GDPR and QR Codes: What You Really Need to Know
QR codes are relevant under data protection law – but less complicated than often feared. This article explains when QR codes fall under GDPR, what you need to document, and how to stay on the right side of the law with a GDPR-compliant tool.
When Do QR Codes Fall Under GDPR?
Static QR Codes Without Tracking
A static QR code that simply links to a URL and collects no data has no GDPR relevance. Technically it's just an image containing a link.
Dynamic QR Codes with Scan Tracking
As soon as a QR code collects scan data – i.e. records when and from where it's scanned – personal data is being processed. This is GDPR-relevant.
What data is collected during a scan?
- IP address of the scanner (personal data!)
- Timestamp
- Device information (browser, operating system)
- Approximate location (derived from IP, usually only country/region)
Even though this data may look anonymous, IP addresses are classified as personal data under GDPR.
What You Need to Do: The Checklist
1. Update Your Privacy Policy
If you use QR codes with tracking, you must mention this in your privacy policy:
Minimum content:
- That QR codes with tracking are used
- What data is collected (IP, timestamp, device, country)
- For what purpose (usage analysis, campaign measurement)
- Who the service provider is (e.g. QR Code Manager, qrcode-manager.org)
- How long data is stored
- On what legal basis (usually Art. 6(1)(f) GDPR – legitimate interest)
2. Choose a Legal Basis
For simple usage tracking, legitimate interest under Art. 6(1)(f) GDPR is generally sufficient. You have a legitimate interest in knowing whether your printed materials are being used.
Consent (cookie banner) is generally not necessary for QR code tracking – unlike web tracking with cookies.
3. Update Your Records of Processing Activities
In the records of processing activities (mandatory for businesses with more than 20 employees or when processing sensitive data), add an entry for "QR Code Analytics."
4. Choose a GDPR-Compliant Provider
The QR code service processes scan data. Choose a provider that:
- Processes data on EU servers
- Operates in a GDPR-compliant manner
- Offers a Data Processing Agreement (DPA)
QR Code Manager meets all these requirements: European servers, GDPR-compliant data processing.
Common Misconceptions
"QR codes don't need a cookie banner"
Correct – QR code scans do not set cookies on the user's device. A cookie banner is therefore generally not required for tracking QR code scans.
"I have to delete all scans in real time"
False – you don't need to implement immediate deletion. An appropriate retention period (e.g. 12 months for usage statistics) is permissible under data protection law.
"Tracking is inherently illegal"
False – tracking based on legitimate interest is legal, as long as it's proportionate and doesn't disproportionately restrict privacy. Anonymous usage statistics meet this requirement.
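To show what "anonymous usage statistics" from the scan data listed above can look like in practice, here is an added example (not code from QR Code Manager or any other provider): the scan handler derives country and device type from the request and discards the raw IP address, and a purge routine applies the 12-month retention period from the previous section. The country lookup table is a constructed stand-in for a real GeoIP database.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed, hypothetical prefix-to-country table standing in for a GeoIP database.
COUNTRY_BY_PREFIX = {
    "203.0.113.0/24": "DE",
    "198.51.100.0/24": "FR",
}

RETENTION = timedelta(days=365)  # the article's example retention period of 12 months
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time


@dataclass(frozen=True)
class ScanRecord:
    """Only the minimised fields are kept; the raw IP address is never stored."""
    scanned_at: datetime
    device: str
    country: str


def country_for_ip(ip: str) -> str:
    """Reduce the IP address to a country code (the only location detail retained)."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in COUNTRY_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return "unknown"


def device_from_user_agent(user_agent: str) -> str:
    """Reduce the User-Agent string to a coarse device class."""
    ua = user_agent.lower()
    if "iphone" in ua or "ipad" in ua:
        return "iOS"
    if "android" in ua:
        return "Android"
    return "other"


def record_scan(ip: str, user_agent: str, now: datetime) -> ScanRecord:
    """Build the record at scan time; the IP is used for derivation only and then dropped."""
    return ScanRecord(scanned_at=now,
                      device=device_from_user_agent(user_agent),
                      country=country_for_ip(ip))


def purge_expired(records: list, now: datetime) -> list:
    """Drop records older than the retention period (run periodically, e.g. daily)."""
    return [r for r in records if now - r.scanned_at < RETENTION]
```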
Special Situations
QR Codes in Food Service
A restaurant QR code pointing to a menu while capturing scan data falls under standard GDPR requirements. A privacy policy on the website is sufficient.
QR Codes on Product Packaging
For products sold internationally: check whether other data protection laws apply alongside GDPR (e.g. UK GDPR post-Brexit).
QR Codes on Advertising Materials
Same requirements as above. Important: the link must lead to the privacy policy on the destination website.
Template Text for Your Privacy Policy
You can use this template as a starting point for your privacy policy (please have it reviewed legally):
QR Code Analysis
On our marketing materials and at our premises we use dynamic QR codes. When these codes are scanned, technical data is collected: IP address, timestamp, device type and country of origin. This data is processed by QR Code Manager (qrcode-manager.org) on European servers and is used exclusively for usage analysis.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Retention period: 12 months.
Frequently Asked Questions
Do I need to inform users before they scan? A general statement in the privacy policy is sufficient. A separate notice at the QR code itself is not mandatory, but recommended: "By scanning you agree to our privacy policy" creates transparency.
What if someone requests that their scan data be deleted? Since QR code scans don't create personal profiles (only IP + device, no identity), attribution to a person is difficult in practice. You can point to anonymized processing.
Is a standard QR code generator without GDPR compliance sufficient? For static codes without tracking: yes. For tracking codes: only if the provider operates in a GDPR-compliant manner and offers a DPA.
Do I need to sign a Data Processing Agreement? If the QR code provider processes personal data on your behalf (scan tracking): yes. QR Code Manager provides a DPA on request.
Further reading: QR Code Analytics – Track Scans · Dynamic QR Codes Guide
Note: This article does not constitute legal advice. For specific legal questions, consult a data protection officer or attorney.