Brussels, 14 April - During its April 2025 plenary, the European Data Protection Board (EDPB) has adopted guidelines on processing of personal data through blockchain technologies.  A blockchain is a distributed digital ledger system that can confirm transactions  and  establish  who  owned  a  digital  asset  (such  as cryptocurrency)  at  a  given  time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability.

As the use of blockchain technologies is expanding, the Board considers it important to help organisations using these technologies to comply with the GDPR. 
In its guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for the processing of personal data.

The guidelines highlight the importance of implementing technical and organisational measures at the earliest stages of the design of the processing. The EDPB also clarifies that the roles and responsibilities of the different actors in a blockchain-related processing of personal data should be assessed during the design of the processing.
In addition, organisations should carry out a Data Protection Impact Assessment (DPIA) before processing personal data through blockchain technologies, where the processing is likely to result in a high risk to the rights and freedoms of individuals.

According to the Board, organisations should also ensure the highest protection of individuals’ personal data during the processing so that they are not made accessible to an indefinite number of persons by default.

The guidelines provide examples of different techniques for data minimisation, as well as for handling and storing personal data. As a general rule, storing personal data in a blockchain should be avoided if this conflicts with data protection principles.

Finally, the Board highlights the importance of the rights of individuals especially regarding transparency, rectification and erasure of personal data. 

The guidelines will be subject to public consultation until 9 June 2025, providing stakeholders with the opportunity to comment.

During its latest plenary, the EDPB also decided to closely cooperate with the AI Office in relation to the drafting of the guidelines on the interplay between the AI Act and EU data protection legislation.
 

With our involvement in this fourth Coordinated Enforcement Action, we walk the talk by continuously advocating for a coherent application of EU data protection law, and the consistent protection of individuals’ personal data, across the EU/EEA. 

Read Press Release

Brussels, 14 March - During its March 2025 plenary meeting, the European Data Protection Board (EDPB) adopted a statement on the implementation of the Passenger Name Record Directive (PNR) in light of the Court of Justice of the EU (CJEU) judgment C-817/19*. 

In its second statement on the implementation of the PNR Directive, which follows the one of 15 December 2022, the Board gives further guidance to the Passenger Information  Units (PIUs)** on the necessary adaptions and limitations to the processing of PNR data, following the PNR judgment. PNR data is personal information provided by passengers, and collected and held by air carriers that includes the names of the passengers, travel dates, itineraries, seats, baggage, contact details and means of payment.

The statement includes practical recommendations for the national laws transposing the PNR Directive in order to give effect to the findings of the CJEU in the PNR judgment. The recommendations cover some of the key aspects of the PNR judgement such as how European countries should select the flights from which PNR data is collected, or how long PNR data should be retained. According to the Board, the retention period of all PNR data should not exceed an initial period of six months. After this period, European countries may only store PNR data as long as needed and proportionate to the objectives of the PNR Directive.

EDPB Chair Anu Talus said: “The EDPB recognises the importance of the PNR Directive in improving the security of passengers across Europe and in helping prevent, detect and prosecute terrorist offences and serious crime. The transfer of PNR data in Europe should take place in a harmonised way and in full respect of data protection principles.”

The Board is aware that some European countries have already started the adaptation process, but there is still a substantial lack of implementation efforts throughout the Member States. Therefore, in its statement, the EDPB outlines the urgent need to implement the necessary changes and to amend national laws by taking into account the PNR judgment as soon as possible.

Note to editors
* On 21 June 2022, on a referral from the Belgian Constitutional Court, the CJEU rendered its judgment C-817/19 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, under the PNR Directive 2016/681. While the Court found that the validity of the PNR Directive was not affected, it ruled that, in order to ensure compliance with the EU Charter of Fundamental Rights (the Charter), the PNR Directive needs to be interpreted as including important limitations to the processing of personal data. Some of these limitations are the application of the PNR system only to terrorist offences and serious crime, having an objective link with the carriage of passengers by air, and the non-indiscriminate application of the general retention period of five years to all passengers’ personal data.
** The PIUs are specific entities in European countries which are responsible for the collection, storage, and processing of PNR data.