
EDPB issues blockchain data guidelines, cooperates with AI Office on AI Act.

Brussels, 14 April – During its April 2025 plenary, the European Data Protection Board (EDPB) adopted guidelines on the processing of personal data through blockchain technologies. A blockchain is defined as a distributed digital ledger system capable of confirming transactions and establishing ownership of digital assets, such as cryptocurrency, at a specific time. These technologies also facilitate the secure handling and transfer of data, ensuring integrity and traceability.

Given the expanding use of blockchain technologies, the EDPB emphasizes the importance of assisting organizations in complying with GDPR requirements. The guidelines detail the functionality of blockchains, evaluating various architectural designs and their implications for personal data processing.

Key aspects highlighted in the guidelines include the necessity of implementing technical and organizational measures from the initial design stages of data processing. The EDPB further clarifies that the roles and responsibilities of various actors involved in blockchain-related personal data processing must be assessed during the design phase. Additionally, organizations are advised to conduct a Data Protection Impact Assessment (DPIA) before processing personal data via blockchain technologies, especially when there's a high risk to individuals' rights and freedoms.

The Board also stresses that organizations must ensure the highest level of protection for individuals' personal data during processing, preventing it from being made accessible by default to an indefinite number of persons. The guidelines offer examples of techniques for data minimization, handling, and storage. A general rule advises against storing personal data directly on a blockchain if it contradicts data protection principles.

Finally, the EDPB underscores the significance of individual rights, particularly concerning transparency, rectification, and erasure of personal data. These guidelines will be open for public consultation until June 9, 2025, allowing stakeholders to provide feedback.

In a separate development during its latest plenary, the EDPB resolved to collaborate closely with the AI Office. This cooperation will focus on drafting guidelines concerning the interplay between the AI Act and existing EU data protection legislation.
