How to Protect Personal Data When Using Blockchain

IT, Privacy & Cybersecurity

28 April 2025

Written by

Natascha van Duuren

The roots of modern privacy law lie in the 1970s when it became clear how easily computer systems could store and process large amounts of data. The General Data Protection Regulation (GDPR) is intentionally technology-neutral. New technologies should, in principle, be able to fit within these existing legal frameworks. However, blockchain presents us with challenges. On the one hand, it offers a new and interesting data processing model where individuals have more control over their personal data. On the other hand, some of its unique characteristics seem difficult to reconcile with the core principles of privacy law. My colleague Jeroen van Helden wrote an interesting chapter about this in the KNVI bundle "Multidisciplinary Aspects of Blockchain".

Consultation Version of EDPB Guidelines on Privacy and Blockchain

In 2019, Jeroen van Helden concluded that although privacy legislation is formulated to be technology-neutral, it implicitly seems designed for central databases managed by easily identifiable players. This creates a certain tension between privacy legislation on the one hand and the processing of personal data within dynamic information networks on the other. He also noted that the GDPR has the necessary flexibility and that early signs indicated that regulators were willing to use this flexibility.

Six years have passed since the publication of the KNVI bundle, and the European Data Protection Board (EDPB) has established new guidelines for the use of blockchain technology. These guidelines help organizations understand how to protect personal data when using blockchain. The key points of the EDPB are:

  • Organizations must conduct a Data Protection Impact Assessment (DPIA) before processing personal data via blockchain technologies if the processing is likely to result in a high risk to the rights and freedoms of individuals.
  • Organizations must apply the principle of data minimization when processing personal data in a blockchain.
  • Individuals must be able to exercise their privacy rights when their personal data is in the blockchain, such as the right to access and the right to rectify (modify) their personal data. Where this is technically not feasible for organizations, as with the right to delete data, the EDPB recommends looking at other ways to protect data before processing, such as anonymizing data or using another tool instead of blockchain.

These guidelines are not yet final. Comments can be submitted via the EDPB website until June 9, 2025.

Questions?

Do you want to know how to concretely apply the guidelines within your blockchain application? Contact us via n.vanduuren@declercq.com or j.vanhelden@declercq.com.

If you want to read more about the social, technical, and legal approach to blockchain, order the book “Multidisciplinary aspects of blockchain”, Mr. Natascha van Duuren and Mr. Victor de Pous (eds.), published by deLex.