{"id":1600,"date":"2025-05-15T11:52:02","date_gmt":"2025-05-15T08:52:02","guid":{"rendered":"https:\/\/sgklegal.gr\/?p=1600"},"modified":"2025-05-15T15:31:39","modified_gmt":"2025-05-15T12:31:39","slug":"blockchain-and-personal-data-edpb-guidelines","status":"publish","type":"post","link":"https:\/\/sgklegal.gr\/en\/blockchain-and-personal-data-edpb-guidelines\/","title":{"rendered":"Blockchain &#038; Personal Data: EDPB Guidelines under Public Consultation"},"content":{"rendered":"<p>On 8 April 2025, the European Data Protection Board (hereinafter \u201cEDPB\u201d) published Guidelines 02\/2025 on the processing of personal data through blockchain technologies, which have been submitted for public consultation until 9 June 2025.<\/p>\n<p>The Guidelines acknowledge that the very nature of blockchains entails inherent risks for the rights and freedoms of natural persons, considering properties such as the inability to delete or modify data, as well as its decentralized governance and storage system, and the public accessibility of information. Further, they outline key GDPR compliance parameters, assessing the core principles of blockchain and the implications of its architecture on the protection of personal data. The Guidelines also include an annex with recommendations for organisations intending to implement blockchain-based processing activities.<\/p>\n<h1>1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 What is Blockchain Technology?<\/h1>\n<p>In Greece, Law 4961\/2022 was the first national legislative act to attempt to define the complexity of blockchain technology. 
According to Article 31(1):<\/p>\n<p>\u201c<em>Blockchain: a type of distributed ledger technology that records data in blocks, chronologically linked to form a chain of a consensual, decentralised and mathematically verifiable nature, which is mainly based on the science of cryptography<\/em>.\u201d<\/p>\n<p>In summary, blockchain is a <strong>Distributed Ledger Technology (DLT)<\/strong> where transactions are recorded in data blocks linked in chronological order and distributed across nodes in a peer-to-peer (P2P) network, thus achieving data dissemination. In the absence of any central intermediary, the technology functions through approval and verification methods such as <strong>Proof of Work<\/strong> or <strong>Proof of Stake<\/strong>.<\/p>\n<p>These transactions are recorded using <strong>asymmetric encryption methods<\/strong> and <strong>hash functions<\/strong>, thereby creating a tamper-resistant ledger which safeguards data integrity.<\/p>\n<h1>2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Key EDPB Observations in the Draft Guidelines<\/h1>\n<h2>2.1\u00a0\u00a0 Design and Architecture<\/h2>\n<ul>\n<li>Data controllers must assess the <strong>necessity and proportionality<\/strong> of using blockchain compared to alternative technologies.<\/li>\n<li>The EDPB recommends the use of <strong>permissioned blockchains<\/strong>, given that they allow clear designation of responsibilities and governance.<\/li>\n<li><strong>Storage of personal data<\/strong>: On-chain storage of personal data should be avoided unless strictly necessary. 
Alternatives such as <strong>off-chain storage<\/strong>, <strong>salted\/hashed identifiers<\/strong>, or <strong>cryptographic commitments<\/strong> are preferred.<\/li>\n<li>Roles of <strong>Controllers and Processors<\/strong> must be clearly defined for each processing activity within or outside the blockchain ecosystem.<\/li>\n<\/ul>\n<h2>2.2\u00a0\u00a0 Principles of Data Processing<\/h2>\n<ul>\n<li>Controllers must provide <strong>clear and accessible information<\/strong> to data subjects before committing personal data to the chain.<\/li>\n<li>Where <strong>consent<\/strong> is the legal basis, all requirements under Articles 4(11) and 7 GDPR must be met.<\/li>\n<li>The principles of <strong>data minimisation<\/strong> and <strong>storage limitation<\/strong> are crucial, as blockchain\u2019s technical structure may conflict with them.<\/li>\n<li>Controllers must ensure compliance with <strong>Article 5 GDPR<\/strong>, considering data dissemination and potential ambiguity in roles.<\/li>\n<li><strong>Standard contractual clauses (SCCs)<\/strong> should be added to agreements when accepting new nodes, to comply with Articles 44 et seq. GDPR on international data transfers.<\/li>\n<li>Implementation of <strong>data protection by design and by default<\/strong> under Article 25 GDPR, including <strong>privacy-enhancing technologies (PETs)<\/strong>.<\/li>\n<\/ul>\n<h2>2.3\u00a0\u00a0 Data Subject Rights<\/h2>\n<ul>\n<li>Controllers must adopt procedures to comply with <strong>data subject requests<\/strong>, especially <strong>erasure<\/strong> or <strong>objection<\/strong> rights. Given the inability to delete blockchain entries, data must be anonymised by erasing off-chain elements or destroying keys and also deleted from any off-chain sources.<\/li>\n<li><strong>Data rectification<\/strong> is limited. 
