The Clash Between Blockchain and the EU Data Protection Regulation: EDPB's 2025 Guidelines Offer New Solutions

The European Data Protection Board (EDPB) adopted Guidelines 02/2025 on processing of personal data through blockchain technologies on April 8, 2025, highlighting serious compliance issues between blockchain and GDPR principles. The immutable nature of blockchain fundamentally conflicts with GDPR principles on storage limitation, accuracy and the right to erasure, which according to the guidelines can only be reconciled with appropriate technical and organisational measures. The EDPB unambiguously states that storing personal data directly on-chain is "really bad" practice and particularly problematic for Privacy by Design compliance.

For GDPR-compliant application of blockchain technologies, the guidelines propose specific technical approaches, including off-chain storage, encryption, and use of salted hash functions. The EDPB explicitly favours permissioned blockchains for clearer allocation of responsibilities. The Board emphasises that controllers must demonstrate the necessity and proportionality of using blockchain, especially when personal data is involved, and document alternatives considered. A Data Protection Impact Assessment (DPIA) is mandatory before implementing any blockchain-based processing if the processing is likely to result in high risk to the rights and freedoms of natural persons.

Reconciling GDPR and blockchain is primarily possible at the design stage, as modifying blockchain retroactively is technically extremely difficult. The EDPB guidelines emphasise that technical impossibility cannot be invoked to justify non-compliance with GDPR requirements, and justification for using blockchain may be necessary for Data Protection Authorities. Fulfilling a request for erasure of personal data stored on a blockchain is particularly problematic, as deletion may be technically impracticable due to blockchain's immutable nature. Therefore, the EDPB recommends that controllers ensure at the design phase that any personal data stored on the blockchain can be effectively rendered anonymous if an erasure request or objection is received.

Sources:

1.

Blockchain and data protection (GDPR)

Protecting personal data when using blockchain technology is tricky, may be full of surprises, and cumbersome.

Lukasz Olejnik on Cyber, Privacy and Tech Policy CritiqueLukasz Olejnik

2.

Blockchain vs Data protection | International Network of Privacy Law Professionals

At first sight, blockchain technology and the General Data Protection Regulation (GDPR) seem to be intrinsically incompatible. The convergence of personal data protection and blockchain technology raises therefore complex issues surrounding data privacy and data protection issues.

International Network of Privacy Law Professionals

3.

Guidelines 02/2025: Processing of Personal Data Through Blockchain Technologies