Blockchain and GDPR: challenges and issues in 2025

On 8 April 2025, the European Data Protection Board (EDPB) published crucial guidelines on the use of blockchain in relation to the General Data Protection Regulation (GDPR). This text, regularly updated and open for consultation until 9 June 2025, highlights the importance of regulating emerging technologies while respecting the fundamental rights of individuals.

Indeed, the characteristics inherent to blockchain, such as its immutability and decentralisation, pose major challenges for GDPR compliance, particularly with regard to data retention and the right to erasure. Thus, the issue of data protection within this technical infrastructure also raises questions of digital sovereignty in Europe. The EDPB's ambition is to establish an ethical and practical framework allowing innovation without giving up citizens' rights.

In this article, we will explore the challenges that blockchain poses to data protection regulation, the EDPB's recommendations for ensuring GDPR compliance, and the interaction between digital sovereignty and technological advances.

What challenges does blockchain pose to the GDPR?

Blockchain is often celebrated for its technical features, such as decentralisation and immutability. Yet these very traits raise significant challenges for compliance with the General Data Protection Regulation (GDPR). The EDPB guidelines identify several major points of friction between blockchain and GDPR requirements.

First of all, storage limitation constitutes a central challenge. Under Article 5(1)(e) of the GDPR, personal data must be kept for a period no longer than is necessary for the purposes for which they are processed. However, once data is recorded on a blockchain, its immutable nature makes erasing an individual record difficult, if not impossible. This directly conflicts with the storage limitation requirement.

  • Rights to erasure and rectification: The immutability of transactions makes the exercise of the rights to erasure (right to be forgotten) and rectification particularly difficult. Inaccurate personal data recorded on the blockchain cannot be modified without compromising the integrity of the ledger.
  • Identification of the data controller: The decentralised nature of blockchain complicates the identification of a data controller. On so-called permissionless blockchains, can one define who makes the decisions concerning data processing? This raises significant questions.
  • Data minimisation and confidentiality: The very nature of blockchain, which operates with a high degree of transparency, can give rise to tensions with the principle of data minimisation, as prescribed by Article 5(1)(c) of the GDPR. Consequently, it is crucial to strictly control the information placed on-chain.
  • International data transfers: A blockchain network has, by definition, no borders. This characteristic poses serious compliance problems with the requirements for transferring data outside the EU established in Chapter V of the GDPR, especially in the case of public blockchains.

The EDPB stresses that the absence of an obvious controller or the technical irreversibility of data does not exempt blockchain actors from their responsibilities under the GDPR. Adopting technical and organisational solutions to manage these challenges therefore becomes essential.

The question thus arises as to how sector actors can navigate this complex environment and what recommendations can be implemented to achieve effective compliance with the GDPR while continuing to innovate.

What EDPB recommendations help reconcile blockchain and the GDPR?

In response to the challenges mentioned above, the European Data Protection Board (EDPB) has formulated recommendations aimed at reconciling blockchain with the GDPR. These guidelines, although still under consultation, offer valuable insights for sector actors seeking to navigate this complex legal landscape.

First of all, the EDPB emphasises the importance of integrating data protection principles into blockchain solutions from the design stage. This approach, known as Privacy by Design, requires systematic consideration of how personal data is collected, processed and stored. For example:

| Recommendation | Detail |
|---|---|
| Minimal collection | Collect only the data strictly necessary for the intended purposes. |
| Explicit consent | Obtain clear and unambiguous consent before any processing. |
| Information notice | Inform users about the use of their data and their rights. |
| Advanced encryption | Protect sensitive data through encryption against any unauthorised access. |
| Smart contracts | Automate compliance processes while preserving the integrity of the blockchain. |
| Identification of responsibilities | Appoint a GDPR compliance officer within the organisations involved. |
| Audit and documentation | Regular audit mechanisms to assess the compliance of blockchain solutions. |

Provided for information purposes only; does not constitute legal advice.

In addition, the EDPB recommends the use of emerging technologies to strengthen data protection, such as:

  • Advanced encryption: Protect sensitive data through encryption methods, thereby ensuring that even in the event of unauthorised access, the data remains unintelligible.
  • Smart contracts: Use smart contracts to automate compliance processes, thereby making the management of individuals' rights more efficient while preserving the integrity of the blockchain.

