EDPB guidelines on blockchain and GDPR

03 Jun 2025 data law

Lawyers at Arthur Cox have highlighted the recent publication of guidelines on using blockchain technology in a way that complies with the EU’s GDPR data-privacy rules. 

The European Data Protection Board (EDPB) defines blockchain as a technology that implements a distributed and consistent database without centralised management and its coordinated use by an open or predefined set of participants according to an agreed-upon set of rules.

In a note on the firm’s website, the Arthur Cox lawyers say that the technology gives rise to several specific challenges from a data-protection perspective. 

“For example, because of their decentralised nature (involving multiple stakeholders, in multiple locations), blockchain technologies can trigger international data transfers and give rise to challenges in determining data-protection roles and responsibilities, as well as management and governance issues,” they write. 

Recommendations 

The EDPB guidelines make 16 recommendations for organisations planning to use blockchain-based processing. 

Arthur Cox says that many of these reflect existing data-protection principles, such as processing only the minimum amount of personal data required, providing information to data subjects with regard to their rights, and ensuring appropriate consents for processing are obtained from data subjects.

The firm’s lawyers note, however, that the recommendations also address specific GDPR-linked risks presented by blockchain technologies. 

The EDPB urges organisations to carry out Data Protection Impact Assessments (DPIAs) before deploying blockchain technology and examine whether its use is appropriate to achieve a particular aim. 

Public or private 

The Arthur Cox lawyers say that the choice between private and public blockchains should be made with careful consideration, with public blockchains posing GDPR challenges, due to their immutable and decentralised nature. 

They note that, while private blockchains offer more control over data management, accountability, and compliance with data-subject rights, they are not automatically GDPR-compliant. 

The EDPB guidelines also look at blockchain technology that facilitates smart contracts – where a computer program is used for the automated execution of an agreement or part of an agreement. 

The guidelines emphasise that data controllers must ensure that safeguards under article 22 of the GDPR, which covers automated decisions, are in place when smart contracts are used with blockchain technology. 

A public consultation period on the guidelines is open until 9 June. 

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland
