QR Code GDPR Compliance: The Complete Guide for 2026
QR code GDPR compliance explained: when scanning triggers the regulation, what data is collected, consent requirements, and a practical checklist. Get

This article was written by the QR Nova team. We build QR code software, which may inform our perspective.
TL;DR
- Static QR codes: no server contact on scan, no personal data collected, GDPR does not apply to the QR layer.
- Dynamic QR codes: redirect servers log IP addresses, user agents, and timestamps — all personal data under GDPR Art. 4.
- Lawful basis for scan analytics: legitimate interests for aggregate metrics; consent for individual tracking or profiling.
- US-based QR platforms processing EU scan data require Standard Contractual Clauses (SCCs) — most organisations have not done this.
- Data retention: 90–180 days is the practical ceiling most DPAs accept for campaign analytics.
- A DPIA is required before deploying QR codes that systematically track individual behaviour at scale.
What Does GDPR Actually Regulate?
Create your first QR code — free
Get startedStatic vs Dynamic QR Codes: The GDPR-Decisive Difference
The two architectures create completely different legal situations — and the difference is not one of degree.
Static QR Codes: No Server, No Log, No GDPR Trigger
A static QR code encodes the destination URL directly in its pixel pattern. When a phone camera reads it, the device's operating system extracts the URL and opens it — exactly as if the user had typed the address. No intermediate server is contacted. No IP address is logged by the QR system. No analytics event fires. From the perspective of the entity who created the QR code, zero personal data is processed at the moment of scanning. The GDPR obligation (if any) shifts entirely to the destination website — governed by that site's own cookie and analytics policies, which are separate from the QR code itself. This is what the privacy community calls privacy-by-design under GDPR Article 25: the technical architecture makes data collection impossible, not merely unlikely.Dynamic QR Codes: Every Scan Hits a Server First
A dynamic QR code encodes a redirect URL — typically something like `qr.platform.com/abc123`. When scanned, the device contacts the platform's server, which logs the request and then redirects to the actual destination. That server log contains:- IP address — personal data under CJEU case law (Breyer, C-582/14, 2016)
- User agent string — device type, OS version, browser, which can contribute to fingerprinting
- Timestamp — precise scan time
- Referrer data — in some implementations
- Approximate geolocation — derived from IP, offered as a feature by most platforms
When QR Code Tracking Triggers GDPR: The Technical Test
Apply this test to any QR code deployment:- Does scanning the code contact a server before reaching the destination? If yes, personal data is being processed.
- Are EU residents among the potential scanners? GDPR applies regardless of where your organisation is based.
- Does the server log IP addresses, user agents, or timestamps? Almost all dynamic QR redirect servers do this by default — you do not need to have configured it explicitly.
Lawful Basis for QR Code Scan Analytics
GDPR Article 6 requires one of six lawful bases for any data processing. For scan analytics, two are realistic. The others — contract, legal obligation, vital interests, public task — do not fit marketing analytics, and using them has been cited as incorrect in enforcement actions.Article 6(1)(f): Legitimate Interests
Legitimate interests is the most commonly used basis for marketing analytics. To rely on it, you must pass a three-part test: identify a legitimate interest, show the processing is necessary for that interest, and demonstrate your interests are not overridden by the data subject's rights. For QR scan analytics, this holds when:- You are measuring aggregate campaign performance (not individual journeys)
- Data is retained for a defined, short period (90–180 days)
- You provide clear notice at the point of scanning
- You are not sharing data with third parties or building profiles
Article 6(1)(a): Consent
Consent is required for higher-risk uses: individual journey tracking, cross-device attribution, retargeting based on QR scans, or profiling. The architectural problem with QR codes is that consent must be obtained before processing begins — the redirect server cannot log the IP address before consent is confirmed. This requires a consent-gate at the landing page and technical architecture that logs nothing until consent is recorded. Several major QR platforms log data on first contact with the redirect URL, before any consent mechanism appears. That architecture is incompatible with consent as a lawful basis — not a minor gap, a structural incompatibility.Data Subject Rights and Scan Logs
Once you are processing personal data through QR analytics, data subjects have enforceable rights:Right of Access (Art. 15)
A data subject can request all scan data you hold relating to them. With 50,000 scan events in your analytics platform, you need to identify and extract those tied to a specific individual — technically hard when the linkage is an IP address and timestamp that you no longer hold in raw form because you were trying to be privacy-friendly.Right to Erasure (Art. 17)
If a user requests erasure, you must delete their scan records from your platform and instruct your QR vendor (as data processor) to do the same. Most organisations discover their vendor does not support selective deletion of individual scan records. You find this out when a request arrives, not before. That makes your DPA with that vendor legally deficient on its face.Right to Object (Art. 21)
Where processing is based on legitimate interests, data subjects can object. You must then stop processing unless you can demonstrate compelling legitimate grounds that override their interests. "We need this for marketing performance" has not been accepted as a compelling ground by any DPA — and it is unlikely to start being accepted now.Cross-Border Transfers: The US Platform Problem
The majority of QR code platforms — QR Tiger, Bitly, Beaconstac, Flowcode — are US-based companies. When EU residents scan QR codes on these platforms, their IP addresses and device data are transferred to US servers. This is a restricted cross-border transfer under GDPR Chapter V. Most organisations deploying QR codes have not treated it as one.
Since the Court of Justice of the EU invalidated the Privacy Shield framework in July 2020 (Schrems II, C-311/18), transfers of personal data from the EU to the US require one of:
- Standard Contractual Clauses (SCCs) — adopted in updated form by the European Commission in June 2021
- Transfer Impact Assessment (TIA) — a documented analysis of US surveillance law risk for the specific data being transferred
- EU-US Data Privacy Framework (DPF) — the 2023 adequacy decision, though its long-term stability post-Schrems III remains uncertain
The Data Retention Problem Most Platforms Create
GDPR Article 5(1)(e) — the storage limitation principle — requires personal data be kept "no longer than is necessary" for the stated purpose. The default for most major QR analytics platforms is indefinite retention. QR Tiger retains scan data for the lifetime of your account. Bitly's default is account-lifetime with no automatic purge. Neither is GDPR-compliant for EU scan data without explicit justification — and "we forgot to set a retention limit" is not explicit justification. This is the part of QR compliance that nobody talks about at conferences, because it makes the whole category look bad. But it is the part that DPA auditors look at first. Practical guidance from DPAs:- Campaign performance measurement: 90–180 days from campaign end
- Fraud detection / security: up to 12 months with documented justification
- Individual journey analytics: must be justified by purpose, documented in RoPA
When a DPIA Is Required
Article 35 requires a Data Protection Impact Assessment before processing that is "likely to result in a high risk" to individuals. The Article 29 Working Party's guidelines (WP248) identify two relevant criteria for QR deployments:- Systematic monitoring: tracking individuals' publicly accessible behaviour (scanning a QR code in a public place qualifies)
- Large-scale processing: no hard threshold, but 70,000+ monthly scans from identifiable individuals is well inside "large scale" territory
Practical GDPR Compliance Checklist for QR Code Deployments
Step 1: Determine Your QR Type
- Static QR code pointing directly to a URL: no GDPR obligation at the QR layer. Proceed to Step 6 for the landing page assessment.
- Dynamic QR code with redirect server: continue through all steps.
