Certification, blockchain and AI: EDPB adopts new documents at its latest plenary session
In April, the European Data Protection Board (EDPB) issued an opinion on a certification approved by the CNIL and adopted guidelines on blockchain technologies. The EDPB also expressed its readiness to cooperate closely with the European AI Office.
Certification
During its plenary session on April 8, the EDPB issued an opinion on a national certification for which the CNIL is the competent authority.
This is a generalist certification aimed at data controllers, supported by the company Lexing.
This certification must be approved by the CNIL under Article 42 of the GDPR. It is intended to demonstrate that the personal data processing operations implemented by a candidate are carried out in compliance with the GDPR.
The EDPB’s opinion includes 13 recommendations that the CNIL will take into account when approving the criteria for this certification.
Blockchain
Given the challenges that blockchain technologies can pose in terms of personal data protection - particularly regarding the rights to rectification and erasure - the EDPB deemed it important to assist organizations using these technologies in complying with the GDPR. To this end, guidelines have been adopted.
Blockchain is a distributed and consistent database system which can operate without centralized management and may function based on an open or predefined set of participants, according to agreed-upon rules. A blockchain can for instance enable financial transactions without financial intermediaries such as banks, by allowing proof of asset ownership.
In these guidelines, the EDPB explains how blockchains work, assessing the different possible architectures and their implications for personal data processing.
These guidelines are subject to public consultation until June 9, 2025.
Artificial Intelligence
The CNIL and its European counterparts within the EDPB have decided to cooperate closely with the European AI Office in drafting guidelines on the interaction between the European AI Act and European data protection law (GDPR, Law Enforcement Directive, and Regulation on data protection for EU institutions, bodies, and agencies).
In connection with AI, the EDPB also published a report by external experts on the risks of so-called Large Language Models (LLMs) with respect to data protection. This report provides information and tools to help organizations conduct effective risk assessments in the context of LLMs.
Reference texts
- EDPB adopts statement on age assurance, creates a task force on AI enforcement and gives recommendations to WADA - EDPB
- Guidelines 02/2025 on processing of personal data through blockchain technologies - EDPB
- EDPB adopts guidelines on processing personal data through blockchains and is ready to cooperate with AI office on guidelines on AI Act and EU data protection law - EDPB
