPR challenges: The distributed and mathematically intricate nature of blockchain introduces uncertainties and compliance risks, particularly concerning the rights of data subjects.
• Data Protection by Design is essential: Features inherent to blockchain, such as immutability, can make it challenging to meet GDPR obligations like the right to erasure and storage limitation. This necessitates a strong emphasis on Data Protection by Design measures from the initial stages.
• Roles and architectures must be assessed early: The guidelines underscore the importance of evaluating different blockchain architectures and clearly defining the roles and responsibilities of all involved parties during the design phase to guarantee GDPR compliance.
• Avoid storing personal data on-chain: As a general principle, personal data should not be stored directly on the blockchain if it conflicts with fundamental data protection principles. In situations where on-chain storage is deemed necessary, advanced privacy-preserving techniques and robust safeguards must be implemented.
• DPIAs are critical for blockchain projects: Conducting a thorough Data Protection Impact Assessment (DPIA) is mandatory before utilizing blockchain for personal data processing. This assessment should specifically address blockchain-related risks and consider GDPR principles such as transparency, rectification, and erasure.

In conclusion, the draft Guidelines represent an important step towards providing clear guidance for organizations working or wishing to work with blockchain technologies to ensure they are GDPR compliant. The European Data Protection Board invites all stakeholders to take advantage of the open consultation period until June 9, 2025 to provide their valuable feedback that will contribute to the final version of these important guidelines.

Click here to read the draft Guidelines.  

In light of the new guidelines recently issued by the European Data Protection Board (EDPB), Shura Law Firm reaffirms its full commitment to staying abreast of the latest regulatory and technological developments. We are fully prepared to provide specialized legal consultations to ensure full compliance with personal data protection requirements, especially when utilizing blockchain technologies across various sectors.

As strategic partners to our clients, we bring to the table our advanced expertise in both law and technology, helping you mitigate potential legal risks and build trust with your stakeholders in a secure digital environment aligned with the General Data Protection Regulation (GDPR).

For tailored legal advice and support, please do not hesitate to reach out. Ms. Mahitab Ajlan will be glad to assist you at [email protected]