//GDPR + crypto·National Data Protection Authorities
GDPR for EU Crypto Platforms — 2026 Compliance Guide
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies fully to EU crypto-asset service providers and to non-EU CASPs offering services to EU residents. The intersection of GDPR with blockchain-immutability, KYC obligations under MiCA + AMLD, and on-chain transparency creates distinct compliance challenges that don't exist for traditional financial firms. This page covers the practical implications for CASPs and platform operators.
How does GDPR apply to EU crypto-asset service providers and platforms?
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies fully to EU crypto-asset service providers and to non-EU CASPs offering services to EU residents. The intersection of GDPR with blockchain-immutability, KYC obligations under MiCA + AMLD, and on-chain transparency creates distinct compliance challenges that don't exist for traditional financial firms. Framework: GDPR (Regulation (EU) 2016/679) + ePrivacy Directive 2002/58/EC + national implementations (DSGVO in Germany, LIL in France, etc.). Scope: EU CASPs + non-EU CASPs targeting EU residents + EU-resident users of any CASP. Key authority: National Data Protection Authorities (BfDI in Germany, CNIL in France, AEPD in Spain, Garante in Italy, AP in Netherlands) + EDPB coordination.
GDPR (Regulation (EU) 2016/679) + ePrivacy Directive 2002/58/EC + national implementations (DSGVO in Germany, LIL in France, etc.)
Scope
EU CASPs + non-EU CASPs targeting EU residents + EU-resident users of any CASP
Key Authority
National Data Protection Authorities (BfDI in Germany, CNIL in France, AEPD in Spain, Garante in Italy, AP in Netherlands) + EDPB coordination
KYC data under GDPR
CASPs collect substantial personal data under MiCA + AMLD requirements: name, address, ID documents, transaction history, IP addresses, device identifiers, beneficial-owner information for businesses. GDPR requires a lawful basis for each processing purpose (typically Article 6(1)(c) legal obligation for AML, Article 6(1)(b) contract for service provision, Article 6(1)(f) legitimate interest for fraud prevention). KYC data should be minimal, accurate, retained only as long as legally required (typically 5-7 years under AMLD), and subject to data-subject rights.
The blockchain-immutability problem
On-chain transaction data is immutable by design. GDPR Article 17 (right to erasure) cannot delete on-chain data. This creates a tension that has been the subject of significant DPA guidance: when does on-chain data qualify as "personal data" under GDPR? CNIL's 2018 guidance and EDPB's 2024 opinions have provided some answers — typically wallet addresses linked to identified individuals are personal data, and CASPs should architect systems to minimise on-chain personal-data exposure (off-chain identification, hashing, etc.).
Cookie consent and analytics
CASPs and crypto platforms typically use analytics, advertising, and customer-engagement cookies. ePrivacy Directive (implemented as TTDSG in Germany, ePR proposed at EU level) requires opt-in consent for non-essential cookies. The standard pattern: cookie banner with explicit consent for analytics/marketing, essential-only fallback. Many DACH-focused platforms now use cookie-less analytics (e.g., Plausible) specifically to avoid consent overhead. ChainChoice itself uses cookieless Plausible analytics.
Data-subject rights for crypto users
GDPR data-subject rights apply: right of access (Art. 15), rectification (Art. 16), erasure (Art. 17 — limited by AMLD retention), restriction (Art. 18), portability (Art. 20), objection (Art. 21). CASPs must operate processes for each. The right to portability is particularly nuanced for crypto data — transaction history can be exported but linked on-chain references cannot be "ported" in the traditional sense.
Cross-border data transfers
Many CASPs use third-party services (KYC providers, analytics, customer-support tools) that may transfer data outside the EU. Each transfer requires an adequate-protection mechanism: adequacy decision (UK post-Brexit, etc.), Standard Contractual Clauses (SCCs), Binding Corporate Rules, or specific Article 49 derogations. Schrems II (2020) and EDPB guidance have made transfers to the US particularly fraught; the EU-US Data Privacy Framework (2023) restored some basis but legal uncertainty remains.
Key dates
2018-05-25
GDPR enters into force
2020-07-16
Schrems II invalidates Privacy Shield
2023-07-10
EU-US Data Privacy Framework adequacy decision
2024-12-30
MiCA application creates new KYC processing scenarios
2026-01-01
DAC8 adds new tax-data sharing requirements
FAQs
Are wallet addresses personal data under GDPR?
Generally yes when linked to an identified or identifiable person — which is the typical case for CASP-held wallets. EDPB opinions and CNIL guidance treat user-linked wallet addresses as personal data under Article 4(1) GDPR. Pseudo-anonymous addresses (no known link to a person) are a grey area; treatment depends on the realistic risk of re-identification.
How does GDPR's right to erasure interact with blockchain immutability?
It doesn't directly. On-chain data cannot be deleted. CASPs cannot guarantee Article 17 erasure for on-chain records. The practical approach: architect systems so personal data lives off-chain wherever possible, use hashes or commitments on-chain that don't expose personal information directly, and document the limitation transparently in privacy notices.
Do non-EU CASPs need to comply with GDPR for EU customers?
Yes if they "monitor the behaviour" of EU residents (Article 3(2)(b)) or offer goods/services to them (Article 3(2)(a)). Most non-EU CASPs serving EU users fall under one or both. Compliance requires lawful basis, data-subject rights, breach notification, and (for many) an EU representative (Article 27).
Related coverage
⚖ChainChoice provides informational content only. Nothing on this site constitutes financial, investment, legal, or tax advice. Always do your own research and consult a qualified professional before making financial decisions.
//Analytics consent·GDPR · ePrivacy · TTDSG
ChainChoice uses anonymous, first-party analytics to measure how the engine is used (page views, conversions, referrer). No third-party trackers, no advertising cookies, no data resale. Rankings are identical whether you accept or decline.