GDPR fines have exceeded €6.2 billion since enforcement began in May 2018, with €1.2 billion issued in 2024 alone (DLA Piper GDPR Survey, January 2025). The good news for most businesses using QR codes: the compliance requirements are straightforward, don't require a cookie banner, and can be handled with a short addition to your existing privacy policy.
This guide covers what GDPR actually requires for QR code tracking — and what it doesn't.
Key Takeaways
- Static QR codes with no tracking have no GDPR relevance — they're just images with links
- Dynamic QR codes with scan tracking process personal data (IP address = personal data under GDPR) and require a privacy policy disclosure
- No cookie banner needed — QR scan tracking doesn't place cookies on visitor devices
- Legitimate interest (Art. 6(1)(f) GDPR) is sufficient legal basis for scan analytics — no consent form required
When Do QR Codes Fall Under GDPR?
The answer depends entirely on whether tracking is involved.
Static QR Codes Without Tracking
A static QR code that links to a URL and collects no data has no GDPR relevance. It's technically identical to printing a URL on a flyer: no personal data is processed, so no disclosure is required.
Dynamic QR Codes With Scan Tracking
As soon as a QR code logs scan data, personal data is being processed. Under GDPR, IP addresses qualify as personal data — and every scan generates one. The data logged by a typical dynamic QR code includes:
- IP address of the device scanning the code
- Timestamp of the scan
- Device type and operating system
- Country and region (derived from IP — usually not more precise than this)
This data is GDPR-relevant. The processing requires a legal basis and a privacy policy disclosure. It does not require a cookie banner, and it does not require consent in most cases.
What You Actually Need to Do
1. Update Your Privacy Policy
Add a short section covering QR code scan tracking. The minimum content required:
- That dynamic QR codes with tracking are used
- What data is collected (IP address, timestamp, device type, country)
- The purpose (usage analytics, campaign measurement)
- The service provider name and location (QR Code Manager, European servers)
- Data retention period
- Legal basis for processing
2. Establish the Legal Basis
For usage analytics, legitimate interest under Art. 6(1)(f) GDPR is the appropriate legal basis for most businesses. You have a legitimate interest in knowing whether your printed materials are being used and whether your campaigns are effective.
Consent (and therefore a consent banner) is generally not required for QR code scan tracking — unlike web analytics cookies. The distinction matters: a QR scan doesn't place anything on the visitor's device. The redirect server logs the scan server-side, which is a different legal situation from browser-based cookie tracking.
3. Use a GDPR-Compliant Provider
The QR code service processes scan data on your behalf. Choose a provider that:
- Processes data on EU servers
- Operates under GDPR and offers a Data Processing Agreement (DPA)
- Creates no personal profiles beyond the anonymized aggregate data
QR Code Manager meets all three: European server infrastructure, GDPR-compliant processing, and DPA available on request.
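As an added illustration (written for this article; not QR Code Manager's own code), this is what a redirect server's scan logging can look like when it stores only the categories listed in the section above and keeps aggregate counts rather than per-device records: the full IP is used once to derive a country and a network prefix and is then discarded, and a purge step enforces the 12-month retention period from the template policy. The "anonymized aggregate data" described above only holds if the raw IP is never persisted; the GeoIP table, sample networks and device-class rules here are constructed stand-ins.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)  # the template policy text states 12 months
# Assumed stand-in for a GeoIP database (constructed documentation networks, not real data).
COUNTRY_BY_NETWORK = {"203.0.113.0/24": "DE", "2001:db8::/32": "FR"}

def coarsen_ip(ip: str) -> str:
    """Keep only the network prefix (/24 IPv4, /48 IPv6) so no single device is identifiable."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def country_for(ip: str) -> str:
    """Derived from the full IP at request time; the full IP itself is never stored."""
    addr = ipaddress.ip_address(ip)
    return next((c for cidr, c in COUNTRY_BY_NETWORK.items() if addr in ipaddress.ip_network(cidr)), "unknown")

def device_family(user_agent: str) -> str:
    """Reduce the User-Agent to a coarse class; the raw UA string is not retained."""
    ua = user_agent.lower()
    if "android" in ua:
        return "Android"
    return "iOS" if ("iphone" in ua or "ipad" in ua) else "Other"

def minimise_scan(code_id: str, client_ip: str, user_agent: str, scanned_at: datetime) -> dict:
    """The only record the redirect server persists: the fields the policy lists, coarsened."""
    return {
        "code": code_id,
        "network": coarsen_ip(client_ip),
        "country": country_for(client_ip),
        "device": device_family(user_agent),
        "day": scanned_at.astimezone(timezone.utc).date().isoformat(),  # day, not exact time
    }

def purge_expired(records: list, now: datetime) -> list:
    """Enforce the retention period: drop anything older than RETENTION."""
    cutoff = (now - RETENTION).date().isoformat()
    return [r for r in records if r["day"] >= cutoff]

def aggregate(records: list) -> dict:
    """Campaign report built from counts only; individual scan rows are not exposed."""
    return {
        "by_code": dict(Counter(r["code"] for r in records)),
        "by_country": dict(Counter(r["country"] for r in records)),
        "by_device": dict(Counter(r["device"] for r in records)),
    }
```

Run `purge_expired` on a schedule and build reports only through `aggregate`; a deletion request can then be answered by pointing to the fact that no stored field identifies a device.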
4. Update Your Records of Processing Activities
For businesses subject to Art. 30 GDPR (organizations with more than 20 employees, or those processing sensitive data), add an entry for "QR Code Analytics" to your records of processing activities. Name the purpose, data categories, legal basis, and retention period.
Template Privacy Policy Text
You can use this template as a starting point. Have it reviewed by a data protection officer or attorney before publishing — legal requirements vary by jurisdiction and business type.
QR Code Analytics
We use dynamic QR codes on our marketing materials and premises. When these codes are scanned, the following technical data is collected automatically: IP address, timestamp, device type, and country of origin. This data is processed by QR Code Manager (qrcode-manager.org) on European servers and used exclusively for usage analysis and campaign performance measurement.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding whether our marketing materials are effective). Retention period: 12 months.
Common Misconceptions
"I need a cookie banner for QR code tracking." No. QR scan tracking works server-side when the redirect is processed — no cookies are placed on the visitor's device. The GDPR cookie rules apply to browser-side storage, not server-side redirect logging.
"I have to delete scan data immediately on request." Not necessarily. Since QR Code Manager captures anonymized aggregate data (no names, no profiles, no way to reliably link a scan to an individual), attribution to a specific person is not technically feasible. You can point to anonymized processing in response to deletion requests.
"Tracking is inherently illegal without consent." No. Tracking based on legitimate interest is lawful under GDPR when it's proportionate and doesn't disproportionately restrict privacy. Anonymized scan analytics for campaign measurement meet this standard in most cases.
"I need a DPA even for basic QR code use." Only if the provider is processing personal data on your behalf — which they are when scan tracking is active. For static QR codes with no tracking, no DPA is needed.
Special Situations
QR Codes in Food Service
A restaurant QR code linked to a menu with scan tracking falls under standard GDPR requirements. A privacy policy on the restaurant's website covering QR code analytics is sufficient. No special measures needed.
QR Codes on Product Packaging
For products sold internationally, check whether other data protection laws apply alongside GDPR: UK GDPR post-Brexit, Swiss DSG, and California CPRA all have overlapping but distinct requirements. EU GDPR is the baseline for European markets.
QR Codes in B2B Marketing
In B2B contexts, scans may originate from company networks rather than individual devices — the IP belongs to the organization. This doesn't change the GDPR analysis, but it does mean scan data is less individually attributable in practice.
Frequently Asked Questions
Do I need to inform people before they scan? A general statement in your privacy policy is sufficient. A brief notice at the QR code itself — "Scanning logs anonymous usage data. Privacy policy: [link]" — adds transparency and is good practice for high-visibility placements, but it's not legally required under current GDPR guidance.
What if someone requests deletion of their scan data? Since QR Code Manager stores anonymized aggregate data without personal profiles, linking a scan to a specific individual is technically not feasible in most cases. You can explain anonymized processing in response to deletion requests. For precise guidance on your specific setup, consult a data protection officer.
Is a Data Processing Agreement required? Yes, when the QR code provider processes personal data on your behalf and scan tracking is active. QR Code Manager provides a DPA on request.
What if I only use QR codes without tracking — static codes only? No GDPR action required. Static QR codes that simply encode a URL and collect no data have no data protection relevance. They function identically to printing a URL on printed material.
Does GDPR apply if my business is outside the EU? GDPR applies when you process personal data of individuals located in the EU, regardless of where your business is based. If your QR codes are used in EU markets, GDPR applies.
Note: This article does not constitute legal advice. For specific legal questions, consult a data protection officer or attorney.