On 8th April, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data through blockchain technologies. These guidelines aim to help controllers use blockchain technology while complying with the General Data Protection Regulation (GDPR). Stakeholders can comment on these guidelines until 9th June 2025. This article summarises the key points relevant to data controllers using blockchain.
This article is the second part of our article series on this topic. You can read part 1 here.
Data retention periods on blockchain: forever and beyond?
Controllers must establish data retention periods based on the specific purpose of the processing activity, ensuring that data is deleted once the processing activity concludes, in accordance with data processing principles. Although blockchain data is inherently tamper-proof, the immutable nature of blockchain should not dictate the retention periods for personal data. This highlights the importance of differentiating between data on the actual blockchain (which cannot be deleted) and data that is related to the blockchain but stored outside the blockchain itself (data processed by the nodes but held outside the chain, or merely referenced from external databases, distributed or not). The first approach treats "blockchain as a specific digital record" and the second treats "blockchain as an ecosystem or a branch of technologies" (as clarified in part 1).
It is essential to evaluate techniques to mitigate risks associated with data retention, and these retention periods should apply to all types of personal data, including metadata and payload data. Identifiers, such as public signature verification keys, must also comply with the specified retention periods. If the processing activity does not necessitate retention for the entire lifetime of the blockchain, personal data should not be written to the blockchain unless measures are in place to prevent the identification of data subjects.
In cases where the retention period aligns with the blockchain's lifetime, controllers must justify the necessity and proportionality of this decision in relation to the processing purpose. This justification should include a thorough analysis, which must be documented to demonstrate compliance with data protection principles. No further detail is mentioned in the guidelines on what this justification should entail.
How can data subjects exercise their data protection rights on blockchain?
Controllers must provide clear, easily accessible and intelligibly formulated information to data subjects before submitting personal data to blockchain nodes. Rights to erasure, objection, and rectification must be integrated by design, considering the technical challenges of deleting personal data stored on a blockchain.
The right to erasure must be complied with by design. It may be technically impracticable to grant a request for actual deletion when personal data is stored directly on a blockchain, as true deletion of on-chain data is not possible. Therefore, controllers should design their systems to ensure that, if a request for erasure or objection is received, the data can be rendered anonymous, meaning it can no longer be linked to an identifiable individual, either directly or indirectly. This typically involves ensuring that any off-chain data or keys that could enable identification are deleted, so that the on-chain data becomes useless from a personal data perspective.
Data controllers must inform data subjects in clear terms on the rationale of the processing, the existence of their rights, and the modalities to exercise them. Suitable times to provide such information are when a data subject is about to commit data to the blockchain and on the creation of the blockchain itself. The information should also be available for data subjects to find at other times, e.g., on the controller's website.
In some cases, the right to rectification can be met by a subsequent transaction, which announces the cancellation of an earlier transaction, even though the first transaction will still appear in the chain. In other cases, where the right to rectification requires the erasure of the data, the same solutions as those applied following a request for deletion of personal data could be applied to erroneous data.
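The erasure-by-design pattern described above (keep only a blinded commitment on-chain, hold the data and the blinding secret off-chain, and honour erasure by deleting the off-chain record) and the rectification-by-subsequent-transaction pattern, as an added illustration that is not part of the guidelines or the article. The `Ledger`, `commit`, `resolve`, `erase` and `current` names, the HMAC-SHA256 commitment and the in-memory off-chain store are assumptions made for this example, and the chain is a minimal stand-in for a real blockchain.

```python
"""Erasure by design on an append-only ledger: only a hiding commitment goes
on-chain; the personal data and the random secret that blinds it stay off-chain.
Hypothetical example code, not from the EDPB guidelines or the article."""
from __future__ import annotations
import hashlib
import hmac
import secrets


class Ledger:
    """Hash-chained, append-only list: entries can be added but never removed."""

    def __init__(self):
        self.entries = []

    def append(self, commitment: str, supersedes) -> int:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256(f"{prev}|{commitment}|{supersedes}".encode()).hexdigest()
        self.entries.append({"commitment": commitment, "supersedes": supersedes, "hash": digest})
        return len(self.entries) - 1


def commit(ledger: Ledger, off_chain: dict, personal_data: str, supersedes=None) -> int:
    """Blind the data with a fresh 256-bit secret so the on-chain value reveals nothing
    by itself; a rectification is simply a new record that references the old one."""
    secret = secrets.token_bytes(32)
    tag = hmac.new(secret, personal_data.encode(), hashlib.sha256).hexdigest()
    idx = ledger.append(tag, supersedes)
    off_chain[idx] = {"secret": secret, "data": personal_data}
    return idx


def resolve(ledger: Ledger, off_chain: dict, idx: int):
    """Personal data behind entry idx, or None once its off-chain record is gone."""
    rec = off_chain.get(idx)
    if rec is None:
        return None
    tag = hmac.new(rec["secret"], rec["data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, ledger.entries[idx]["commitment"]):
        raise ValueError("off-chain record does not match on-chain commitment")
    return rec["data"]


def erase(off_chain: dict, idx: int) -> None:
    """Honour an erasure request: delete the off-chain secret and payload.
    The chain itself is untouched, but the commitment is now unlinkable."""
    off_chain.pop(idx, None)


def current(ledger: Ledger, off_chain: dict, idx: int):
    """Follow supersedes links forward to the latest value for a record."""
    for later, entry in enumerate(ledger.entries):
        if entry["supersedes"] == idx:
            return current(ledger, off_chain, later)
    return resolve(ledger, off_chain, idx)
```

Note that the chain length and hashes are identical before and after erasure; what changes is only that no party can any longer turn the on-chain commitment back into a person.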
Data subjects' rights cannot be restricted – neither by choice of technical implementation nor by the data subjects' consent. They must be fulfilled in accordance with the GDPR. Technical choices for the implementation of the processing should ensure this.
Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is not automatically mandatory for every blockchain-based processing of personal data. However, the EDPB guidelines make it clear that the use of blockchain technology often introduces specific risks to the rights and freedoms of individuals, such as the immutability of data, the distributed nature of the network, and the potential for international data transfers. These factors frequently mean that blockchain processing is "likely to result in a high risk" to the rights and freedoms of data subjects, which is the threshold for a mandatory DPIA under Article 35 GDPR.
The guidelines also reference the Working Party 29 criteria for determining when a DPIA is required and note that blockchain processing will often meet these criteria due to its inherent characteristics. The guidelines state that the risk assessment and management should consider the processing as a whole, including blockchain-related risks.
Controllers should assess if the blockchain's accountability and governance mechanisms can handle processing risks. This includes access control, traceability, audit, and data breach management. Additionally, controllers should ensure GDPR principles are applied, such as data minimisation, access control, and transparency.
The guidelines further clarify that, particularly in blockchain contexts where the infrastructure is not under the control of the data controller, is permissionless, involves international transfers, or could be used for other high-risk processing activities, the DPIA may need to be an ongoing process. This is to ensure that new risks are identified and managed as the technology or its use evolves. Consultation with the Data Protection Authority (DPA) is not automatically required for every DPIA. However, under Article 36 GDPR, if the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, and those risks cannot be sufficiently addressed, the controller must consult the DPA before proceeding with the processing.
The EDPB guidelines do not introduce a blockchain-specific obligation to consult the DPA, but they do emphasise that if, after conducting the DPIA, high risks remain that cannot be mitigated, the controller is required to consult the DPA. This is consistent with the general GDPR requirements.
International Transfers
The EDPB guidelines explicitly address the issue of international transfers in the context of blockchain. Due to the distributed nature of blockchain networks, it is common for nodes to be located outside the European Economic Area (EEA). This means that personal data processed on a blockchain may be transferred internationally, often to jurisdictions that may not provide an equivalent level of data protection as the EU.
Controllers are reminded that any transfer of personal data outside the EEA must comply with Chapter V of the GDPR. This includes ensuring that appropriate safeguards are in place, such as the use of standard contractual clauses or other transfer mechanisms recognised under the GDPR. The guidelines note that, particularly in public blockchains, nodes are not necessarily chosen or vetted, which can raise compliance concerns regarding international transfers. Controllers are advised to address these obligations from the design phase of blockchain activities and to consider incorporating standard contractual clauses into any contracts with nodes, where applicable.
Location of Data Storage
The guidelines highlight that blockchain technology inherently involves the replication of data across multiple nodes, which may be geographically dispersed. This distributed storage model means that the physical location of data is often outside the direct control of the data controller. As a result, data may be stored in multiple jurisdictions, including outside the EEA, further emphasising the importance of compliance with international transfer requirements.
Controllers are encouraged to carefully assess the architecture of the blockchain they intend to use, including the location of nodes and the potential for data to be stored or accessed in third countries. The guidelines recommend that, where possible, permissioned blockchains should be used, as these allow for greater control over the location and management of nodes, and thus over the location of data storage.
Cloud Computing and Blockchain
The guidelines acknowledge that many blockchain solutions involve the use of cloud computing, especially when nodes or supporting infrastructure are hosted by third-party cloud service providers. This is particularly relevant for organisations that do not operate their own physical infrastructure but instead rely on cloud-based nodes or services.
Controllers are reminded that the use of cloud computing does not exempt them from GDPR obligations. When cloud services are used in conjunction with blockchain, the controller must ensure that the cloud provider offers sufficient guarantees regarding the implementation of appropriate technical and organisational measures to meet GDPR requirements. This includes ensuring that any international transfers of personal data via the cloud are compliant with Chapter V of the GDPR.
Key Takeaways for Clients
- Conduct a DPIA before processing personal data through blockchain technologies, where the processing is likely to result in a high risk to the rights and freedoms of individuals.
- Facilitate data subject rights and integrate them into the design of blockchain systems.
- Ensure all transfers outside the EEA comply with Chapter V of the GDPR, using appropriate safeguards such as standard contractual clauses.
- When using cloud-based nodes or infrastructure, ensure that cloud service providers offer sufficient guarantees regarding technical and organisational measures to meet GDPR requirements, including compliance with international transfer rules.
The article was co-authored by Helena Siebenrock.