Step 2: Document Your Processing
Add QR scan analytics to your Records of Processing Activities (RoPA) under Article 30. Document: data categories, purpose, lawful basis, retention period, processor details, and transfer mechanisms.Step 3: Establish Lawful Basis
- Aggregate campaign metrics only, short retention, no profiling → document legitimate interests with a LIA on file
- Individual journey tracking, profiling, retargeting → implement consent mechanism before the redirect fires
Step 4: Execute a Data Processing Agreement
Sign a DPA with your QR platform that meets Article 28 requirements: specifies processing instructions, prohibits sub-processor use without notice, guarantees deletion rights, and commits to assisting with data subject requests.Step 5: Address Cross-Border Transfers (If Applicable)
If your QR platform is US-based:- Confirm the platform offers SCCs in its DPA (2021 version)
- Conduct and document a Transfer Impact Assessment
- Review whether the DPF adequacy decision covers your vendor
Step 6: Update Privacy Notices
Add scan analytics disclosure to your privacy policy. At the point of scanning (on physical materials or near the code), include a short notice: the fact that scanning is tracked, what data is collected, and where to find the full privacy policy.Step 7: Set Retention Limits
Configure your QR platform to auto-delete scan records after your documented retention period. If the platform does not support this feature, it is a compliance gap — document it and establish a manual deletion schedule.Step 8: Assess DPIA Requirement
Answer: Does this deployment systematically track individual behaviour? Is it large-scale? If yes to either, complete a DPIA before deployment.Scale-Based Examples
Small Business: Local Cafe with Menu QR
A static QR code linking to a PDF menu: zero GDPR obligation on the QR layer. If they switch to a dynamic QR to track how many scans the menu gets, they become a data controller for IP addresses and timestamps of every customer who scans. For this use case, the privacy trade-off is almost never worth it — a static QR with a UTM parameter in the destination URL achieves the same campaign attribution through Google Analytics, which the business is presumably already managing.Mid-Market: Retailer with In-Store QR Campaigns
A 50-location retailer running dynamic QR codes on point-of-sale displays, with scan analytics used for campaign attribution. This deployment: requires a DPA with the QR vendor, a LIA for legitimate interests, a privacy notice near each QR display, and a 90-day retention policy. The cross-border transfer question depends on whether the QR platform is EU or US-based. DPIA is likely required if individual scan events are retained longer than aggregate statistics.Enterprise: Events and Conference Badge QR
An enterprise event using QR codes on attendee badges to track session attendance — linking scan events to named individuals. This is high-risk profiling. Lawful basis requires either explicit consent (collected at registration) or a legitimate interest with a documented LIA that can withstand DPA scrutiny. A DPIA is mandatory. The data processor (QR vendor) must support selective deletion. Retention should be limited to the period needed for post-event reporting, typically 30–60 days.What This Guide Won't Fix
This is the limit of what these compliance steps can address. A checklist does not substitute for legal advice specific to your deployment. If your use case involves profiling individuals at scale, get a lawyer who knows GDPR — not a blog post.- If your QR platform does not offer SCCs or DPAs, no amount of internal documentation makes the transfer compliant. You need a different vendor.
- If your use case is individual profiling at scale, legitimate interests will not hold up under DPA scrutiny. Consent architecture is required regardless of how inconvenient it is technically.
- If you operate in a sector with sector-specific rules (healthcare, finance, children's services), GDPR is the floor, not the ceiling. Additional frameworks apply.
- GDPR compliance does not equal ePrivacy compliance. The ePrivacy Directive (soon to be replaced by the ePrivacy Regulation) governs cookies and device fingerprinting separately from GDPR. QR analytics that involves device fingerprinting may require consent under ePrivacy independently of the GDPR lawful basis question.
How QR Nova Approaches GDPR
QR Nova's architecture reflects a deliberate decision about where to sit on the static/dynamic spectrum for privacy. Static QR codes generated on QR Nova encode the destination URL directly in the pattern. No server is contacted at scan time. No IP address, user agent, or timestamp is logged by QR Nova's systems. The privacy notice for a static QR code is: there is nothing to disclose at the QR layer. Dynamic QR codes on QR Nova redirect through our servers. We are transparent about what this means: we log scan timestamps, approximate country-level location derived from IP (we do not store raw IP addresses in scan records), and device category. We provide a Data Processing Agreement to all business-tier subscribers, configured retention periods (default 180 days with manual override), and data portability export for all scan records. We do not sell scan data to third parties or use it for advertising purposes. For organisations where privacy is a hard constraint, our recommendation is simple: use permanent static QR codes for the QR layer, and handle analytics through your existing website analytics stack (where you are presumably already compliant). The destination URL can carry UTM parameters for campaign attribution without any intermediate server processing the scan event. For organisations that need scan-level analytics — offline campaign attribution, multi-location comparison, time-of-day patterns — our dynamic QR codes provide transparent, documented processing with a clear DPA and configurable retention. That is a different proposition from platforms that bury IP collection in "usage data" clauses and offer no deletion controls. If you want to understand the full data collection picture before choosing a QR approach, our guide on how QR code scan tracking works covers the technical mechanics in detail. For the security angle on QR codes more broadly, the QR code safety guide covers what risks are real and which are overstated. Generate a free QR code — static or dynamic, your choice, with full transparency about what each type does and does not collect.Frequently asked questions
Do QR codes need to comply with GDPR?
