GDPR Compliance Challenges in Blockchain-Based Systems
DOI: https://doi.org/10.63345/sjaibt.v1.i3.104
Keywords: GDPR, Blockchain, Right to Erasure, Pseudonymization, Anonymization, Data Protection by Design, Controller/Processor, Cross-Border Transfers, Off-Chain Storage, Zero-Knowledge Proofs
Abstract
Blockchain’s decentralization, transparency, and tamper‐resistance are celebrated properties for auditability and trust, yet they collide with core data protection duties under the EU General Data Protection Regulation (GDPR). This manuscript analyzes the principal compliance challenges that arise when blockchain processes personal data and proposes a practical, design-oriented framework to address them. First, we synthesize legal and regulatory positions on what counts as “personal data,” the difference between anonymization and pseudonymization, and the implications of the right to erasure, data protection by design and by default, allocation of controller/processor roles, and international data transfers. We then map these requirements to blockchain architectures (public permissionless, public permissioned, and private permissioned) and data patterns (on-chain, off-chain, hybrid). Building on recent guidance from the European Data Protection Board (EDPB) and national authorities, we outline concrete technical and governance controls—off-chain storage and on-chain commitments, keyed hashing, encryption/key-revocation strategies, chameleon-hash/redactable-ledger designs, selective-disclosure credentials/zero-knowledge proofs, and robust consortium governance—to reduce risk and improve demonstrable compliance. Applying a six-step assessment methodology to three realistic use cases (NFT profile registry, supply-chain provenance, and consortium KYC), we show that while no single pattern fully reconciles immutability with erasure, practicable combinations can align processing with GDPR’s principles of minimization, purpose limitation, storage limitation, and accountability. The paper concludes with a prioritized checklist for engineering “compliance-by-design” blockchains, and delineates scope and limitations for practitioners and researchers.
References
• Arthur Cox. (2025, May 29). Personal data on the chain: EDPB guidelines for blockchain technologies. https://www.arthurcox.com/knowledge/personal-data-on-the-chain-edpb-guidelines-for-blockchain-technologies/
• CNIL. (2018, October 29). Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data. https://www.cnil.fr/en/blockchain-and-gdpr-solutions-responsible-use-blockchain-context-personal-data
• CNIL. (2018). Blockchain and the GDPR (English PDF guidance). https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf
• Dechert LLP. (2023, May 25). EU General Court examines data anonymisation and pseudonymisation (SRB v EDPS). https://www.dechert.com/knowledge/onpoint/2023/5/eu-court-examines-data-anonymisation-and-pseudonymisation.html
• ENISA. (2019). Pseudonymisation techniques and best practices. https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices
• ENISA. (2021). Deploying pseudonymisation techniques: Guidance and use cases. https://collab.dpa.gr/wp-content/uploads/2023/07/enisa_DEPLOYING-PSEUDONYMISATION-TECHNIQUES_en.pdf
• EDPB. (2025, April 8). Guidelines 02/2025 on processing of personal data through blockchain technologies (Version for public consultation). https://www.edpb.europa.eu/system/files/2025-04/edpb_guidelines_202502_blockchain_en.pdf
• EDPB. (2025, April 14). EDPB adopts guidelines on processing of personal data through blockchains (News release). https://www.edpb.europa.eu/news/news/2025/edpb-adopts-guidelines-processing-personal-data-through-blockchains-and-ready_en
• European Parliament & Council. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
• GDPR-Text.com. (n.d.). Article 17 GDPR: Right to erasure (right to be forgotten). https://gdpr-text.com/en/read/article-17/
• GDPR-Info.eu. (n.d.). Article 25 GDPR: Data protection by design and by default. https://gdpr-info.eu/art-25-gdpr/
• GDPR-Info.eu. (n.d.). Article 4 GDPR: Definitions. https://gdpr-info.eu/art-4-gdpr/
• GDPR-Info.eu. (n.d.). Article 44 GDPR: General principle for transfers. https://gdpr-info.eu/art-44-gdpr/
• ICO. (2025, March 28). Anonymisation and pseudonymisation guidance (About this guidance). https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/anonymisation/about-this-guidance/
• ICO. (n.d.). Pseudonymisation. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/anonymisation/pseudonymisation/
• Lyons, T., Courcelas, L., & Timsit, K. (2018). EU Blockchain Observatory & Forum: Blockchain and the GDPR (Workshop report). https://afyonluoglu.org/PublicWebFiles/Reports/Blockchain/EU/20180608-EU%20Blockchain%20Forum-GDPR%20Report.pdf
• Oxford Business Law Blog. (2018, April 20). Blockchains and the right to be forgotten. https://blogs.law.ox.ac.uk/business-law-blog/blog/2018/04/law-and-autonomous-systems-series-blockchains-and-right-be-forgotten
• Pinsent Masons. (2025, April 15). ICO anonymisation guide aids UK data protection compliance. https://www.pinsentmasons.com/out-law/analysis/ico-anonymisation-guide-uk-data-protection-compliance
• Zafar, A. (2025). Reconciling blockchain technology and data protection laws: A closer look at the GDPR. Journal of Cybersecurity, 11(1). https://academic.oup.com/cybersecurity/article/11/1/tyaf002/8024082
• Belen-Saglam, R., Altuncu, E., Lu, Y., & Li, S. (2023). A systematic literature review of the tension between the GDPR and public blockchain systems. Digital Communications and Networks, 9(4), 1223–1246. https://www.sciencedirect.com/science/article/pii/S2096720923000040
License
Copyright (c) 2024 Scientific Journal of Artificial Intelligence and Blockchain Technologies

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
The license allows re-users to share and adapt the work, as long as credit is given to the author and the work is not used for commercial purposes.