EDPB Guidance: Processing Personal Data via Blockchain under GDPR

by Anika Shah - Technology
0 comments

The European Data Protection Board (EDPB) has issued final guidance on processing personal data through blockchain technologies to resolve the inherent tension between the EU’s General Data Protection Regulation (GDPR) and the immutable nature of distributed ledgers. According to the EDPB, the core challenge lies in reconciling the “right to erasure” (Article 17) with a technology designed to prevent the deletion of data.

The Conflict Between Immutability and the Right to Erasure

Blockchain’s primary value is its permanence. However, the GDPR requires that personal data be deleted when it’s no longer necessary or when a user withdraws consent. The EDPB notes that traditional “deletion” is technically impossible on a public blockchain because blocks are cryptographically linked; altering one block would require altering all subsequent blocks.

To address this, the EDPB suggests that “erasure” doesn’t always require the physical destruction of data. According to the board’s framework, if data is rendered inaccessible or permanently anonymized such that the individual can no longer be identified, it may satisfy the spirit of the law. This includes techniques like hashing or encryption, provided the keys are destroyed, effectively making the data unrecoverable.

Identifying Data Controllers in Decentralized Networks

A major hurdle in blockchain regulation is determining who is responsible for GDPR compliance. In a centralized system, the company owning the server is the “data controller.” In a decentralized network, this is rarely the case.

The EDPB identifies several potential controllers depending on the blockchain’s architecture:

  • Developers: If they define the purpose and means of processing, they may be controllers.
  • Miners/Validators: Those who verify transactions and maintain the ledger.
  • Node Operators: Entities that store a copy of the entire chain.
  • Users: In some specific peer-to-peer interactions, the users themselves may act as controllers.

The board emphasizes that “joint controllership” is common in these environments, meaning multiple parties may share the legal burden of ensuring data protection.

Public vs. Private Blockchains: Compliance Differences

The regulatory burden varies significantly based on the type of ledger used. The EDPB distinguishes between permissionless (public) and permissioned (private) chains.

Will GDPR kill blockchains?
Feature Public Blockchains Private/Permissioned Blockchains
Access Control Open to anyone; no central authority. Restricted to authorized users.
GDPR Risk High; data is replicated globally. Lower; easier to manage access and deletion.
Erasure Method Heavy reliance on hashing/encryption. Can utilize centralized deletion tools.

Strategies for GDPR-Compliant Blockchain Design

To avoid legal friction, the EDPB recommends “Privacy by Design” (Article 25). This means building privacy into the technology from the start rather than attempting to fix it after deployment.

Recommended technical strategies include:

  • Off-chain Storage: Keeping personal data in a traditional database and storing only a “hash” (a unique digital fingerprint) on the blockchain. If the off-chain data is deleted, the on-chain hash becomes a pointer to nothing.
  • Zero-Knowledge Proofs (ZKPs): Allowing a party to prove a statement is true (e.g., “I am over 18”) without revealing the actual underlying data.
  • Transient Data: Designing systems where personal data is only stored temporarily before being purged.

Frequently Asked Questions

Is a hash considered personal data?

Yes. According to the EDPB and previous rulings by the European Court of Justice, hashes are generally considered “pseudonymized data” rather than “anonymized data.” Because the original data can potentially be reconstructed or linked back to an individual, hashes fall under the scope of the GDPR.

Is a hash considered personal data?

Can a blockchain be fully GDPR compliant?

It is difficult but possible. The EDPB suggests that while a purely immutable public chain may struggle with Article 17, a hybrid approach—combining off-chain storage with a blockchain for integrity verification—provides a viable path to compliance.

As EU regulators move toward stricter enforcement of the GDPR, blockchain developers must shift from a “code is law” mentality to a “law is law” framework, prioritizing user rights over absolute data permanence.

Related Posts

Leave a Comment