On 8 April 2025, the European Data Protection Board (hereinafter “EDPB”) published Guidelines 02/2025 on the processing of personal data through blockchain technologies, which are open for public consultation until 9 June 2025.
The Guidelines acknowledge that the very nature of blockchains entails inherent risks for the rights and freedoms of natural persons, given properties such as the inability to delete or modify data, decentralised governance and storage, and the public accessibility of information. Further, they outline key GDPR compliance parameters, assessing the core principles of blockchain and the implications of its architecture for the protection of personal data. The Guidelines also include an annex with recommendations for organisations intending to implement blockchain-based processing activities.
1. What is Blockchain Technology?
In Greece, Law 4961/2022 was the first national legislative act to attempt to define the complexity of blockchain technology. According to Article 31(1):
“Blockchain: a type of distributed ledger technology that records data in blocks, chronologically linked to form a chain of a consensual, decentralised and mathematically verifiable nature, which is mainly based on the science of cryptography.”
In summary, blockchain is a Distributed Ledger Technology (DLT) where transactions are recorded in data blocks linked in chronological order and distributed across nodes in a peer-to-peer (P2P) network, thus achieving data dissemination. In the absence of any central intermediary, the technology functions through approval and verification methods such as Proof of Work or Proof of Stake.
These transactions are recorded using asymmetric cryptography (digital signatures) and hash functions, thereby creating a tamper-resistant ledger which safeguards data integrity.
2. Key EDPB Observations in the Draft Guidelines
2.1 Design and Architecture
- Data controllers must assess the necessity and proportionality of using blockchain compared to alternative technologies.
- The EDPB recommends the use of permissioned blockchains, given that they allow clear designation of responsibilities and governance.
- Storage of personal data: On-chain storage of personal data should be avoided unless strictly necessary. Alternatives such as off-chain storage, salted/hashed identifiers, or cryptographic commitments are preferred.
- Roles of Controllers and Processors must be clearly defined for each processing activity within or outside the blockchain ecosystem.
2.2 Principles of Data Processing
- Controllers must provide clear and accessible information to data subjects before committing personal data to the chain.
- Where consent is the legal basis, all requirements under Articles 4(11) and 7 GDPR must be met.
- The principles of data minimisation and storage limitation are crucial, as blockchain’s technical structure may conflict with them.
- Controllers must ensure compliance with Article 5 GDPR, considering data dissemination and potential ambiguity in roles.
- Standard contractual clauses (SCCs) should be added to agreements when accepting new nodes, to comply with Articles 44 et seq. GDPR on international data transfers.
- Implementation of data protection by design and by default under Article 25 GDPR, including privacy-enhancing technologies (PETs).
2.3 Data Subject Rights
- Controllers must adopt procedures to comply with data subject requests, especially erasure or objection rights. Given the inability to delete blockchain entries, the on-chain data must be rendered anonymous by erasing the off-chain elements it relates to or by destroying the keys, and the data must also be deleted from any off-chain sources.
- Data rectification is limited. Corrections must be made through subsequent transactions or off-chain modifications, but the original error remains recorded.
2.4 Data Protection Impact Assessment (DPIA)
The EDPB highlights the mandatory conduct of a DPIA where high risks exist, especially if the following apply:
- Use of public blockchains
- International data transfers
- Smart contracts
The DPIA must include at a minimum:
- Justification of blockchain necessity
- Assessment of its architecture
- Role/risk mapping
- Evaluation of technical safeguards
2.5 Technical and Organisational Measures
Technical and organisational measures must be implemented to limit accessibility and ensure compliance with Article 25(2) GDPR. For example, Proof of Existence methods should store only verification data on-chain, keeping original data off-chain.
Use state-of-the-art encryption and keyed hashing with strong salts.
A formal governance framework must be in place to address protocol changes, vulnerability disclosures, and breach handling.
The EDPB stresses that technical limitations stemming from blockchain architecture cannot justify GDPR non-compliance (see EDPB ChatGPT Taskforce Report, 2024). Organisations must either adapt their blockchain architecture or choose alternative technologies.
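The storage pattern the Guidelines describe in sections 2.1, 2.3 and 2.5 (personal data kept off-chain, only a keyed hash with a strong secret salt committed on-chain, erasure handled by deleting the off-chain record and destroying its key) as an added Python example; this is illustrative code, not part of the EDPB Guidelines or of this article. The Ledger, Controller, subject identifiers and e-mail values are constructed stand-ins, and the unsalted variant is included only to show the re-identification risk that keyed hashing removes.

```python
import hashlib
import hmac
import secrets

class Ledger:
    """Append-only list standing in for the immutable chain (constructed stand-in)."""

    def __init__(self):
        self.blocks = []

    def append(self, commitment):
        self.blocks.append(commitment)
        return len(self.blocks) - 1

def keyed_commit(data, key):
    """HMAC-SHA256 over the record; the random 32-byte key acts as a strong secret salt."""
    return hmac.new(key, data, hashlib.sha256).digest()

def unkeyed_commit(data):
    """Plain SHA-256, included only to show why an unsalted hash is not enough."""
    return hashlib.sha256(data).digest()

def dictionary_match(commitment, candidates):
    """Re-identification check: does any guessed value hash (unsalted) to the on-chain digest?"""
    return next((c for c in candidates if hmac.compare_digest(unkeyed_commit(c), commitment)), None)

class Controller:
    """Hypothetical controller: personal data and keys stay off-chain, only commitments go on-chain."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.off_chain = {}  # subject_id -> (key, personal data)

    def record(self, subject_id, personal_data):
        key = secrets.token_bytes(32)
        index = self.ledger.append(keyed_commit(personal_data, key))
        self.off_chain[subject_id] = (key, personal_data)
        return index

    def verify(self, subject_id, index):
        """Proof of existence: recompute the commitment from off-chain data and compare with the chain."""
        if subject_id not in self.off_chain:
            return False
        key, data = self.off_chain[subject_id]
        return hmac.compare_digest(keyed_commit(data, key), self.ledger.blocks[index])

    def erase(self, subject_id):
        """Erasure request: drop the off-chain record and destroy its key; the digest stays but is unlinkable."""
        self.off_chain.pop(subject_id, None)
```

After `erase`, the chain is unchanged in length and content, which is exactly why the Guidelines treat off-chain deletion plus key destruction, rather than on-chain removal, as the route to compliance.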
3. What Are the Next Steps for Organisations Exploring or Already Using Blockchain?
The EDPB provides specific recommendations. Organisations that adopt these early will gain a strategic compliance advantage and reduce their exposure to sanctions.
Importantly, blockchain technology itself does not constitute data processing per se. However, the choice and deployment of such technology affects the corresponding data processing activities and thus influences organisations’ compliance with Article 24 GDPR.
Indicatively, organisations are encouraged to:
- Clearly document the necessity and proportionality of using blockchain;
- Avoid storing personal data on-chain;
- Define their roles under data protection law (controller or processor);
- Implement internal policies and safeguards from design through to operation;
- Ensure data subject rights are respected despite architectural constraints;
- Apply privacy by design and by default;
- Evaluate alternative technologies when blockchain cannot meet GDPR standards;
- Favour permissioned blockchains with clear allocation of responsibilities;
- Document processing activities and conduct a Data Protection Impact Assessment (DPIA).
The draft Guidelines are subject to public consultation and may be amended following the consultation period.
For the «Stergios Konstantinou & Associates – SGKLegal» Law Office
Stergios G. Konstantinou, Lawyer, Advanced LLM (IP & ICT Law), CIPP/E, CIPM, FIP
Eva Pitsi, Trainee Lawyer, LLM