Since its emergence in the landscape of digital innovation, blockchain technology has represented one of the most fascinating and, at the same time, controversial phenomena: distributed, disintermediated, immutable, it has positioned itself as a tool for ensuring transparency and integrity. However, when this technology intersects with the processing of personal data — and, consequently, with the complex system of safeguards established by Regulation (EU) 2016/679 («GDPR») — significant and, in many respects, still unresolved challenges arise.
It is within this context that the recent «Guidelines 02/2025 on the Processing of Personal Data through Blockchain Technologies,» adopted on April 8 by the European Data Protection Board («EDPB») and open for public consultation until June 9, 2025 (the «Guidelines»), have been published. This initiative is particularly significant in a technological landscape where blockchain-based applications are rapidly expanding: from decentralized finance (DeFi) to NFTs, from supply chain management platforms to digital identity solutions.
At the same time, the EDPB has announced the launch of a structured collaboration with the AI Office — the authority responsible for overseeing the implementation of the AI Act — aimed at developing joint guidelines on the interaction between artificial intelligence, the AI Act, and the European framework for personal data protection.
The regulatory framework and structural frictions
The GDPR framework is built upon core principles that are independent of the technology employed but must inevitably interact with it. The lawfulness, fairness, and transparency of processing; the limitation of purposes pursued; the minimization of collected data; the accuracy and updating of information; and the temporal limitation of data retention — all of these principles come into conflict with the very nature of blockchain, which is based on the immutability and persistence of records.
This structural antinomy reaches its peak when it comes to the rights granted to data subjects: if blockchain is founded on the unalterable permanence of information recorded on the chain, how can this characteristic be reconciled with the rights to rectification, erasure, or objection to processing?
The paradox of immutability and the challenge to data subjects’ rights
The conflict becomes particularly critical in public (permissionless) blockchains, where:
- each node stores the entire chain of transactions;
- the «append-only» model is a fundamental element of the architecture;
- transactions, once validated and added to the blocks, become an integral and immutable part of the chain.
In such contexts, the ability for a data subject to obtain the rectification of inaccurate data, the erasure of information that is no longer necessary, or to object to processing based on the controller’s legitimate interests is significantly compromised in practice.
Even in private or permissioned blockchains, characterized by more defined governance structures and restricted node access, the immutability of records demands sophisticated technical and organizational solutions. These should allow, if not the physical removal of data, at least the impossibility of its further use through techniques such as de-referencing, revocation of cryptographic keys, or the segregation of identifying information in off-chain environments.
The issue of automated decision-making: smart contracts under the test of Article 22 GDPR
Another critical aspect, often underestimated in the design of blockchain-based solutions, concerns automated decision-making. Article 22 of the GDPR protects data subjects against decisions based solely on automated processing that produce legal effects or similarly significantly affect them.
Many blockchain implementations incorporate smart contracts — self-executing protocols that trigger specific actions upon the occurrence of predefined conditions. For example, contracts that automatically block access to digital resources or transfer assets without human intervention upon detecting a breach.
In such scenarios, it becomes essential to assess whether the automation qualifies as a «decision» under Article 22 GDPR and, if so, whether the safeguards required by the regulation are met: the data subject’s right to human intervention, the possibility to express their point of view, and the right to contest the decision.
The absence of effective mechanisms allowing for human intervention or review of automated decisions exposes blockchain systems to significant risks of non-compliance, making it essential to rethink the technical architecture to better protect fundamental rights.
Informed choice of blockchain architecture
One of the key points of the EDPB’s Guidelines 02/2025 is the recommendation that the adoption of blockchain technologies should result from a conscious assessment based on an analysis of necessity, proportionality, and suitability with respect to the purposes of the processing.
The principle of data protection by design and by default (Article 25 GDPR) indeed requires that, from the earliest stages of designing a technological solution, all technical and organizational measures be implemented to minimize the exposure of personal data, limit its dissemination, and ensure compliance with the principles of data minimization and purpose limitation.
The choice of architecture: public, private, permissioned
The correct selection of blockchain architecture is one of the most critical decisions for ensuring compliance.
The guidelines emphasize the need to carefully assess the type of blockchain to be used based on:
- the characteristics of the intended processing;
- the nature and sensitivity of the data involved;
- the rights and freedoms of the data subjects potentially affected.
In particular, it is useful to distinguish between:
A) Public (permissionless) blockchains:
These allow anyone to participate as a validating node and to consult the contents of the blockchain. This is the typical model for cryptocurrencies like Bitcoin and Ethereum, NFTs, and many DeFi applications. In such contexts, control over access to data is limited, and transparency often results in the potentially unlimited exposure of information. Consequently, using public blockchains for personal data processing presents significant challenges regarding compliance with the principle of data minimization and the protection of data subject rights.
B) Private or permissioned blockchains:
These implement access control mechanisms for node participation. Access may be restricted to a selected group of entities or subject to compliance with specific governance rules. This type is often used for real estate registries, agri-food supply chain traceability, supply chain systems, and the management of academic or healthcare credentials.
The adoption of permissioned blockchains facilitates the identification of participants’ responsibilities and allows for greater flexibility in implementing security and data protection measures.
It should also be noted that even within permissioned blockchains, the degree of decentralization can vary considerably; governance — that is, the way decisions are made within the network, including the selection of validators, protocol updates, and key management — thus plays a central role in ensuring privacy compliance.
Privacy-enhancing technologies and design alternatives
In addition to choosing the type of blockchain, the Guidelines encourage the adoption of Privacy-Enhancing Technologies (PETs) that allow for the limitation of personal information disclosure without compromising the functionality of the system. Some of the most relevant solutions include:
- Zero-Knowledge Proofs (ZKPs): cryptographic techniques that allow proving the truthfulness of information without revealing its content. For example, they can be used to prove a person’s eligibility to perform a transaction without exposing their identity or other sensitive information.
- Salted hashing or secret key hashing, commitment schemes, and advanced pseudonymization techniques: methods that enable storing only digital fingerprints (hashes) or references to data on the blockchain, while keeping the actual identifying data off-chain and reducing the risk of exposure.
- Decentralized Identifiers (DID) and Verifiable Credentials: emerging approaches in the field of digital identity, which can help reconcile the need for verification with the principles of minimization and control by the data subject.
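As an added illustration (not code from the Guidelines or from this article) of the fingerprint-on-chain, data-off-chain pattern described above: a keyed commitment (HMAC-SHA256 with a per-record secret key) is what goes on the immutable ledger, the personal datum and its key stay off-chain under the controller's control, and erasure is implemented by deleting the off-chain record and key, which leaves the on-chain entry in place but opaque. The `Ledger` and `OffChainStore` classes and the sample e-mail address are constructed for the example; it also shows why an unkeyed hash of a guessable value remains linkable, which is the reason the Guidelines point to salted or secret-key hashing rather than plain hashing.

```python
import hashlib
import hmac
import secrets

class Ledger:
    """Append-only list standing in for an immutable chain (constructed stand-in, not a real DLT)."""
    def __init__(self) -> None:
        self.blocks: list[bytes] = []

    def append(self, commitment: bytes) -> int:
        self.blocks.append(commitment)  # entries are never removed or rewritten
        return len(self.blocks) - 1

def plain_fingerprint(record: bytes) -> bytes:
    """Unkeyed SHA-256: anyone who can guess the input can recompute it and link it to the entry."""
    return hashlib.sha256(record).digest()

def keyed_commitment(key: bytes, record: bytes) -> bytes:
    """HMAC-SHA256 with a per-record secret key that stays off-chain."""
    return hmac.new(key, record, hashlib.sha256).digest()

class OffChainStore:
    """Holds the personal data and the per-record keys under the controller's control."""
    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self._records: dict[int, tuple[bytes, bytes]] = {}

    def register(self, record: bytes) -> int:
        key = secrets.token_bytes(32)
        idx = self.ledger.append(keyed_commitment(key, record))
        self._records[idx] = (key, record)
        return idx

    def verify(self, idx: int) -> bool:
        """True while key and record exist and the recomputed commitment matches the chain."""
        entry = self._records.get(idx)
        if entry is None:
            return False
        key, record = entry
        return hmac.compare_digest(keyed_commitment(key, record), self.ledger.blocks[idx])

    def erase(self, idx: int) -> None:
        """Erasure: drop the off-chain data and key; the on-chain entry stays but is now opaque."""
        self._records.pop(idx, None)

def linkable_by_guess(ledger: Ledger, guess: bytes) -> bool:
    """Can a third party link a guessed value to an on-chain entry by recomputing a plain hash?"""
    return plain_fingerprint(guess) in ledger.blocks

def demo() -> dict[str, bool]:
    email = b"alice@example.com"  # constructed sample personal datum
    naive = Ledger()
    naive.append(plain_fingerprint(email))  # unkeyed hash on-chain: the pattern to avoid
    store = OffChainStore(Ledger())
    idx = store.register(email)
    before = store.verify(idx)
    store.erase(idx)
    return {
        "plain_hash_linkable": linkable_by_guess(naive, email),
        "keyed_commitment_linkable": linkable_by_guess(store.ledger, email),
        "verifiable_before_erasure": before,
        "verifiable_after_erasure": store.verify(idx),
        "on_chain_entry_retained": len(store.ledger.blocks) == 1,
    }
```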
The need to document choices
The EDPB recommends accurately documenting the reasons that led to the selection of a specific architecture or technical solution, within the broader accountability framework required by the GDPR (Article 5, paragraph 2 and Article 24). In particular, it is suggested to specify:
- the reasons why blockchain is considered the most suitable technology for the specific use case;
- the alternatives considered and the reasons why they were rejected;
- the risk mitigation measures in place.
This documentation will be essential both in case of audits by authorities and to ensure transparency towards data subjects.
Updating corporate privacy documentation
In light of the guidance provided by the EDPB in the new Guidelines, organizations that use or intend to implement blockchain solutions are faced with the need for a significant update to their documentation on personal data protection. This revision, far from being a mere formal compliance, represents a strategic imperative to ensure GDPR compliance and mitigate the risks associated with the use of emerging technologies. Corporate privacy documentation is, in fact, the backbone of the accountability required by the Regulation, serving as the tool through which the data controller can demonstrate that adequate technical and organizational measures have been implemented to ensure, and be able to prove, that the processing is carried out in accordance with the law (Article 5, paragraph 2, GDPR).
In the specific context of blockchain, the documentation update should cover several levels, each requiring a distinctive and specialized approach.
The record of processing activities
The Record of Processing Activities (Article 30 GDPR) is the starting point for a systematic review of data flows within the organization. In the case of blockchain implementations, it should be integrated with specific sections that describe in detail:
- the type of blockchain adopted (public/private, permissioned/permissionless), including the reasons behind the choice and its implications in terms of data accessibility;
- the categories of personal data processed on-chain and off-chain, specifying for each category the legal basis for processing, the purposes pursued, and the retention period;
- the nodes in the network and their role in processing, including any transfers to third countries and the related safeguards adopted pursuant to Articles 44-50 GDPR;
- the technical and organizational measures implemented to ensure data security and the effective exercise of data subjects’ rights, with particular attention to solutions adopted to reconcile the immutability of the blockchain with the right to rectification and erasure.
Reviewing the Record is not merely a formal requirement, but an opportunity to rethink the overall architecture of processing activities in light of the specificities of blockchain technology, identifying potential issues in advance and implementing appropriate mitigation measures.
Impact assessment: anticipating and managing risks
The DPIA (Data Protection Impact Assessment) is essential in blockchain contexts, serving as a key tool for the proactive analysis of risks and the identification of the most appropriate measures to mitigate them.
The update of this document should include:
- an in-depth analysis of the necessity and proportionality of using blockchain in relation to the pursued objectives, highlighting the expected benefits in terms of transparency, integrity, and decentralization of transactions, as well as the reasons why alternative solutions would not be equally effective;
- a detailed mapping of the specific risks arising from the blockchain architecture, with particular attention to the issues of immutability, transparency, and decentralization that may impact the rights and freedoms of data subjects;
- a description of the technical and organizational measures adopted to mitigate these risks, including solutions such as salted hashing, zero-knowledge proofs, commitment schemes, or data segregation in off-chain environments;
- an evaluation of the residual risk and, where necessary, documentation of prior consultation with the supervisory authority under Article 36 GDPR.
The DPIA should not be conceived as a static document, but rather as a dynamic process that accompanies the evolution of the blockchain solution, requiring periodic reviews based on changes in the technological, regulatory, or organizational context.
It is worth noting that the guidelines on blockchain are consistent with the general criteria for DPIAs already established by the WP29, but introduce specific elements related to the decentralized nature of DLT (Distributed Ledger Technologies).
| WP29/EDPB criteria for DPIA | Specificities in the blockchain context |
| --- | --- |
| New technologies | Blockchain is, by definition, an innovative technology |
| Difficulties in the exercise of rights | «On-chain» immutability can prevent direct rectification or deletion |
| International transfers | The global distribution of nodes can lead to uncontrollable data flows |
| Large-scale processing | DLTs can involve extensive processing across large populations of users or transactions |
This comparison confirms that, in the context of blockchain, a DPIA is not only recommended but, in most cases, necessary to ensure the proper management of risks related to the protection of personal data.
Information notice to data subjects: transparency and clarity
The information notice to data subjects (Articles 13–14 GDPR) represents the primary tool through which the data controller communicates the essential features of the data processing, enabling individuals to exercise effective control over their personal data.
In the blockchain context, this document should be updated to include:
- a clear and comprehensible description of the specific characteristics of blockchain-based processing, avoiding excessive technical jargon while providing sufficient information to understand the implications of this technology for data protection;
- an indication of the data processed on-chain and off-chain, specifying the relevant purposes, legal bases, and retention periods;
- the practical modalities for exercising rights in a technologically complex environment, explaining how the data subject can request the rectification, erasure, or restriction of processing of their data in a context characterized by the immutability of records;
- the recipients or categories of recipients of the data, with particular attention to the nodes of the network and their geographical locations, as well as any safeguards adopted for transfers to third countries.
Determination of responsibilities
One of the most complex and debated aspects regarding the application of the GDPR to blockchain technologies concerns the allocation of responsibilities among the various participants in the network. Decentralization, a distinctive feature of many DLT architectures, cannot and must not be interpreted as an exemption from the obligations established by the Regulation. On the contrary, the GDPR is based on the principle of accountability, requiring the clear identification of who, among the involved parties, determines the purposes and means of personal data processing.
The Guidelines recall the previous EDPB guidelines on the concepts of controller, joint controller, and processor (WP29, Version 2.0, 2021), emphasizing that the distributed nature of a technology does not relieve the obligation to define legal roles and responsibilities. The technical complexity of a blockchain cannot result in a de facto exemption from responsibility.
The challenge of role identification: controller, joint controller, processor
In the context of a blockchain, the party that determines the purposes and essential means of the processing (for example, the type of data stored on the chain, the access modalities, and the rules governing network participation) must be qualified as the data controller.
However, in many blockchain applications, these decisions are the result of a shared determination among multiple parties (e.g., consortia, groups of validators), making the configuration of joint controllership under Article 26 GDPR a frequent occurrence. Such joint controllership requires the transparent definition, through agreements among the parties, of their respective responsibilities and cooperation modalities, as well as the obligation to adequately inform data subjects about the key elements of such agreements.
Where, instead, a participant acts on behalf of the controller and under binding instructions, the role of data processor (Article 28 GDPR) is established, with the consequent obligation to execute a contract that complies with legal requirements.
Permissioned vs. permissionless: governance as a compliance tool
The definition of governance plays a central role in the correct identification of the roles of the various actors. In permissioned or private blockchains, the existence of a coordinating authority (such as a consortium or a promoting entity) facilitates the distribution of responsibilities and the conclusion of agreements between participants. In this context, it is often possible to:
- clearly define who determines the purposes and means of the processing;
- establish which nodes have access to personal data and under what conditions;
- regulate the procedures for exercising data subjects’ rights and handling requests.
Conversely, in public (permissionless) blockchains, the lack of formal governance and a central organization makes it more difficult to identify who holds effective control over data processing. In such cases, the EDPB suggests considering the establishment of consortia or ad hoc legal entities that can perform coordination and representation functions, also in order to ensure an effective channel for the exercise of data subjects’ rights.
The issue of international data transfers
Another critical aspect, closely linked to the allocation of responsibilities, concerns international data transfers. In many blockchain implementations, nodes may be located in non-EU countries, including those that do not offer a level of data protection deemed adequate by the European Commission pursuant to Article 45 GDPR.
In such scenarios, the adoption of a blockchain potentially involves the transfer of personal data to these countries, with all the resulting consequences:
- the need to implement appropriate safeguards (e.g., standard contractual clauses, binding corporate rules, derogations under Article 49);
- the obligation to conduct a transfer impact assessment (TIA) to evaluate the level of risk associated with the transfers;
- the obligation to adequately inform data subjects about the potential transfers and the safeguards adopted.
Cooperation between the EDPB and the AI Office: towards joint guidelines on the AI Act and GDPR
The decision of the EDPB to collaborate with the AI Office — the authority tasked with overseeing the implementation of the new AI Act — represents a significant step towards interpretative harmonization between the two main pillars of European digital regulation: the framework for artificial intelligence and the framework for personal data protection.
The implications of personal data processing within AI systems — particularly regarding systems classified as high-risk under the AI Act — make coordination between these two regulatory domains crucial. In particular, the risk of misaligned approaches could undermine the effectiveness of the safeguards provided by the GDPR, especially with regard to:
- accountability of AI system providers and users;
- guaranteeing data subjects’ rights, including the right to information, the right to an explanation, and the right to contest automated decisions;
- risk assessment and DPIA, with particular focus on ethical and data protection aspects.
The EDPB and the AI Office have committed to developing joint guidelines that clarify how the GDPR should be applied in relation to AI systems regulated under the AI Act, providing businesses with guidance for designing solutions that are compliant by design, both in terms of data protection and AI security and ethics.
In this context, the cooperation between the EDPB and the AI Office represents a fundamental step to avoid interpretative fragmentation between regulatory fields which, while distinct, share a common objective: the effective protection of individuals’ rights in the digital economy.