Data & Technology Innovation | May 2025 Insight

Blockchain and GDPR: new EDPB guidelines

Data Protection | Blockchain

On April 8, 2025, the European Data Protection Board (EDPB) adopted Guidelines 02/2025 on the processing of personal data through blockchain technologies, which are now open for public consultation until June 9. This document serves as a key reference for clarifying the main points of friction between the immutable, decentralized architecture of blockchain and the principles of the GDPR.

Key topics addressed include:

  • data subject rights and immutability: the EDPB tackles the complex issues surrounding the rights to erasure, rectification, and objection, proposing alternative techniques such as off-chain data segregation, de-referencing, and key revocation;
  • automation and smart contracts: the guidelines highlight Article 22 of the GDPR with regard to automated decision-making via smart contracts, reiterating the necessity of human intervention and the right to contest such decisions;
  • architecture choices and data protection by design: a mindful and proportionate approach is promoted in selecting blockchain technologies (public vs. permissioned), based on the risk to data subject rights;
  • updating privacy documentation: the EDPB recommends revising records of processing activities, Data Protection Impact Assessments (DPIAs), and privacy notices, with a focus on on/off-chain data flows, adopted mitigation measures, and governance frameworks;
  • roles and responsibilities: the document calls for clarification of controller and joint-controller roles even in decentralized contexts, in order to ensure accountability.

Finally, the EDPB announces an upcoming collaboration with the European AI Office aimed at developing joint guidelines on the AI Act and GDPR. The goal is to harmonize safeguards within complex digital systems integrating both blockchain and artificial intelligence.

For an in-depth analysis, read our full article.

AI and Privacy: EDPB’s analysis of risks associated with large language models (LLMs)

Data Protection & Artificial Intelligence

On April 10, 2025, the Support Pool of Experts of the European Data Protection Board (EDPB) published a document entitled “AI Privacy Risks & Mitigations – Large Language Models (LLMs)”, which examines the management of privacy risks related to the use of large-scale AI models capable of understanding, generating, and manipulating natural language—commonly referred to as LLMs.

The report’s first key contribution lies in the systematic classification of the main categories of privacy risk across the entire lifecycle of an LLM. Among the most critical risks identified are:

  • unintentional storage of personal data (data leakage);
  • indirect processing of data through user prompts;
  • challenges in ensuring data subject rights;
  • lack of transparency regarding underlying algorithms.

The EDPB document proposes a structured methodology for privacy risk assessment, primarily grounded in Article 35 of the GDPR concerning Data Protection Impact Assessments (DPIAs). The DPIA is framed as a dynamic tool that must be continuously updated. The EDPB’s methodology includes a privacy risk classification matrix (low/medium/high risk, based on probability and impact), which can be integrated with the AI Risk Assessment under the AI Act.

A particularly complex issue addressed in the report concerns the identification of privacy roles, especially in the context of LLM-as-a-Service (e.g., GPT-4 integrated via API in web applications). The EDPB identifies three main stakeholders: the provider, the deployer, and the end user. While case-by-case assessment remains essential, the report advocates for a structured, shared accountability framework with clear, verifiable, and proportionate obligations according to risk levels.

Lastly, the EDPB outlines a set of mitigation measures: technical (e.g., data filtering and machine unlearning), organisational (e.g., internal policies and audits), and contractual (e.g., formalisation of privacy roles).

This document represents a significant European benchmark, to be considered within a broader international context marked by diverse regulatory approaches, notably from the United States, the United Kingdom, and Canada.

To explore the topic of privacy risks in LLMs further and access the full EDPB report, please read our full article.

NIS 2: second compliance phase launched for essential and important entities

Cybersecurity

The National Cybersecurity Agency (ACN) has officially initiated the second implementation phase of Legislative Decree No. 138/2024 (“NIS Decree”), which transposes Directive (EU) 2022/2555 (“NIS 2”). With the publication of Determination No. 164179 dated 14 April 2025 and its related technical annexes, the ACN has defined the obligations—particularly those set out in Articles 23, 24, 25, and 29 of the NIS Decree.

The first implementation phase, which concluded with the certified notification received in April 2025, led to the establishment of the national list of “essential” and “important” entities for the purposes of applying the regulation. The second phase—initiated by the ACN Determination of 14 April 2025 and in line with the deadlines already indicated in the NIS Decree—operationalises the minimum cybersecurity requirements for risk management and the notification obligations for incidents with a significant impact on service provision by NIS entities.

The technical annexes to the determination were developed following consultations with sectoral authorities and trade associations, within the framework of the working groups envisaged by the NIS Decree. The definition of the security measures took into account contributions that emerged during these discussions.

Regarding security measures, within 18 months (approximately by October 2026) from the receipt of the communication of inclusion in the national NIS list:

  • important entities must implement the security measures set out in Annex 1 of the ACN Determination dated 14 April 2025;
  • essential entities must implement the security measures set out in Annex 2 of the same Determination.

To further facilitate the implementation of baseline security measures by NIS entities, the ACN has provided Excel files to support compliance activities. Each security measure is identified by a code, a description, and one or more associated requirements. To adopt a given measure, all related requirements must be implemented.

By way of example, Annex 1 specifies that, in order to comply with the security measure regarding staff awareness (Code PR.AT.-01) applicable to important entities, a training plan on cybersecurity for personnel must be implemented and documented, including details on its format, documentation methods, and periodic updates.

With respect to incident notification, within 9 months (approximately by January 2026) from the receipt of the communication of inclusion in the national NIS list, NIS entities must notify the following incidents to CSIRT Italia:

  • important entities must notify the significant incidents listed in Annex 3 of the aforementioned Determination;
  • essential entities must notify the significant incidents listed in Annex 4 of the same Determination.

Additional specific obligations are also established for top-level domain name registry operators and domain name registration service providers in relation to the security, stability, and resilience of domain name systems.

It is therefore of paramount importance to establish a compliance plan that meets the deadlines set by the NIS Decree, combining technical, organisational, and legal expertise to ensure a consistent and methodical approach.

The Data & Technology Innovation team at LEXIA is available to support NIS entities throughout the compliance process, offering tailored legal advice, hands-on assistance, and targeted training.

Ubisoft under investigation: when offline mode breaches the GDPR

Data Protection & Gaming

NOYB, the well-known privacy advocacy organization, has filed a complaint against Ubisoft with the Austrian Data Protection Authority for alleged violations of the GDPR. At the heart of the issue is the requirement for users to maintain an active internet connection even during single-player gaming sessions—such as in Far Cry Primal, which includes no online features.

A technical analysis revealed that in just ten minutes of use, the game generated approximately 150 DNS requests to servers operated by Ubisoft, Amazon, Google, and Datadog, without the user’s explicit consent. All traffic is encrypted, making the content and purpose of the data processing opaque.

The complaint is based on Article 6(1) of the GDPR. According to NOYB, the internet connection is not technically necessary to verify the legitimate ownership of the game, and the data collection is allegedly carried out without a valid legal basis—effectively rendering the offline mode unusable.

If the violations are confirmed, Ubisoft could face fines of up to €92 million. The case could set an important precedent for the tech and gaming industries, highlighting the need for genuine transparency, data minimization, and respect for consent—even in digital services that appear to operate “offline.”

For companies, this serves as a strong reminder of the importance of reviewing their data processing practices. Every function, collection, and transfer to third parties must be justified, documented, and clearly communicated to users.

The Data & Technology Innovation team at LEXIA is available to assist businesses in ensuring privacy compliance across digital environments.
