In brief
- The EDPB has published draft guidelines on how personal data should be stored and accessed on blockchains, aiming to align with GDPR rules.
- Storing personal data on-chain should be avoided if it risks breaching core data protection principles, the board warns.
- Experts are split on the impact—some see the rules as overdue guardrails, while others argue they threaten decentralization and privacy innovation.
The European Data Protection Board has approved draft rules governing how personal data is stored and shared on blockchains, marking another step toward aligning decentralized technology with existing standards.
The new guidelines limit access to stored information and comply with the General Data Protection Regulation (GDPR) protections, according to the EDPB, which ratified the rules this month and opened public comment until June 9.
“Blockchains have certain properties that can lead to challenges when dealing with the requirements of the GDPR,” the EDPB said in a version of the guidelines available online. “The guidelines highlight the need for Data Protection by Design and by Default and adequate organizational and technical measures.
The document added: “As a general rule, storing personal data on a blockchain should be avoided if this conflicts with data protection principles.”

European Central Bank Takes Step Toward Blockchain-Based Payments System
The European Central Bank is expanding its efforts to establish a payments system built on blockchain technology, a move that could lead to Europe’s largest monetary policymaker issuing a central bank digital currency, or CBDC. The digital payments infrastructure initiative, announced Thursday by the ECB, will roll out in two phases. In the first stage, the eurozone’s monetary authority will develop and implement a payments platform for settlements in central bank money through an interoperabil...
The guidelines come amid ongoing concerns about the security of blockchain technology. GDPR outlines a list of rights for individuals to protect their personal information.
The guidelines advised organizations to implement technical and structure-wide measures early in the design stages of data processing, and emphasized the importance of transparency, rectification, and erasure of personal data.
This includes accounting for the various roles of actors involved in separate stages of blockchain processing of personal data.
The EDPB said that organizations should conduct Data Protection Impact Assessments (DPIAs) before processing any personal data using blockchain technology. This is presuming that processing is likely to result in a high risk to the rights and freedoms of individuals.
The board urged organizations to focus on ensuring individuals' personal data is not made available to an "indefinite number of persons by default."

Europe Needs Digital Euro, Central Bank Says After Trump Order Barring US CBDC
A digital euro could remedy President Donald Trump’s anti-central bank digital currency—or CBDC—agenda, a leader of the European Central Bank has said. European Central Bank executive board member Piero Cipollone told a conference that Europe “needs” a digital euro to counter Trump’s plans for stablecoins, according to a Friday report from Reuters. The ECB press office confirmed the comments to Decrypt, and said that the bank was “experimenting with different technologies—both centralized and d...
Data privacy experts have mixed opinions about blockchain’s role in data privacy and the new guidelines.
Bryn Bennett, Senior BD at Hacken, a Ukrainian Web3 security firm, told Decrypt that "the EDPB’s guidelines are a timely reminder that decentralization doesn't mean deregulation.”
“We see privacy as part of core infrastructure—not a post-launch add-on,” Bennet said. “Projects that treat user data casually risk both legal blowback and security breaches. Privacy-by-design, off-chain storage, and proper governance aren't just best practice—they're survival tools.”
However, in an interview with Decrypt, Harry Halpin, the founder and CEO of decentralized privacy firm Nym Technologies, said that “it's a mistake to put personal data on the blockchain.”
“The use-cases I have seen, such as digital identity systems, or worse, COVID passports, inherently violate privacy and lead to authoritarianism,” Halpin said. “Personal data should use zero-knowledge proofs off-chain and have network privacy via mixnets, as we use with payment information on Nym."
He added: "It is also a mistake to apply data protection laws to data on the blockchain, as the 'right to be forgotten' would effectively require decentralized blockchains to be mutable and censored by regulators. If this is the goal, then just use normal centralized databases.”
Edited by Sebastian Sinclair
Daily Debrief Newsletter

