The European Data Protection Board (EDPB) has finalized new guidelines clarifying how the General Data Protection Regulation (GDPR) applies to blockchain technologies, providing long-awaited regulatory direction for organizations processing the personal data of European Union residents. The guidance, adopted on July 8, 2026, was released alongside updated anonymization standards that collectively redefine how blockchain operators are expected to comply with EU privacy rules.
The EDPB confirmed that blockchain operators cannot avoid GDPR obligations simply because blockchain records are immutable or because personal data has been encrypted or hashed on-chain. According to the regulator, organizations remain responsible for protecting data subject rights regardless of the technical architecture they choose.
The guidelines address three principal blockchain models: public permissionless networks, private permissioned blockchains, and consortium chains. The EDPB stated that private and consortium blockchains are generally better suited for GDPR compliance because they allow clearly identifiable organizations to act as data controllers and processors. In contrast, the regulator noted that assigning these responsibilities on public permissionless networks remains extremely difficult due to the decentralized nature of their participants.
The board also emphasized that the GDPR’s right to erasure continues to apply even when blockchain technology makes deleting records technically challenging. According to the guidance, technical limitations do not exempt organizations from compliance obligations. The EDPB advised companies to determine whether blockchain technology is necessary before deploying it and, where possible, avoid storing personal data directly on-chain.
Another major aspect of the guidance concerns encryption and hashing. The EDPB stated that encrypted or hashed personal data generally remains subject to GDPR because it can potentially be linked back to an identifiable individual through wallet addresses, external databases, decryption keys, or future advances in cryptographic analysis. The accompanying anonymization guidance establishes that data can only be considered anonymous if it cannot be isolated, linked, or used to infer an individual’s identity.
The regulator also acknowledged the long-term risks associated with encryption, noting that technological advances, including quantum computing, could eventually make currently encrypted blockchain records readable. As a result, organizations are expected to consider future re-identification risks when designing blockchain systems that permanently retain information.
The guidance recommends that organizations keep personal data off-chain whenever possible, using blockchain primarily to store cryptographic references while maintaining deletable personal information in conventional databases. According to the EDPB, this architecture offers the most practical method of satisfying GDPR erasure requirements while preserving blockchain functionality.
🤝During its latest plenary, the #EDPB adopted guidelines on anonymisation, web scraping in the context of generative AI, and blockchain technologies (post-public consultation version).
Find out more: https://t.co/sw5zJVKtLa pic.twitter.com/0AGvNxYktj
— EDPB (@EU_EDPB) July 8, 2026
Where storing personal data on-chain cannot be avoided, the regulator outlined limited alternatives. These include encrypting blockchain data with securely managed off-chain encryption keys that can later be destroyed when an erasure request is received, or using hashed data secured with confidential off-chain salts that may also be destroyed. The board indicated that while these methods may serve as practical substitutes for deletion, they do not convert personal data into anonymous information.
The guidelines further highlight challenges associated with international data transfers on public blockchains. Because transactions are automatically replicated across nodes located in multiple countries, organizations may unintentionally transfer personal data outside the European Union without the safeguards required under GDPR. The EDPB warned that satisfying international transfer requirements on permissionless blockchain networks could prove particularly difficult due to the inability to identify or contract with anonymous node operators.
The regulator also addressed smart contracts, explaining that automated blockchain-based decision-making may trigger GDPR Article 22 when decisions produce legal or similarly significant effects for individuals. Organizations deploying smart contracts for financial services, identity verification, lending, insurance, or access management may therefore need to provide transparency regarding automated processing while ensuring affected individuals have opportunities to request human review.
The guidance affects a broad range of sectors using blockchain technology, including financial institutions, healthcare providers, supply chain platforms, digital asset custodians, NFT marketplaces, and tokenized asset providers. Existing blockchain deployments containing personal data may require technical modifications, architectural redesigns, or migration toward off-chain storage to improve compliance.
The EDPB stressed that the guidance does not introduce new legal obligations but instead clarifies GDPR requirements that have applied since 2018, meaning organizations processing personal data on blockchain networks should review their existing systems without delay. While the regulator incorporated stakeholder feedback during public consultations, it declined requests to exempt public blockchains from controller obligations or to relax anonymization standards, reinforcing a stricter compliance framework for blockchain-based data processing across the European Union.







