This is general guidance, not legal advice — when in doubt, talk to a data-protection professional.
Does the GDPR apply to QR codes?
A QR code is just an encoded link or piece of text. On its own, it collects nothing. The GDPR enters the picture in two ways:
Tracking the scan. A dynamic QR code routes each scan through a redirect server before sending the visitor on. That server can log information about the device that scanned it — and some of that information is personal data under EU law.
What you ask for after the scan. If the code leads to a sign-up form, a lead-capture page, or anything that collects names, emails, or phone numbers, you're processing personal data the moment someone fills it in.
So the question isn't really "are QR codes GDPR-compliant?" It's "is my scan-tracking and my landing page compliant?"
What data does a QR code scan actually collect?
When a dynamic code is scanned, a tracking platform can typically see:
IP address — used to estimate location. A full IP address is considered personal data under the GDPR, because it can be tied back to an individual.
Approximate location — usually city/country level, derived from the IP.
Device and browser — operating system, device type, browser (from the user-agent string).
Timestamp — the date and local time of the scan.
What a standard scan cannot see: your name, phone number, email, contacts, or precise GPS location. Those are only collected if the visitor voluntarily enters them on a page, or explicitly grants location permission in their browser.
The key line for compliance: a full IP address is personal data; aggregated, anonymised statistics are not. Knowing that "200 people in Lisbon scanned this on Tuesday, mostly on iPhones" tells you nothing about any individual — and that's exactly the kind of data you're allowed to work with freely.
The four things that make QR tracking compliant
European data-protection authorities and the GDPR's own principles point to the same handful of practices:
1. Data minimisation. Collect only what you need. If you're counting scans on a poster, you don't need to retain raw IP addresses — anonymised, aggregate counts are enough for almost every marketing decision. Platforms that anonymise or hash the IP before storing it (so it can't be tied to a person) keep you on the right side of this by default.
2. No non-essential cookies without consent. This is where most businesses trip up. If your dynamic code passes the scan to Google Analytics, a Meta pixel, or any third-party tracker, those set cookies on the visitor's device — and under the GDPR and the ePrivacy rules, non-essential cookies require explicit, opt-in consent (a real banner, not a pre-ticked box). If your tracking is server-side and anonymised, you may not need a banner for the scan itself.
3. Transparency. If the page after the scan collects any personal data, you need a clear, linked privacy policy explaining what you gather, why, and for how long. The disclosure should be obvious — ideally near the code or on the landing page.
4. The right to be forgotten. People can ask you to delete their data. You (and your QR platform, acting as a data processor) need to be able to honour that. A paid QR platform should also provide a Data Processing Agreement (DPA) — your proof that your provider handles data compliantly.
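To make points 1 and 2 concrete, here is an added example of what "anonymise or hash the IP before storing it" and "server-side, cookie-free tracking" can look like on the redirect server. It is illustrative code written for this article, not the code of EUQR or any platform named here. The geo lookup table, the user-agent parsing, the sample scan events and the secret are all constructed stand-ins; a real deployment would use a geo-IP database and a secret held in a secrets manager.

```python
"""Privacy-preserving scan logging for a dynamic QR redirect (added example)."""
import hashlib
import hmac
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Placeholder only: in production this comes from a secrets manager, is
# rotated itself, and is never stored next to the analytics data.
MASTER_SECRET = b"constructed-demo-secret-not-for-production"

# Stand-in for a geo-IP lookup, keyed on the first three octets. A real
# deployment queries a geo database; the result is coarse (country/city).
GEO_TABLE = {
    "203.0.113": ("PT", "Lisbon"),
    "198.51.100": ("PT", "Porto"),
}

# Constructed user agents and scan events, as the redirect server would see
# them in the HTTP request. The raw IP and user agent are used only in memory.
UA_IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15"
UA_ANDROID = "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 Chrome/124.0"
RAW_SCANS = [
    {"ip": "203.0.113.7",   "ua": UA_IPHONE,  "ts": "2024-06-04T10:00:00+00:00"},
    {"ip": "203.0.113.7",   "ua": UA_IPHONE,  "ts": "2024-06-04T10:05:00+00:00"},  # same visitor rescans
    {"ip": "198.51.100.22", "ua": UA_ANDROID, "ts": "2024-06-04T11:30:00+00:00"},
    {"ip": "203.0.113.7",   "ua": UA_IPHONE,  "ts": "2024-06-05T09:00:00+00:00"},  # next day: new token
]


def daily_key(master_secret: bytes, day: str) -> bytes:
    """Derive a per-day key so tokens from different days cannot be linked."""
    return hmac.new(master_secret, day.encode(), hashlib.sha256).digest()


def visitor_token(master_secret: bytes, ip: str, ua: str, ts: datetime) -> str:
    """Keyed hash of IP + user agent under the day's key.

    A plain SHA-256 of an IPv4 address is not anonymisation: the ~4 billion
    possible addresses can be hashed exhaustively and matched. HMAC with a
    secret key removes that, and rotating the key daily means a token is only
    ever useful for counting unique visitors within one day.
    """
    key = daily_key(master_secret, ts.strftime("%Y-%m-%d"))
    return hmac.new(key, f"{ip}|{ua}".encode(), hashlib.sha256).hexdigest()


def token_for(ip: str, ua: str, ts_iso: str, master_secret: bytes = MASTER_SECRET) -> str:
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    ts = datetime.fromisoformat(ts_iso).astimezone(timezone.utc)
    return visitor_token(master_secret, ip, ua, ts)


def device_family(ua: str) -> str:
    """Very small user-agent classifier; a stand-in for a real UA parser."""
    for marker, family in (("iPhone", "iOS"), ("iPad", "iOS"), ("Android", "Android"),
                           ("Windows", "Windows"), ("Macintosh", "macOS")):
        if marker in ua:
            return family
    return "Other"


def coarse_location(ip: str) -> str:
    """Country/city derived from the IP; the IP itself is discarded afterwards."""
    country, city = GEO_TABLE.get(ip.rsplit(".", 1)[0], ("??", "unknown"))
    return f"{country}/{city}"


def new_store():
    """Per-day aggregates. Holds counts and day-scoped tokens, never raw IPs."""
    return defaultdict(lambda: {"scans": 0, "tokens": set(),
                                "by_location": Counter(), "by_device": Counter()})


def record_scan(store, scan: dict, master_secret: bytes = MASTER_SECRET) -> None:
    """Fold one scan into the aggregates, then let the raw request data go."""
    ts = datetime.fromisoformat(scan["ts"]).astimezone(timezone.utc)
    bucket = store[ts.strftime("%Y-%m-%d")]
    bucket["scans"] += 1
    bucket["tokens"].add(visitor_token(master_secret, scan["ip"], scan["ua"], ts))
    bucket["by_location"][coarse_location(scan["ip"])] += 1
    bucket["by_device"][device_family(scan["ua"])] += 1


def report(store) -> dict:
    """The figures a dashboard would show: totals, uniques, location, device."""
    return {day: {"scans": b["scans"], "unique_visitors": len(b["tokens"]),
                  "by_location": dict(b["by_location"]), "by_device": dict(b["by_device"])}
            for day, b in sorted(store.items())}


def store_holds_no_ip(store, scans) -> bool:
    """Minimisation check: no raw IP from the input appears anywhere in storage."""
    blob = repr(dict(store))
    return not any(s["ip"] in blob for s in scans)


def run_demo():
    store = new_store()
    for scan in RAW_SCANS:
        record_scan(store, scan)
    return report(store), store_holds_no_ip(store, RAW_SCANS)


if __name__ == "__main__":
    figures, clean = run_demo()
    print(json.dumps(figures, indent=2))
    print("no raw IP in storage:", clean)
```

The design choice that matters is the keyed, rotating hash rather than a bare hash: a bare hash of an IP is a pseudonym that can be reversed by enumerating the address space, so the stored value would still be personal data. With the key kept out of the data store and rotated daily, what remains is the aggregate picture the article describes ("N scans in Lisbon on Tuesday, mostly on iPhones") and nothing that a deletion request could be matched against. The whole path is server-side and sets no cookie, which is the situation point 2 describes as not needing a consent banner for the scan itself.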
The part nobody mentions: where your data lives
Here's a question worth asking your current QR tool: on which continent is my scan data stored? Many of the best-known platforms — Bitly, QR Tiger, Uniqode, Flowcode — run on US infrastructure. That doesn't make them illegal, but it does add international-data-transfer questions you have to document, and for some privacy-conscious organisations it's a non-starter.
Keeping the data in the EU removes that entire category of questions before it's asked. Combined with the tracking practices above, EU hosting + anonymised, cookie-free analytics is about as clean a compliance posture as QR tracking gets.
A simple compliance checklist
Before you print a single code:
✅ Use a platform that anonymises/hashes IPs and doesn't store raw ones.
✅ Avoid third-party trackers in the redirect path — or show a proper consent banner if you use them.
✅ If the landing page collects personal data, link a clear privacy policy and collect only what you need.
✅ Make sure you can delete a person's data on request.
✅ Get a DPA from your provider (you should be able to download one automatically on a paid plan).
✅ Bonus: choose EU-hosted infrastructure to sidestep data-transfer questions.
The easy way
You can audit your current tool against that checklist — or use one that's built to pass it by default. EUQR hosts your data in Amsterdam, never stores raw IP addresses, sets no third-party tracking cookies, computes analytics from privacy-preserving daily-rotated hashes, and provides a DPA on every paid account. You get the insight — scans, rough location, device — without ever holding data that can identify a person.