Under the Law on Personal Data Protection (“LPDP”), data controllers are required to clearly, simply, and transparently inform data subjects about the processing of their personal data. As technology advances, QR codes are becoming a popular way to provide information to users quickly and conveniently. However, the question arises whether providing information on personal data processing through a QR code complies with the legal standards of clarity and accessibility.

Legal Framework

According to LPDP, information on personal data processing must be provided in a concise, transparent, understandable, and easily accessible manner, using clear and simple language. Such information may be provided in written or other form, including electronic form, where appropriate.

In this light, the key issue is whether the QR code is truly easily accessible in a given situation—considering location, internet access, and availability of devices. In the absence of publicly available opinions of the Commissioner, the answer remains fact-dependent and varies depending on the specific case.

Analysis of Comparative Practice

LPDP follows the standards set by the General Data Protection Regulation (“GDPR”). Accordingly, the positions of data protection authorities in the European Union and the United Kingdom of Great Britain and Northern Ireland (which was a member of the EU at the time of the GDPR’s adoption) have significant interpretative value for understanding the standards of transparency and accessibility.

French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – “CNIL”) recently published an opinion in which it considered the use of QR codes to inform users, particularly in the case of internet-connected devices without screens (e.g., smart toys, household appliances). CNIL concluded that a QR code may be accepted as an additional channel for informing data subjects, but that the basic information on data processing must be immediately visible next to the product or at the point of use.

A similar position was taken by the UK’s Information Commissioner’s Office (“ICO”): a QR code may be part of a “layered notice” model, but it cannot be the only means of providing information. The ICO emphasizes that the solution must not exclude users who cannot or do not know how to scan a code (e.g., those without smartphones or with limited internet access), and recommends providing alternatives such as a short summary on the device/product, a printed extract, or a readable URL.

The common conclusion of comparative practice is that a QR code can be a useful supplement for providing information on data processing, while the standard of “easy access” requires that the basic information be immediately available without scanning.

Practical Solutions: Between Transparency and Easy Accessibility

Considering the core principles of the LPDP, as well as examples from comparative practice, practical solutions require striking a balance between fully relying on QR codes and completely abandoning digital formats:

• Layered Notice Principle: Basic information (identity of the controller, purposes of processing, key rights, and contact details) should be clearly visible on the product, device, or at the point of sale, while the QR code can be used for more detailed information on processing.
• Availability and Accessibility: A QR code must not be the sole channel for providing information on processing. Where there is a real risk that a data subject may not be able to scan the code (no phone, no internet, etc.), an alternative should be provided (short printed notice, label/sticker with a summary, readable link in text form).
• Context of Use: The more dynamic the situation and the shorter the interaction in which the information is provided (e.g., checkout in retail), the greater the portion of basic information that should be immediately visible without scanning.
• Record-Keeping and Demonstrability: Documenting the choice of the notification model (assessment of suitability and accessibility) helps in demonstrating compliance.

A QR code can serve as an effective and lawful tool for transparency—particularly as part of a layered, user-oriented model of providing information. However, due to the requirement of easy accessibility, there must always be an adequate alternative for individuals who cannot scan the code. This is the most reliable way to meet the standards of the LPDP and the expectations of good practice.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.