Corrections must be made through subsequent transactions or off-chain modifications, but the original error remains recorded.<\/li>\n<\/ul>\n<h2>2.4\u00a0\u00a0 Data Protection Impact Assessment (DPIA)<\/h2>\n<p>The EDPB highlights the <strong>mandatory conduct of a DPIA<\/strong> where high risks exist, especially if the following apply:<\/p>\n<ul>\n<li>Use of <strong>public blockchains<\/strong><\/li>\n<li><strong>International data transfers<\/strong><\/li>\n<li><strong>Smart contracts<\/strong><\/li>\n<\/ul>\n<p>The DPIA must include at a minimum:<\/p>\n<ul>\n<li>Justification of blockchain necessity<\/li>\n<li>Assessment of its architecture<\/li>\n<li>Role\/risk mapping<\/li>\n<li>Evaluation of technical safeguards<\/li>\n<\/ul>\n<h2>2.5\u00a0\u00a0 Technical and Organisational Measures<\/h2>\n<p>Technical and organisational measures must be implemented to <strong>limit accessibility<\/strong> and ensure compliance with Article 25(2) GDPR. For example, <strong>Proof of Existence<\/strong> methods should store only verification data on-chain, keeping original data off-chain.<\/p>\n<p>Use <strong>state-of-the-art encryption<\/strong> and <strong>keyed hashing with strong salts<\/strong>.<\/p>\n<p>A formal governance framework must be in place to address <strong>protocol changes<\/strong>, <strong>vulnerability disclosures<\/strong>, and <strong>breach handling<\/strong>.<\/p>\n<p>The EDPB stresses that <strong>technical limitations stemming from blockchain architecture cannot justify GDPR non-compliance<\/strong> (see EDPB ChatGPT Taskforce Report, 2024). Organisations must either adapt their blockchain architecture or choose alternative technologies.<\/p>\n<h1>3.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 What Are the Next Steps for Organisations Exploring or Already Using Blockchain?<\/h1>\n<p>The EDPB provides specific <strong>recommendations<\/strong>. 
Organisations that adopt these early will gain a <strong>strategic compliance advantage<\/strong> and reduce their exposure to <strong>sanctions<\/strong>.<\/p>\n<p>Importantly, <strong>blockchain technology itself does not constitute data processing per se<\/strong>. However, the <strong>choice and deployment<\/strong> of such technology impacts the corresponding data processing activities and thus influences organisations\u2019 compliance with <strong>Article 24 GDPR<\/strong>.<\/p>\n<p>Indicatively, organisations are encouraged to:<\/p>\n<ul>\n<li>Clearly <strong>document the necessity and proportionality<\/strong> of using blockchain;<\/li>\n<li><strong>Avoid storing personal data on-chain<\/strong>;<\/li>\n<li><strong>Define their roles<\/strong> under data protection law (controller or processor);<\/li>\n<li><strong>Implement internal policies and safeguards<\/strong> by design and throughout operation;<\/li>\n<li>Ensure <strong>data subject rights<\/strong> are respected despite architectural constraints;<\/li>\n<li>Apply <strong>privacy by design and by default<\/strong>;<\/li>\n<li><strong>Evaluate alternative technologies<\/strong> when blockchain cannot meet GDPR standards;<\/li>\n<li><strong>Favour permissioned blockchains<\/strong> with clear allocation of responsibilities;<\/li>\n<li><strong>Document processing activities<\/strong> and conduct a <strong>Data Protection Impact Assessment (DPIA)<\/strong>.<\/li>\n<\/ul>\n<p>The draft Guidelines are subject to public consultation and <strong>may be amended following the consultation period<\/strong>.<\/p>\n<p>For the \u00ab<strong>Stergios Konstantinou &amp; Associates \u2013 SGKLegal<\/strong>\u00bb Law Office<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"277\"><p><strong>Stergios G. 
Konstantinou<\/strong><\/p>\n<p>Lawyer, Advanced LLM (IP &amp; ICT Law)<\/p>\n<p>CIPP\/E, CIPM, FIP<\/p><\/td>\n<td width=\"277\"><p><strong>Eva Pitsi<\/strong><\/p>\n<p>Trainee Lawyer, LLM<\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>On 8 April 2025, the European Data Protection Board (hereinafter \u201cEDPB\u201d) published Guidelines 02\/2025 on the processing of personal data through blockchain technologies, which have been submitted for public consultation until 9 June 2025. The Guidelines acknowledge that the very nature of blockchains entails inherent risks for the rights and freedoms of natural persons, considering [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":1608,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[267,268,269,122,117],"class_list":["post-1600","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en","tag-blockchain-personal-data","tag-blockchain-greece","tag-dpia-en","tag-edpb","tag-espd"],"_links":{"self":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/comments?post=1600"}],"version-history":[{"count":1,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1600\/revisions"}],"predecessor-version":[{"id":1601,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/posts\/1600\/revisions\/1601"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media\/1608"}],"wp:attachment":[{"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/media?paren
t=1600"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/categories?post=1600"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sgklegal.gr\/en\/wp-json\/wp\/v2\/tags?post=1600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}