Are QR Codes GDPR-Compliant? The Practical Answer for Businesses
4 July 2026 · 7 min read
You've probably had the thought mid-poster-design: hang on, is this QR code even legal? Someone scans it, their phone talks to a server, and now you're wondering whether you've just triggered a GDPR headache without meaning to.
Here's the honest answer: the QR code itself isn't the problem. It's just a pattern of black and white squares — it doesn't collect anything, transmit anything, or spy on anyone. What matters is what happens the instant someone scans it: their device makes a request to whatever the code points to, and that request carries data. That's where GDPR gets involved.
Good news — this is genuinely one of the more straightforward corners of data protection law to get right, once you know what you're looking for.
A QR code is neutral. The link behind it isn't.
Think of a QR code as a signpost, not a camera. It encodes a URL. When a phone scans it, the phone's browser follows that URL — and whatever sits at the other end can log the visit, same as any website would log a normal page view.
That logging is where personal data enters the picture. Under GDPR and the UK Data Protection Act 2018, an IP address counts as personal data, full stop — it doesn't matter that there's no name attached. So does a timestamp tied to that IP. So does device and location information gathered from the request. None of this requires anyone to type in an email address or fill out a form. It happens automatically, the moment someone scans.
What a scan actually reveals
When someone scans your code, a typical backend logs some combination of:
- IP address — personal data under GDPR/UK DPA 2018, regardless of whether a name is attached
- Device and browser information — OS, browser type, sometimes a device fingerprint
- Timestamp — down to the second
- Approximate location — inferred from the IP
- Referrer data — where the scan originated, in some setups
Wanting to know how many people scanned your poster, and roughly when, is completely reasonable business curiosity — that's not the issue. The issue is who's storing that information, how long they're keeping it, and whether they're doing it lawfully.
You're the controller, even though someone else hosts it
This is the bit that catches people out. You use a free QR generator, so surely the data is their problem, not yours?
It isn't. Under GDPR and UK law, your business is the data controller — you decided to run the campaign, you chose the tool, and you're the one accountable for how scan data gets handled. The vendor hosting the redirect is a processor, acting on your behalf. They should have a Data Processing Agreement (DPA) with you, setting out what they do with the data and for how long. But if things go wrong — unlawful logging, an unsafe international transfer, a breach — regulators come to you first, not to some generator you signed up for in thirty seconds.
That's why "which QR tool did I pick?" is actually a compliance question, not just a design one.
The real risk sits with typical free generators
Not all QR services are equal, and this is where most small businesses get exposed without realising it.
Many free, often US-hosted, QR generators log raw IP addresses against every single scan, sometimes keeping that data indefinitely. Some of these tools fund themselves partly through the data — selling "anonymised" scan insights that are less anonymous than they sound once you combine IP, timestamp and device. And because the servers sit outside the EU/UK, every scan potentially triggers an international data transfer, which comes with its own legal requirements (safeguards like adequacy decisions or Standard Contractual Clauses) that most free tools simply don't bother putting in place.
None of this is secret or sinister — it's just rarely advertised, and rarely something a busy business owner thinks to ask about before pasting a QR code onto five hundred flyers.
Your GDPR checklist for QR codes
You don't need a legal team for this. Five things, and you're in solid shape:
1. Pick a provider with EU hosting. Data staying inside the EU/EEA sidesteps the whole international-transfer question and keeps you squarely within European data protection rules.
2. Confirm they don't log raw IP addresses. Ask directly: "do you store individual IP addresses per scan?" A properly built service gives you aggregate analytics — total scans, timing, trends — without keeping a database of who scanned what and when.
3. Get a signed Data Processing Agreement. Non-negotiable. It should spell out what's processed, how long it's kept, and how deletion or access requests are handled. If a provider won't offer one, treat that as a red flag, not a technicality.
4. Add a line to your privacy policy. Nothing dramatic — something like "scanning our QR code records your IP address and timestamp for basic analytics" covers you. Transparency, not an essay.
5. Don't collect more than you need. If all you want is a scan count, don't switch on device fingerprinting or precise geolocation just because the toggle exists. Data minimisation is a core GDPR principle, and it's also just good practice.
Work through that list once per campaign and you're not guessing anymore — you know.
Dynamic codes make ongoing compliance easier
There's a practical wrinkle worth knowing about: static QR codes are baked in forever. Print one on a menu or a banner, and it points to that exact URL for the life of the material. If your data practices change, or you spot a provider problem six months in, you can't retroactively fix thousands of printed codes.
Dynamic QR codes solve this by pointing to a redirect you control, which means you can change the destination — or switch providers entirely — without reprinting anything. That flexibility matters for compliance, not just convenience: if you ever need to update where scan data goes or how it's handled, you can, without a reprint run. It's the same logic behind why plenty of businesses use dynamic codes for things like a QR code menu for restaurants — the code stays put, only the destination changes.
This is also, worth saying plainly, exactly how qrius.io is built: data hosted in Stockholm, Sweden, so it never leaves the EU; no raw IP logging, ever; a DPA included as standard rather than an upsell; and dynamic codes as the default, not an extra feature. You get simple scan analytics — counts, timing — without turning your QR code into a tracking device. You can start free and see it for yourself in a few minutes.
FAQ
Do I need consent just to log a QR scan? Usually not. If you're collecting aggregate, non-invasive analytics — scan counts, rough timing — you can typically rely on legitimate interest as your lawful basis. You still need to be transparent about it in your privacy policy, but a consent pop-up before someone can even see your landing page isn't generally required. If you start layering in per-person tracking or profiling, that changes the picture and you should get proper advice.
Can someone actually be identified from an IP address picked up by a QR scan? Potentially, yes — a residential IP can sometimes be linked to an approximate location, and in combination with other data, to an individual. That's precisely why GDPR treats IP addresses as personal data regardless of whether a name is attached. The fix isn't to panic; it's to use a provider that doesn't log raw IPs in the first place and to keep whatever you do collect to a minimum.
What if I'm already using a US-based QR generator — do I need to switch immediately? If they can't show you a DPA and a lawful basis for any transfer outside the EU, it's worth moving sooner rather than later. Switching is usually painless if you're using dynamic codes — you update the destination behind the code, rather than reprinting anything.
Is a Data Processing Agreement always required? Yes, if a third party is processing personal data on your behalf, which includes basic scan logging tied to your QR codes. It's a standard legal document, not a negotiation, and any provider serious about GDPR should offer one without you having to chase them for it.
Do QR codes need a cookie-style consent banner? No — scanning a code isn't the same as dropping tracking cookies on a browser. The compliance obligations here are about server-side logging and data handling, not cookie consent. That said, if your landing page itself uses cookies or trackers, that's a separate matter you'll need to handle through your normal cookie policy.
The short version: QR codes aren't risky by nature, and GDPR doesn't ask you to avoid them — it asks you to be deliberate about where the data goes. Choose a provider that's honest about hosting, doesn't hoover up raw IPs, and hands you a DPA without a fight, and the compliance question basically answers itself. Add one line to your privacy policy, and you're done.