Are digital business cards GDPR-compliant?
Short answer, then the details you can act on — updated for 2026.
Yes — a digital business card can be fully GDPR (DSGVO) compliant. The card format is neutral; compliance depends on the provider. Check four things: the data is hosted in the EU, a data processing agreement (AV-Vertrag) is available, only the data you enter is collected (data minimisation), and sharing relies on your own consent, not the recipient's address book.
Why the format alone doesn't decide compliance
The GDPR governs how personal data is processed — names, phone numbers, emails, job titles. A business card, paper or digital, contains exactly that. What matters for compliance is not whether the card is printed or lives in a wallet, but who processes the data, where it is stored, and on what legal basis.
With a digital card you enter your own details and choose to share them. That is the cleanest possible legal basis: you are the data subject and the controller of your own information. The questions below are about how a provider handles that data on your behalf.
The four-point checklist
- EU data hosting. Personal data should be stored on servers inside the EU, or transferred only under an adequate mechanism. Ask the provider where their database and file storage physically sit. Karteo hosts in Frankfurt, Germany.
- A data processing agreement (AV-Vertrag). If you use the card for business and the provider stores data for you, Article 28 GDPR requires an Auftragsverarbeitungsvertrag. A compliant provider offers one without friction.
- Data minimisation. The service should collect only the fields you fill in — not your contacts, your location history, or your device address book. Fewer data points, less risk.
- Transparency & deletion. There should be a clear privacy policy, a named controller (a real company with an Impressum), and a way to delete your data on request.
Paper vs. NFC app vs. wallet card
| Approach | Data footprint | GDPR consideration |
|---|---|---|
| Paper card | Physical only | Neutral to hand out; the GDPR applies once someone types your details into a system. |
| NFC / scanner app | Often reads the scanner's contacts or requires an app account | Higher scrutiny — apps that sync address books process third-party data. |
| Wallet card (Karteo) | Only the fields you enter | You share your own data by choice; the recipient just opens a link. No app, no address-book access. |
This guide is general information, not legal advice. For your specific obligations, consult your data protection officer or a qualified adviser.
How Karteo is set up
Karteo is a German company (Karteo GmbH, Berlin). Data is hosted in Frankfurt, inside the EU, built to German privacy standards. A data processing agreement (AV-Vertrag) is available on request, and a Karteo card collects only the details you type — nothing from the person who scans your QR code. Sharing happens by QR, link, or AirDrop, and the card lives in Apple Wallet or Google Wallet with no app to install.
Frequently asked questions
Are digital business cards GDPR-compliant?
They can be. Compliance depends on the provider processing data on a lawful basis, storing it in the EU, offering a data processing agreement, and minimising the data collected. The card format itself is neutral.
Do I need an AV-Vertrag for a digital business card?
If you use it for business and the provider stores personal data on your behalf, Article 28 GDPR requires one. Karteo provides an AV-Vertrag on request.
Is scanning a QR business card GDPR-relevant?
Scanning a QR that opens a public web card is just visiting a URL — no data is collected from the scanner unless they choose to save the contact. That is typically less intrusive than NFC apps that read an address book.
Is a paper business card covered by the GDPR?
The card itself sits outside automated processing, but the moment you type a received contact into a CRM or phone, the GDPR applies to that record. A digital card changes the format, not your duties for other people's data.