It depends on the type. Static QR codes encode a URL directly in the pattern and contact no server when scanned, so they collect no personal data and GDPR does not apply. Dynamic QR codes redirect through a server that logs the scanner's IP address, user agent, timestamp, and sometimes approximate location — all of which are personal data under GDPR Article 4. Any organisation using dynamic QR codes for tracking must comply with GDPR requirements including lawful basis, privacy notices, and data retention limits.
Is an IP address personal data under GDPR?
Yes. The Court of Justice of the EU confirmed in Breyer v. Bundesrepublik Deutschland (C-582/14, 2016) that dynamic IP addresses constitute personal data when the data controller can reasonably link them to an individual. Most QR analytics platforms store IP addresses alongside timestamps and device data, making the combination clearly personal data.
What lawful basis covers QR code scan analytics?
Most commercial scan analytics falls under either Article 6(1)(f) legitimate interests or Article 6(1)(a) consent. Legitimate interests applies when the analytics is proportionate and the data subject's rights are not overridden — for example, aggregate campaign performance measurement with short retention. Consent is required when you track individual scan journeys, build profiles, or share data with third parties. Using "contract" or "legal obligation" as the basis for marketing analytics is incorrect and has been cited in enforcement actions.
How long can QR scan data be kept?
GDPR Article 5(1)(e) requires data be kept no longer than necessary for the purpose. For campaign performance measurement, most DPAs consider 90–180 days reasonable. For fraud detection or security, up to 12 months may be justified with documentation. Indefinite retention of scan logs — which several major QR platforms do by default — requires explicit justification and is frequently cited in DPA audits.
Do QR codes need a privacy notice?
If the QR code directs users to a landing page that collects personal data, or if the redirect server itself logs personal data, yes — a privacy notice is required under GDPR Article 13. The notice must be provided at the time of scanning, which in practice means including a brief notice near the QR code itself (e.g., "Scan tracking enabled. See our privacy policy at example.com/privacy") or on the immediate landing page before any data is logged.
When does QR tracking require a Data Protection Impact Assessment (DPIA)?
A DPIA under GDPR Article 35 is required when processing is "likely to result in a high risk" to individuals. The Article 29 Working Party's guidelines identify systematic tracking of individuals' behaviour as a high-risk category. If your QR deployment tracks individual scan journeys across multiple touchpoints, profiles users based on scanning behaviour, or operates at scale (tens of thousands of scans per month), a DPIA is required before deployment.
Does using a US-based QR analytics platform create GDPR problems?
Yes, if EU residents scan the codes. Transferring personal data (including IP addresses and device data) to a US-based processor is a restricted transfer under GDPR Chapter V. Since the invalidation of Privacy Shield in 2020 (Schrems II), organisations must rely on Standard Contractual Clauses (SCCs) and conduct a Transfer Impact Assessment. Many organisations using US QR platforms are not doing this, creating material compliance risk.
What is the difference between static and dynamic QR codes for GDPR?
Static QR codes encode the destination URL directly in the QR pattern. When scanned, the user's device opens the URL with no intermediate server — no IP address is logged by the QR system, no analytics data is collected. Dynamic QR codes point to a redirect URL on the platform's server; every scan hits that server first, logging data before the redirect. From a GDPR perspective, static codes create no processing obligation on the QR creator's side, while dynamic codes trigger the full GDPR compliance framework.
Related articles
QR Code Accessibility: WCAG 2.2 & ADA Guide (2026)
QR code accessibility WCAG 2.2 & ADA: alt text, contrast ratios, alternative paths, and screen reader fixes. Practical guide for developers.
QR Code HIPAA Compliance for Healthcare: The Technical Guide
QR code HIPAA compliance for healthcare: PHI rules, BAA requirements, audit logs, encryption, and a vendor checklist. Get compliant today.
EU Digital Product Passport QR Code: Manufacturer Guide
EU Digital Product Passport requires a GS1 Digital Link QR code on every product sold in the EU. Deadlines, data requirements, and what to get right now.
Create your first QR code — free
Get started