DEV Community

Custodia-Admin

Posted on • Originally published at app.custodia-privacy.com

GDPR for NFT and Crypto Platforms: Blockchain, Wallet Data, and the Right to Erasure Problem


Blockchain's entire value proposition rests on immutability. Data written to a distributed ledger cannot be altered or deleted — that's the point. GDPR's right to erasure (Article 17) requires exactly the opposite: that organisations delete personal data on request.

This is not a theoretical conflict. It is a real, unresolved tension that every crypto exchange, NFT marketplace, and DeFi protocol operating in or accessible to EU residents must navigate right now.

This guide covers what GDPR actually requires of Web3 platforms, where the hardest problems sit, and what practical steps organisations can take.


When Blockchain Data Counts as Personal Data

The first question is whether blockchain data is personal data at all. The answer is: often yes.

GDPR defines personal data as "any information relating to an identified or identifiable natural person." A wallet address alone may look pseudonymous — a string of letters and numbers. But blockchain data is public and permanent. Transaction histories are linkable. With enough on-chain data and external reference points (exchange KYC records, public posts, IP logs), a wallet address can frequently be linked back to a specific individual.

The European Data Protection Board and several national DPAs have confirmed this position: wallet addresses can constitute personal data under GDPR where re-identification is reasonably possible. The test is not whether data is currently identified — it is whether identification is possible.

Practical implication: Treat on-chain data associated with users as personal data in your compliance analysis. The counterargument — that blockchain data is inherently anonymous — will not hold up to regulatory scrutiny.


Crypto Exchanges as Data Controllers

If you run a centralised crypto exchange, there is no ambiguity: you are a data controller under GDPR.

You collect names, addresses, dates of birth, government ID documents, proof of address, selfies, and in many cases source-of-funds documentation. You process transaction histories, login times, IP addresses, device fingerprints, and in some cases call recordings. You make automated decisions about account risk.

All of this is squarely within GDPR's scope. Your obligations include:

  • A lawful basis for every processing activity
  • A compliant privacy policy that is specific, not generic
  • Data subject rights fulfilment (access, erasure, portability, rectification)
  • Data processing agreements with sub-processors
  • Data breach notification (72 hours to the supervisory authority)
  • Records of processing activities (ROPA)

KYC data deserves special attention. You are required to collect it under AML/KYC regulations — typically 5 years minimum retention. This conflicts with erasure requests. GDPR provides an exemption: you can refuse erasure where retention is required by law (Article 17(3)(b)). Use it — but only for the data you are legally required to keep, and only for the lawful retention period. You cannot use legal retention obligations to justify keeping marketing data or preference data indefinitely.


NFT Marketplaces: What's On-Chain vs Off-Chain

NFT platforms operate in two layers simultaneously, and GDPR treatment differs between them.

On-chain data — the token itself, the smart contract, ownership history, transaction records — is immutable. You did not put most of this there; the blockchain did. You have limited control over it. Most DPAs acknowledge this practical reality, which is why on-chain erasure is generally not feasible in the strict sense.

Off-chain data — user accounts, profile information, email addresses, linked payment methods, purchase history in your platform's database, uploaded artwork metadata, communication records — is entirely under your control and subject to full GDPR obligations including erasure.

The mistake many NFT platforms make is treating the off-chain layer as a secondary concern because the product "lives on-chain." The off-chain layer is where most of your GDPR liability sits, and it is fully manageable.

Additionally, NFT metadata is often stored off-chain (IPFS, Arweave, your own servers). Where metadata contains personal data — an artist's real name, a photo, a location — you have processing obligations around it.


GDPR Lawful Bases for Web3 Platforms

Web3 platforms often collect and process data without being clear about why. Here is how lawful bases apply:

Contract (Article 6(1)(b)): Applies to data you need to provide the service — account data, transaction processing, KYC where it is a condition of the service. This is your primary basis for most operational data.

Legal obligation (Article 6(1)(c)): Applies to KYC/AML data, VASP registration requirements, and financial record-keeping mandates. Strong basis — but only for the data and retention period the law actually requires.

Legitimate interest (Article 6(1)(f)): Can apply to fraud prevention, security monitoring, and some analytics. Requires a legitimate interest assessment (LIA) and cannot override users' fundamental rights. Do not use this as a catch-all.

Consent (Article 6(1)(a)): Required for marketing, non-essential analytics, and tracking cookies. Must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and "by using this site you agree" language are not valid.


The Right to Erasure Problem

This is the crux of the blockchain/GDPR conflict.

Article 17 grants data subjects the right to request deletion of their personal data. The right is not absolute — it has exceptions — but it is meaningful. For Web2 companies, this means deleting database records, purging logs, and deactivating accounts. Manageable.

For blockchain-native data, true deletion is technically impossible on most public chains. Data written to Ethereum, Solana, or any major blockchain cannot be removed.

The practical answer has three parts:

  1. Pseudonymisation as partial compliance. If your platform stores user-to-wallet-address mappings off-chain, deleting that mapping breaks the link between on-chain data and the identified individual. The blockchain data remains, but it is no longer personal data from your perspective — the re-identification path through your systems is gone. This does not work if the wallet address is re-identifiable through other means, but it significantly reduces your exposure.

  2. Off-chain erasure is still required. Delete everything you can: account data, email addresses, uploaded profile information, off-chain transaction logs, marketing preferences. The inability to erase on-chain data does not excuse failure to erase off-chain data.

  3. Document the technical impossibility. GDPR's Recital 65 acknowledges that the right to erasure should not apply where retention is necessary for legitimate purposes including public interest. Most DPAs will accept a reasoned explanation of technical impossibility paired with evidence that you have minimised on-chain personal data collection and deleted everything within your control. This is not a permanent free pass — it is a defensible position that requires active risk management.


KYC/AML vs Data Minimisation

Anti-money-laundering regulations require extensive data collection from crypto platforms — identity verification, address proof, source of funds, ongoing transaction monitoring. GDPR's data minimisation principle says you should collect only what you need.

These obligations co-exist; they do not cancel each other out.

Collect what KYC/AML requires. Do not collect more. Run a data minimisation audit against your current onboarding flow — many platforms ask for data that no regulation requires, simply because "it might be useful." Remove it.

Retention is the bigger risk. KYC retention obligations typically run 5 years from the end of the business relationship. But platforms often retain this data indefinitely by default. Implement automated deletion schedules. When the legal retention period expires, delete — do not just archive.
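The three-part erasure approach above (delete the user-to-wallet mapping, delete everything else off-chain, retain KYC only under the Article 17(3)(b) exemption and document what cannot be erased on-chain) and the automated retention schedule from this section can be implemented as one request handler plus a scheduled sweep. The following is an added example written for this post, not code from Custodia or any platform; the record shapes, field names, the in-memory store and the 5-year retention value are assumptions for illustration, and the sample user is constructed.

```javascript
// Added example, not from the original post. Store layout, field names and
// the 5-year KYC retention period are assumptions used for illustration.
const FIVE_YEARS_MS = 5 * 365 * 24 * 60 * 60 * 1000;

// Constructed sample store: one user, their off-chain profile, the
// user-to-wallet mapping, and a KYC record held under a legal obligation.
function makeSampleStore() {
  return {
    users: new Map([["u1", { email: "alice@example.com", marketingOptIn: true }]]),
    walletLinks: new Map([["u1", ["0xWALLET_A", "0xWALLET_B"]]]), // placeholder addresses
    kyc: new Map([["u1", { idDocument: "<scan>", relationshipEndedAt: "2024-01-15T00:00:00Z" }]]),
    erasureLog: [],
  };
}

// Legal retention runs from the end of the business relationship.
function kycRetentionEnds(kycRecord) {
  return new Date(kycRecord.relationshipEndedAt).getTime() + FIVE_YEARS_MS;
}

// Handles an Article 17 request and returns a report of what was deleted,
// what was retained under Art. 17(3)(b), and what cannot be erased on-chain.
function handleErasureRequest(store, userId, now = Date.now()) {
  const report = { userId, deleted: [], retained: [], notErasable: [] };
  const wallets = store.walletLinks.get(userId) || [];

  // 1. Delete the user-to-wallet mapping so the on-chain history is no
  //    longer linked to an identified person through this platform.
  if (store.walletLinks.delete(userId)) report.deleted.push("walletLinks");

  // 2. Delete all other off-chain personal data.
  if (store.users.delete(userId)) report.deleted.push("users");

  // 3. KYC data: refuse erasure only while the legal retention period runs.
  const kyc = store.kyc.get(userId);
  if (kyc) {
    const ends = kycRetentionEnds(kyc);
    if (now < ends) {
      report.retained.push({
        dataset: "kyc",
        basis: "Art. 17(3)(b) legal obligation",
        retainUntil: new Date(ends).toISOString(),
      });
    } else {
      store.kyc.delete(userId);
      report.deleted.push("kyc");
    }
  }

  // 4. On-chain records cannot be deleted. Document that fact without
  //    writing the addresses back into the log, which would recreate the link.
  if (wallets.length > 0) {
    report.notErasable.push({
      dataset: "on-chain transactions",
      walletCount: wallets.length,
      reason: "immutable public ledger; platform-side link removed by deleting walletLinks",
    });
  }
  store.erasureLog.push({ ...report, at: new Date(now).toISOString() });
  return report;
}

// Scheduled sweep: deletes (does not archive) KYC records whose retention
// period has ended. Returns the user ids purged.
function runRetentionSweep(store, now = Date.now()) {
  const purged = [];
  for (const [userId, kyc] of store.kyc) {
    if (now >= kycRetentionEnds(kyc)) {
      store.kyc.delete(userId);
      purged.push(userId);
    }
  }
  return purged;
}

if (typeof require !== "undefined" && require.main === module) {
  const store = makeSampleStore();
  console.log(handleErasureRequest(store, "u1", Date.parse("2025-06-01T00:00:00Z")));
  console.log("purged later:", runRetentionSweep(store, Date.parse("2030-01-01T00:00:00Z")));
}
```

The erasure log keeps a count of wallets rather than the addresses themselves; logging the addresses beside the user id would re-create the mapping the request was meant to destroy. The sweep is what turns a retention policy into an actual end date rather than a default of "keep forever".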


Smart Contracts and Automated Decision-Making (Article 22)

Article 22 gives individuals the right not to be subject to decisions made solely by automated means that produce significant effects on them.

Smart contracts are automated. They execute conditions and produce outputs without human review. If your platform uses smart contracts to make credit decisions, eligibility determinations, or account restrictions that significantly affect users, Article 22 applies.

You need:

  • A lawful basis for the automated decision (usually contract or explicit consent)
  • Meaningful information about the logic involved
  • A way for users to request human review of decisions affecting them
  • The ability to contest and correct those decisions

Most DeFi platforms have not thought about this. If your smart contract determines whether a user qualifies for a loan, locks their funds, or restricts their access based on data inputs, you have Article 22 obligations.


DeFi Platforms and the "No Controller" Myth

A common position in DeFi: "We're a protocol. There is no company. There is no controller. GDPR doesn't apply."

This is wrong, and regulators know it.

The GDPR controller concept is purposefully broad. If a legal entity developed the protocol, operates the front-end interface, controls access to the platform, or profits from it, that entity is likely a controller. The absence of a traditional server does not eliminate processing — and the front-end website almost certainly uses analytics, tracking, and cookies that constitute personal data processing regardless of what happens on-chain.

The FATF Travel Rule also increasingly applies to DeFi protocols that facilitate transfers above certain thresholds, requiring originator and beneficiary information to be collected and transmitted. GDPR and VASP obligations do not disappear because your architecture is decentralised.


Cookie Consent and Trackers on Crypto Websites

Crypto and NFT websites are often heavily loaded with trackers: Google Analytics, Meta Pixel, Hotjar, Twitter/X conversion pixels, affiliate tracking. All of this requires compliant cookie consent under GDPR and the ePrivacy Directive.

"We're a crypto company" is not an exemption from cookie consent law.

Your website needs:

  • A cookie consent banner that blocks non-essential trackers until consent is given
  • Granular consent categories (analytics, marketing, etc.)
  • The ability for users to withdraw consent as easily as they gave it
  • A cookie policy that lists what you use and why

Run a free scan on your site before assuming your consent implementation is compliant. Many crypto platforms have 15-30 trackers loading before any consent is recorded.
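The four requirements in this section (block non-essential trackers until consent, granular categories, withdrawal as easy as granting, a policy that lists what is used) come down to a small gate that sits between the page and its third-party scripts. The following is an added example written for this post, not code from Custodia or any consent-management product; the tracker catalogue, the placeholder hosts, the storage key and the injected `loadScript` function are assumptions, and in a real page `loadScript` would insert a script tag while `storage` would be `localStorage` or a first-party cookie.

```javascript
// Added example, not from the original post. Tracker catalogue, hosts and
// storage key are constructed placeholders.
const CONSENT_KEY = "cookie-consent";
const CONSENT_VERSION = 2; // bump when the cookie policy changes so users are asked again

// Constructed catalogue: this doubles as the source for the cookie policy's
// "what we use and why" list. Hosts are placeholders, not real endpoints.
const TRACKERS = [
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "heatmap", category: "analytics", src: "https://heatmap.example/h.js" },
  { id: "session-cookie", category: "necessary", src: "https://cdn.example/session.js" },
];

// Minimal in-memory stand-in for localStorage, used by the demo below.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// No stored record, a corrupt record, or a record for an older policy
// version all mean: nothing non-essential has been consented to.
function readConsent(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY) || "null");
    if (parsed && parsed.version === CONSENT_VERSION) return parsed.categories;
  } catch (_) { /* corrupt value: treat as no consent */ }
  return {};
}

function createConsentGate({ storage, loadScript, trackers = TRACKERS }) {
  const categories = readConsent(storage);
  const loaded = new Set();

  const allowed = (t) => t.category === "necessary" || categories[t.category] === true;

  // Loads every tracker whose category is consented to and not yet loaded.
  // Called on page load: before any choice, only "necessary" scripts start.
  function apply() {
    const started = [];
    for (const t of trackers) {
      if (allowed(t) && !loaded.has(t.id)) {
        loadScript(t.src);
        loaded.add(t.id);
        started.push(t.id);
      }
    }
    return started;
  }

  function persist() {
    storage.setItem(CONSENT_KEY, JSON.stringify({
      version: CONSENT_VERSION, categories, at: new Date().toISOString(),
    }));
  }

  return {
    // Granular grant: only the named categories are switched on.
    grant(names) { for (const n of names) categories[n] = true; persist(); return apply(); },
    // Withdrawal is one call, like granting. A script already running cannot
    // be unloaded, so the caller receives the ids whose cookies must be
    // cleared now; on the next page load apply() will not start them.
    withdraw(names) {
      for (const n of names) categories[n] = false;
      persist();
      return trackers.filter((t) => names.includes(t.category) && loaded.has(t.id)).map((t) => t.id);
    },
    apply,
    status: () => ({ ...categories }),
    isLoaded: (id) => loaded.has(id),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const gate = createConsentGate({ storage: memoryStorage(), loadScript: (s) => console.log("load", s) });
  console.log("first load:", gate.apply());
  console.log("after analytics consent:", gate.grant(["analytics"]));
  console.log("to clear on withdrawal:", gate.withdraw(["analytics"]));
}
```

The property to check when auditing a site is the one the first `apply()` call enforces: with no stored consent record, the only network requests leaving the page should be for scripts tagged "necessary". A scan that shows analytics or marketing hosts contacted before the banner is answered means the gate is not in front of those scripts.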


Privacy Coins and GDPR

Privacy-focused cryptocurrencies — Monero, Zcash, Dash in shielded mode — are designed to prevent transaction tracing. From a GDPR perspective, this is not inherently problematic; privacy-enhancing technologies are generally viewed positively by data protection authorities.

The problem is regulatory, not GDPR-specific. Many jurisdictions restrict or prohibit privacy coin listings on exchanges due to AML concerns. If you list privacy coins, ensure your compliance documentation covers why the listing is consistent with your AML obligations.

For GDPR purposes, handling privacy coins follows the same rules as any other cryptocurrency — wallet addresses may still constitute personal data in context, off-chain data is still fully regulated, and your VASP obligations still apply.


VASP Registration and Data Retention

Virtual Asset Service Providers (VASPs) in the EU and UK must register with national financial regulators. Registration requirements vary by jurisdiction but generally include:

  • Procedures for customer due diligence and enhanced due diligence
  • Record-keeping obligations (typically 5 years)
  • Suspicious transaction reporting
  • Travel Rule compliance for transfers above thresholds

These create minimum retention floors for KYC and transaction data. They do not create permission to retain data beyond those minimums or to use retained data for secondary purposes.

Your privacy policy must accurately reflect your VASP retention obligations. If you are required by law to keep KYC data for 5 years, say so — and explain that users cannot request deletion of this data during that period.


Cross-Border Data Transfers in DeFi

DeFi protocols typically run on globally distributed nodes. Transaction data may be processed across dozens of jurisdictions simultaneously. GDPR Chapter V restricts personal data transfers outside the EEA unless adequate safeguards exist.

For platforms with a clearly identified controller entity, this is manageable: use standard contractual clauses (SCCs) with sub-processors, ensure your infrastructure providers have appropriate transfer mechanisms, and document your data flows.

For truly decentralised protocols, it is more complex. If personal data (including wallet addresses linkable to EU residents) is effectively processed by nodes globally, the controller entity bears responsibility for ensuring that processing is lawful. "The network is decentralised" does not absolve the developing entity from its obligations.


10 Common GDPR Mistakes Crypto and NFT Companies Make

1. Assuming pseudonymity equals anonymity. Wallet addresses are not anonymous in most contexts. Treat them as personal data.

2. Using "by using this service you agree" as a consent mechanism. Not valid under GDPR. Consent requires a proactive, informed opt-in.

3. No cookie consent banner, or a broken one that loads all trackers before consent. Very common in the crypto space. Fix it — this is where most regulatory complaints start.

4. Keeping KYC data indefinitely. Legal retention obligations have end dates. Implement automated deletion.

5. No data processing agreements with sub-processors. If you use AWS, Stripe, Twilio, Sendgrid, or any third-party service that touches personal data, you need a DPA.

6. Treating Article 22 as irrelevant. Smart contracts that make significant decisions about individuals are automated decision-making under GDPR.

7. Assuming DeFi means no controller. If there is a company behind the front-end, there is a controller.

8. No privacy policy, or a policy copied from a Web2 company that does not address blockchain-specific processing.

9. Claiming the right to erasure does not apply without documenting why. You need a written justification, not just an assumption.

10. No breach notification process. If you suffer a data breach affecting EU residents, you have 72 hours to notify your supervisory authority. Many crypto platforms have no process for this.


What to Do Next

GDPR compliance for crypto and NFT platforms is more achievable than it appears. The technical constraints around on-chain data are real but manageable. The off-chain obligations are standard and fully within your control.

Start with what you can fix immediately: cookie consent, privacy policy accuracy, KYC retention schedules, and DPA agreements with your sub-processors. Then document your on-chain data posture and the technical constraints that limit erasure.

A free website scan will show you everything currently loading on your site — every tracker, cookie, and third-party connection — before any consent is recorded. That is the fastest way to find your highest-priority fixes.



Last updated: March 2026
