Seville, Spain
Seville, Spain
+(34) 624 816 969
The European Data Protection Board (EDPB) published in July the long-awaited Guidelines on the processing of personal data using blockchain technologies, a document that seeks to reconcile decentralized innovation with the requirements of the General Data Protection Regulation (GDPR). The Spanish Data Protection Agency (AEPD) has led the drafting, contributing its expertise in the field.

Table of contents [Show]
The guidelines aim to clear up uncertainty about how to protect privacy in blockchain-based systems, reinforcing that technological innovation cannot lower the rights recognized by the GDPR. The EDPB argues that this architecture can be compatible with data protection if designed under a transparent, accountable, and privacy-oriented governance model. This approach recalls the need to integrate privacy by design, a principle that also applies in other emerging technologies, such as the Implementation of Generative AI in Workflows.
The document expressly cites the Proof of Concept on blockchain and the right to erasure published by the AEPD, which already explored how to guarantee this right in decentralized environments. The guidelines are structured around four key criteria:
The EDPB advises against storing personal data in plain text on the blockchain. It recommends keeping them in off-chain systems and recording only cryptographic proofs of existence, such as keyed hash functions or cryptographic commitments. This practice minimizes the risks of mass exposure, a problem also addressed in the analysis of Packages with Zero Vulnerabilities: The Hidden Risk in Your Supply Chain.

Blockchain-based projects must incorporate advanced minimization, encryption, and data protection measures from their conception. This means organizations must carefully assess what data is strictly necessary and how to protect it, similar to lessons learned in AWS Lessons: Managing Zonal Failures in Kubernetes at Million-Cluster Scale.
The rights of access, rectification, objection, and erasure must be fully guaranteed. The EDPB proposes technical solutions such as destroying decryption keys or deleting off-chain stored data to achieve irreversible anonymization of records. This approach is especially relevant for companies handling sensitive data, such as those adopting IBM's Compact Mainframes.
Before implementing blockchain-based processing, a Data Protection Impact Assessment (DPIA) will be mandatory due to the risks arising from mass replication and international data transfers. This requirement aligns with data governance best practices also applied in environments of Internal Chat: Real-Time Communication and Boards for Your Team.

The EDPB guidelines represent a paradigm shift for companies already using or planning to adopt blockchain. The need to keep personal data off-chain and implement mechanisms guaranteeing user rights will force many current architectures to be redesigned. Additionally, the mandatory nature of DPIAs adds a compliance layer that should not be taken lightly, as evidenced in the case of Accenture Under the Microscope.
In summary, the EDPB has charted a clear roadmap for blockchain and GDPR to coexist, but only if organizations adopt a proactive approach to data protection by design. Innovation is not at odds with privacy, but it requires a firm commitment to transparency and accountability.
Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.