It is also essential to maintain good data governance. This involves:

  • Identification of responsibilities: Appoint a person within the organisations involved in the blockchain to manage GDPR compliance.
  • Audit and documentation: Put in place regular audit mechanisms to assess the compliance of blockchain solutions with legal data protection requirements.

These recommendations, although technical, address crucial issues relating to digital sovereignty and fundamental rights. As Europe strives to balance innovation and the protection of individuals, it is imperative that blockchain actors adopt these guidelines.

We will now explore how digital sovereignty shapes the future of blockchain technologies in Europe and the implications that follow.

How is digital sovereignty shaping the future of blockchain technologies in Europe?

The notion of digital sovereignty has become a central issue in European policy, directly affecting the development and application of blockchain technologies. As the world becomes increasingly interconnected, concerns about data protection, security and technological independence have soared. The EU aims to build a digital space that respects the fundamental values it promotes, and blockchain is envisaged as a key tool in this quest.

One of the major aspects of this digital sovereignty lies in data governance. The EU seeks to avoid leaving the data of European citizens exposed to external legislation. Consequently, blockchain infrastructures should be located and controlled by trusted entities within the EU. This framework is essential to ensure that the GDPR rules are fully respected, particularly with regard to the international transfer of data mentioned in Chapter V of the GDPR. A blockchain ledger located outside the EU could potentially expose the data to a risk of non-compliance.

  • Permissioned blockchains: The EDPB recommends the use of permissioned blockchains, where access and write rights are regulated. This makes it possible to maintain the accountability of the actors participating in the network, while facilitating the identification of the person responsible for processing the data.
  • Interoperability: Promoting interoperability between different blockchain solutions within the EU is also paramount. This would avoid the phenomenon of vendor lock-in and allow the flow of information while keeping the data under European control.
  • Transparency and traceability: Digital sovereignty comes with a requirement for transparency in data management. Blockchain-based solutions, by their nature, allow reliable traceability, which is essential for restoring users' trust.

Furthermore, initiatives such as the EBSI (European Blockchain Services Infrastructure) project aim to create reliable and secure digital services, thereby strengthening the foundations of digital sovereignty. By adopting a solid legal framework and promoting technologies that respect fundamental rights, Europe aspires to become a leader in the field of ethical blockchains. A digital law lawyer can support organisations in this transition towards compliant blockchain infrastructures.

In conclusion, the way in which the EU shapes its digital sovereignty will have a decisive impact not only on compliance with the GDPR but also on the future of blockchain technologies as a whole. In doing so, the EU could lay the foundations for a model to be followed worldwide, combining innovation with respect for human rights.

To learn more

What did the EDPB publish on blockchain and the GDPR?

On 8 April 2025, the European Data Protection Board published guidelines on the use of blockchain with regard to the GDPR. This text, open for consultation until 9 June 2025, aims to regulate this technology while respecting the rights of individuals.

Why does blockchain pose challenges with regard to the GDPR?

The characteristics of blockchain, such as its immutability and decentralisation, pose challenges for GDPR compliance, particularly regarding data retention and the right to erasure. Reconciling these technical properties with individuals' rights is complex.

Is the immutability of blockchain compatible with the right to erasure?

This is one of the main challenges. The immutability of blockchain makes the deletion of data difficult, whereas the GDPR guarantees a right to erasure. The EDPB guidelines aim to propose solutions to reconcile these two requirements.

Does the decentralisation of blockchain complicate compliance?

Yes. Decentralisation makes it difficult to identify a single data controller and to control the data. This complicates the application of the GDPR's obligations, which the EDPB guidelines seek to clarify.

What is the objective of the EDPB guidelines?

The EDPB aims to establish an ethical and practical framework allowing innovation with blockchain without giving up citizens' rights. The objective is to regulate this emerging technology while ensuring the protection of personal data.

Does blockchain raise an issue of digital sovereignty?

Yes. The protection of data within a blockchain infrastructure raises questions of digital sovereignty in Europe. Regulating this technology contributes to data control and to respect for fundamental rights within European territory.

How can blockchain be used in compliance with the GDPR?

Compliant use requires anticipating the difficulties related to immutability and decentralisation, limiting the personal data recorded on the chain, and following the EDPB guidelines. A case-by-case analysis is necessary for each project.

Is a lawyer useful for a blockchain and GDPR project?

A data protection lawyer helps reconcile blockchain and the GDPR, qualify responsibilities, limit the risks related to immutability, and apply the EDPB guidelines. This support secures projects using this technology.
