Lesson 5: What Happens If You Ignore the GDPR?
Ignoring the GDPR doesn’t just risk your reputation. It puts your project at risk of serious fines — up to €20 million or 4% of global turnover, whichever is higher. It can also result in orders to stop processing, delete data, or leave the EU market altogether.
For Web3, the risks are very real. The EDPB’s 2025 guidance even says that entire blockchains could be subject to deletion if personal data on them can’t be erased. That’s not a hypothetical — it’s a direct quote.
Builders often think that smart contracts are exempt. However, if a smart contract makes significant decisions about people, like triggering penalties or denying access, it’s likely subject to GDPR Article 22 on automated decision-making. That means you must provide ways to override or review those decisions.
Reading: Vyara Savova – “Navigating Privacy in Crypto” (UNIBIT Journal)
European Data Protection Board - Guidelines 02/2025 on processing of personal data through blockchain technologies