Skip to main content
Your journey
//GDPR + cryptoNational Data Protection Authorities

GDPR for EU Crypto Platforms — 2026 Compliance Guide

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies fully to EU crypto-asset service providers and to non-EU CASPs offering services to EU residents. The intersection of GDPR with blockchain-immutability, KYC obligations under MiCA + AMLD, and on-chain transparency creates distinct compliance challenges that don't exist for traditional financial firms. This page covers the practical implications for CASPs and platform operators.

Mathias Siemonsmeier ↗Editor-in-Chief, ChainChoiceVerified by: ChainChoice Engine v4
Last reviewed2026-06-04
AUDIT RECEIPT#cc-COMPLIANCE-GDPR_CRYPTO_PLATFORMS-2026.06 ↗methodology §3 ↗affiliate economics did not influence this ranking
Direct answer

How does GDPR apply to EU crypto-asset service providers and platforms?

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies fully to EU crypto-asset service providers and to non-EU CASPs offering services to EU residents. The intersection of GDPR with blockchain-immutability, KYC obligations under MiCA + AMLD, and on-chain transparency creates distinct compliance challenges that don't exist for traditional financial firms. Framework: GDPR (Regulation (EU) 2016/679) + ePrivacy Directive 2002/58/EC + national implementations (DSGVO in Germany, LIL in France, etc.). Scope: EU CASPs + non-EU CASPs targeting EU residents + EU-resident users of any CASP. Key authority: National Data Protection Authorities (BfDI in Germany, CNIL in France, AEPD in Spain, Garante in Italy, AP in Netherlands) + EDPB coordination.

Framework summary

Legal Basis
GDPR (Regulation (EU) 2016/679) + ePrivacy Directive 2002/58/EC + national implementations (DSGVO in Germany, LIL in France, etc.)
Scope
EU CASPs + non-EU CASPs targeting EU residents + EU-resident users of any CASP
Key Authority
National Data Protection Authorities (BfDI in Germany, CNIL in France, AEPD in Spain, Garante in Italy, AP in Netherlands) + EDPB coordination

KYC data under GDPR

CASPs collect substantial personal data under MiCA + AMLD requirements: name, address, ID documents, transaction history, IP addresses, device identifiers, beneficial-owner information for businesses. GDPR requires a lawful basis for each processing purpose (typically Article 6(1)(c) legal obligation for AML, Article 6(1)(b) contract for service provision, Article 6(1)(f) legitimate interest for fraud prevention). KYC data should be minimal, accurate, retained only as long as legally required (typically 5-7 years under AMLD), and subject to data-subject rights.

The blockchain-immutability problem

On-chain transaction data is immutable by design. GDPR Article 17 (right to erasure) cannot delete on-chain data. This creates a tension that has been the subject of significant DPA guidance: when does on-chain data qualify as "personal data" under GDPR? CNIL's 2018 guidance and EDPB's 2024 opinions have provided some answers — typically wallet addresses linked to identified individuals are personal data, and CASPs should architect systems to minimise on-chain personal-data exposure (off-chain identification, hashing, etc.).

Cookie consent and analytics

CASPs and crypto platforms typically use analytics, advertising, and customer-engagement cookies. ePrivacy Directive (implemented as TTDSG in Germany, ePR proposed at EU level) requires opt-in consent for non-essential cookies. The standard pattern: cookie banner with explicit consent for analytics/marketing, essential-only fallback. Many DACH-focused platforms now use cookie-less analytics (e.g., Plausible) specifically to avoid consent overhead. ChainChoice itself uses cookieless Plausible analytics.

Data-subject rights for crypto users

GDPR data-subject rights apply: right of access (Art. 15), rectification (Art. 16), erasure (Art. 17 — limited by AMLD retention), restriction (Art. 18), portability (Art. 20), objection (Art. 21). CASPs must operate processes for each. The right to portability is particularly nuanced for crypto data — transaction history can be exported but linked on-chain references cannot be "ported" in the traditional sense.

Cross-border data transfers

Many CASPs use third-party services (KYC providers, analytics, customer-support tools) that may transfer data outside the EU. Each transfer requires an adequate-protection mechanism: adequacy decision (UK post-Brexit, etc.), Standard Contractual Clauses (SCCs), Binding Corporate Rules, or specific Article 49 derogations. Schrems II (2020) and EDPB guidance have made transfers to the US particularly fraught; the EU-US Data Privacy Framework (2023) restored some basis but legal uncertainty remains.

Key dates

2018-05-25
GDPR enters into force
2020-07-16
Schrems II invalidates Privacy Shield
2023-07-10
EU-US Data Privacy Framework adequacy decision
2024-12-30
MiCA application creates new KYC processing scenarios
2026-01-01
DAC8 adds new tax-data sharing requirements

FAQs

Are wallet addresses personal data under GDPR?
Generally yes when linked to an identified or identifiable person — which is the typical case for CASP-held wallets. EDPB opinions and CNIL guidance treat user-linked wallet addresses as personal data under Article 4(1) GDPR. Pseudo-anonymous addresses (no known link to a person) are a grey area; treatment depends on the realistic risk of re-identification.
How does GDPR's right to erasure interact with blockchain immutability?
It doesn't directly. On-chain data cannot be deleted. CASPs cannot guarantee Article 17 erasure for on-chain records. The practical approach: architect systems so personal data lives off-chain wherever possible, use hashes or commitments on-chain that don't expose personal information directly, and document the limitation transparently in privacy notices.
Do non-EU CASPs need to comply with GDPR for EU customers?
Yes if they "monitor the behaviour" of EU residents (Article 3(2)(b)) or offer goods/services to them (Article 3(2)(a)). Most non-EU CASPs serving EU users fall under one or both. Compliance requires lawful basis, data-subject rights, breach notification, and (for many) an EU representative (Article 27).

Related coverage

ChainChoice provides informational content only. Nothing on this site constitutes financial, investment, legal, or tax advice. Always do your own research and consult a qualified professional before making financial decisions.

Methodology
6-dimension rubric. Weights published.
Data freshness
Live data, refreshed hourly. Independent rankings. We show our work.
Disclosure
Educational analysis, not investment advice. Affiliate links may contribute to operations but never alter rankings.
ChainChoice · The decision layer for crypto · Not financial advice180+ providers · 13 categories · Computed, not voted · © 2026
Where we’re positionedChainChoice is currently positioned for European Union · United Kingdom · Switzerland. Recommendations and risk warnings are tuned for these jurisdictions. The site is reachable globally, but provider availability, regulatory framing, and tax guidance only fully apply in the listed regions. Expanding to United States, Canada, Australia, Singapore, Japan, UAE, India, and Brazil through 2026 — pick your region from the radar to see what currently applies.