THE LENS
Digital developments in focus

When Decentralisation Meets Regulation: How Blockchain and GDPR Can Coexist

We have prepared a more detailed client briefing on this topic. Read our full client briefing here.

The European Data Protection Board (EDPB) has released its long-awaited draft Guidelines on the processing of personal data through blockchain technologies.

In our 2019 publication, we noted that while blockchain offers innovative alternatives to traditional databases, it also introduces serious data protection challenges. Key tensions arise between blockchain’s features — decentralisation, immutability, transparency — and GDPR principles like purpose limitation, data minimisation, and data subject rights. We argued that, with collaboration between regulators and the blockchain community, privacy-conscious innovation was possible. The EDPB’s new guidelines offer a framework for how blockchain and GDPR obligations can, with careful design, coexist.

Key Themes from the Guidelines

  • Assess Necessity First: Controllers must critically assess whether blockchain is the most appropriate solution for their processing needs. If a centralised database can achieve the purpose with fewer risks to data protection, it should be preferred. Documenting the necessity assessment is crucial for demonstrating accountability.
  • Choose Private, Permissioned Systems Where Possible: Public, permissionless blockchains (like Bitcoin or Ethereum) raise significant GDPR challenges. The EDPB suggests that private, permissioned blockchains — where access and roles are controlled — offer a better path to compliance.
  • Minimise On-Chain Personal Data: Immutability makes deletion and rectification difficult. To mitigate risks, personal data should, where possible, be kept off-chain. Only proofs of existence, such as cryptographic commitments or salted hashes, should be recorded on-chain.
  • Clarify Roles and Responsibilities: Blockchain ecosystems often blur the lines between controller and processor. The EDPB advises that governance structures should be put in place to clearly define participants' roles, responsibilities, and liabilities.
  • Design with Data Minimisation, Storage Limitation, and Security in Mind: Blockchain projects must integrate GDPR principles from the outset, ensuring that only necessary data is processed and that security measures address blockchain-specific risks.
  • Consider Legal Grounds: Each processing activity must have a valid legal basis under Article 6 GDPR. Consent must be specific, informed, freely given, and revocable. Other bases such as legitimate interests may also apply, and restrictions under Article 23 may be relevant in limited cases (e.g., anti-money laundering).
  • Consider Cross-Border Transfers: Public blockchains often involve nodes outside the EEA. Organisations must ensure appropriate safeguards are in place, such as the use of Standard Contractual Clauses.
  • Embed Data Subject Rights: The guidelines underline that GDPR rights — including access, rectification, erasure, and objection to automated decision-making — must be respected even when blockchain's technical features make them challenging to implement.
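The "minimise on-chain personal data" point above is easiest to see in code. The following is an added illustration, not code from the EDPB guidelines or from this post: a small model in which the ledger stores only a salted SHA-256 commitment, while the personal data and its per-record salt live in a deletable off-chain store. The `Ledger` and `OffChainStore` classes, the record identifiers and the sample e-mail addresses are all constructed for the example. Erasure deletes the off-chain record; rectification (following the EDPB's view that correcting an immutable entry may require erasure rather than an additional transaction) erases the old record and appends a fresh commitment; and the last function checks that knowing the plaintext without the salt is not enough to link the on-chain value back to a person.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Append-only stand-in for the chain (constructed for this example).

    It holds (record_id, commitment) pairs and never deletes anything,
    which mirrors the immutability of a real ledger.
    """
    entries: list = field(default_factory=list)

    def latest(self, record_id: str):
        """Most recent commitment recorded for a record id, or None."""
        for rid, c in reversed(self.entries):
            if rid == record_id:
                return c
        return None


@dataclass
class OffChainStore:
    """Deletable store (constructed for this example) holding, per record,
    the personal data and the random salt used in its commitment."""
    records: dict = field(default_factory=dict)


def commit(salt: bytes, data: bytes) -> str:
    """Hex commitment = SHA-256(salt || data).

    The salt must be high-entropy: an unsalted hash of low-entropy data such
    as a name or e-mail address is a pseudonym, not anonymised data."""
    return hashlib.sha256(salt + data).hexdigest()


def register(ledger: Ledger, store: OffChainStore, record_id: str, data: bytes) -> str:
    """Keep data + salt off-chain; put only the commitment on-chain."""
    salt = secrets.token_bytes(32)
    store.records[record_id] = (salt, data)
    c = commit(salt, data)
    ledger.entries.append((record_id, c))
    return c


def verify(ledger: Ledger, store: OffChainStore, record_id: str) -> bool:
    """Proof of existence: the off-chain record must match the on-chain commitment."""
    rec = store.records.get(record_id)
    c = ledger.latest(record_id)
    if rec is None or c is None:
        return False
    salt, data = rec
    return secrets.compare_digest(commit(salt, data), c)


def erase(store: OffChainStore, record_id: str) -> None:
    """Erasure: delete the off-chain data and salt; the ledger is untouched,
    but its commitment can no longer be opened or linked to anyone."""
    store.records.pop(record_id, None)


def rectify(ledger: Ledger, store: OffChainStore, record_id: str, new_data: bytes) -> str:
    """Rectification as erasure plus a new commitment: the old on-chain entry
    cannot be edited, only rendered unlinkable by deleting its salt."""
    erase(store, record_id)
    return register(ledger, store, record_id, new_data)


def linkable_without_salt(ledger: Ledger, record_id: str, guess: bytes) -> bool:
    """Can a party who knows the plaintext but not the salt match the
    on-chain value? With a random 32-byte salt, no."""
    c = ledger.latest(record_id)
    return c is not None and commit(b"", guess) == c


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    register(ledger, store, "u1", b"alice@example.com")  # constructed sample
    print("verify after register:", verify(ledger, store, "u1"))
    print("linkable from plaintext alone:", linkable_without_salt(ledger, "u1", b"alice@example.com"))
    erase(store, "u1")
    print("verify after erasure:", verify(ledger, store, "u1"))
    print("ledger still has", len(ledger.entries), "entry")
```

The design choice to note is that the salt lives only off-chain and is generated per record: once it is deleted, the on-chain digest is a random-looking value with no practical way back to the person, which is the basis for treating it as no longer personal data. Whether a particular hashing or encryption scheme actually achieves anonymisation in the regulator's sense is the open question this post raises below, so the model should be read as the architectural pattern, not as a legal conclusion.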

A Step Forward — But Questions Remain

While the draft Guidelines are a step forward, some areas would benefit from additional clarification. In particular, it would be helpful to see more concrete examples of GDPR-compliant use cases for public blockchains, and more guidance on how techniques like encryption or hashing might, in some cases, achieve effective anonymisation.

Similarly, the EDPB’s acknowledgment that the right to rectification may require erasure (and not simply correction via additional transactions) raises important legal and technical implications that may warrant further discussion.

Conclusion: Privacy by Design Is Non-Negotiable

The EDPB's message is clear: blockchain innovation is not inherently at odds with GDPR compliance — but privacy must be integrated from the start. Organisations considering blockchain solutions must conduct rigorous assessments, adopt privacy-preserving architectures, and design governance frameworks that uphold GDPR standards.

We have prepared a detailed client briefing analysing the EDPB’s draft Guidelines, including key takeaways and considerations for organisations exploring blockchain-based solutions.

Read our full client briefing here.
