Lesson 8: EDPB Guidelines 02/2025 and Public Blockchains

In April 2025, the EDPB published draft Guidelines that clarify how GDPR applies to blockchain. The message is clear: public blockchains are high-risk environments for personal data. If data can’t be deleted or corrected, that may mean the whole system is non-compliant and might even need to be deleted.

The EDPB recommends using permissioned blockchains for most use cases and avoiding public chains unless strictly necessary. They also stress that encrypted or pseudonymised data is still personal data if it’s linkable.

Node operators, especially those involved in governance, might be considered joint controllers. Smart contracts that affect users in significant ways may count as automated decision-making.

Reading: EUCI GDPR Booklet – Full Sections on EDPB Guidance (X–XII),

European Data Protection Board - Guidelines 02/2025 on processing of personal data through blockchain technologies