When the EU’s General Data Protection Regulation came into force on May 25, 2018, the privacy industry had a problem. For years, VPN companies had built their entire brand on a single claim: we don’t keep logs. GDPR didn’t just require them to say that – it required them to prove it, structure their business around it, and face real consequences if they lied.

Eight years later, the enforcement landscape has matured significantly. The cumulative total of GDPR fines has passed €5.88 billion. Supervisory authorities across 27 member states have investigated everything from cookie banners to cross-border data transfers. And VPN providers – companies whose entire value proposition is protecting user data – have found themselves under the same microscope as every other data controller in the EU.

Here’s what GDPR actually requires, why it matters specifically to VPN providers, and what users should look for when they’re choosing a service.


What Is GDPR, in Plain Terms?

GDPR – Regulation (EU) 2016/679 – is the EU’s framework for how personal data must be collected, processed, stored, and protected. It applies to any organization that processes the personal data of people located in the EU, regardless of where the organization is based. A VPN company headquartered in Panama that has users in Germany is subject to GDPR just as much as a German company would be.

The regulation is built around seven core principles (codified in Article 5):

  1. Lawfulness, fairness, and transparency – you must have a valid legal reason to collect data, and you must tell users what you’re doing with it
  2. Purpose limitation – data collected for one reason can’t be repurposed for something else
  3. Data minimisation – collect only what you actually need
  4. Accuracy – keep data up to date
  5. Storage limitation – don’t keep it longer than necessary
  6. Integrity and confidentiality – protect it with appropriate security measures
  7. Accountability – be able to demonstrate compliance, not just claim it

The fines for getting this wrong are substantial: up to €20 million or 4% of global annual turnover for the most serious violations – whichever is higher.


The 9 Key Areas of GDPR Every VPN User Should Know

1. Fair, Lawful, and Transparent Processing

VPN providers must tell users exactly what data they collect, why they collect it, and what legal basis they’re using to collect it. The legitimate legal bases under Article 6 include consent, contract performance, legal obligation, and legitimate interests.

For most VPN providers, the primary basis is contract performance – they need some minimal data to provide the service (an email address to create an account, payment information, etc.). The key question is whether they go beyond that minimum.

What to look for: A privacy policy that clearly lists every category of data collected, the specific legal basis for each, and how long it’s retained. Vague language like “we may collect certain usage data” is a warning sign.

2. Data Subject Rights

Under Articles 15–22, GDPR gives EU residents powerful rights over their personal data:

  • Right of access (Art. 15): You can request a copy of all data a provider holds about you
  • Right to erasure (Art. 17): You can demand your data be deleted – the “right to be forgotten”
  • Right to portability (Art. 20): You can request your data in a machine-readable format
  • Right to object (Art. 21): You can object to certain types of processing

For a VPN provider that genuinely keeps no logs, responding to a subject access request should be straightforward: “We hold your email address, payment method, and account creation date. That’s it.” If a provider can’t clearly articulate what they hold, that itself is a red flag.

3. Limitations of Purpose, Data, and Storage

This is where the “no-logs” claim meets legal accountability. Under data minimisation principles, a VPN provider has no lawful basis to collect browsing history, connection timestamps, assigned IP addresses, or DNS queries unless they can demonstrate a specific, documented legitimate purpose for each.

GDPR’s storage limitation principle also requires providers to define and enforce retention periods. You cannot keep data “just in case.” If a provider collects connection metadata – even aggregated – they must specify exactly how long they keep it and why.

The practical implication: A genuinely compliant no-logs VPN should be able to show you their data retention schedule. If they don’t publish one, ask for it.

4. Consent

Under Article 7, GDPR consent must be:

  • Freely given – no bundling consent with terms of service
  • Specific – separate consent for each distinct purpose
  • Informed – users must actually understand what they’re consenting to
  • Unambiguous – no pre-ticked boxes or passive acceptance

This matters most for VPN providers who use third-party analytics, send marketing emails, or run affiliate programs that involve passing user data to partners. If you’ve agreed to a VPN’s terms of service but never saw a separate, clear consent request for marketing emails, they may be non-compliant.

5. Personal Data Breaches

Article 33 requires data controllers to notify their supervisory authority within 72 hours of becoming aware of a breach if it poses a risk to individuals’ rights and freedoms. Article 34 requires direct notification to affected users if the risk is high.

For a VPN provider, a breach of their account database – exposing emails, payment data, or account histories – would trigger these obligations. A breach of connection logs would be catastrophic. This creates a structural incentive for genuine no-log architecture: if you don’t collect it, you can’t breach it.

6. Data Protection Impact Assessments (DPIAs)

Article 35 requires organizations to conduct a DPIA before undertaking any processing that’s likely to result in high risk – including large-scale monitoring of users’ activities on the internet.

Any VPN provider processing data for large numbers of users should have conducted a DPIA. If you ask a provider whether they’ve done one, the answer should be yes, and they should be able to describe its scope.

7. International Data Transfers

This is one of the most complex areas of GDPR for global VPN providers. Transferring personal data outside the EU/EEA requires an appropriate safeguard – typically Standard Contractual Clauses (SCCs) or an adequacy decision for the destination country.

If a VPN provider is headquartered in, say, the British Virgin Islands, and their servers process EU user connection requests, they need to have transfer mechanisms in place. Many providers don’t clearly document this, which is itself a compliance gap.

8. Data Protection Officer (DPO)

Article 37 requires organizations to appoint a DPO if they engage in large-scale, systematic monitoring of individuals – which a VPN provider technically does, even if they don’t log the content of that monitoring.

The DPO must have genuine expertise in data protection law and practice, must be independent, and must have direct access to senior management. Appointing the CTO as “also the DPO” doesn’t meet the independence requirement.

9. Awareness and Training

Article 39 requires that staff handling personal data are trained and that awareness of GDPR obligations is maintained across the organization. This is often overlooked by smaller VPN providers.


Before GDPR, “no-logs” was marketing copy. Providers could make the claim without any obligation to prove it, document it, or face consequences if it turned out to be false.

GDPR changed the incentive structure in three important ways:

1. Accountability creates paper trails. A provider claiming no-logs under GDPR must also demonstrate compliance. That means documenting their data architecture, having contracts with sub-processors, and being able to show a supervisory authority exactly why they process each piece of data they do (and no more). This accountability documentation is harder to fake than a marketing claim.

2. Data minimisation gives “no-logs” legal weight. If a provider has no lawful basis to collect logs, collecting them would itself be a GDPR violation – separate from any disclosure. This means a properly GDPR-compliant VPN has a legal obligation to not keep logs, not just a brand promise.

3. Audits became the new currency of trust. Because GDPR requires accountability, the industry shifted toward independent third-party audits as the standard way to demonstrate compliance. Providers like ProtonVPN, Mullvad, and ExpressVPN now publish annual audit results. In 2025, ProtonVPN received 59 legally binding data requests across all jurisdictions – and fulfilled zero of them, because there was no data to provide.


How GDPR Has Affected VPN Providers in Practice

The Geo-Blocking Side Effect

One underreported consequence of GDPR: many non-EU websites began geo-blocking EU visitors entirely rather than investing in compliance. This was most visible in 2018, when hundreds of US news sites went dark for EU users after the regulation came into force. The compliance cost was genuinely high for small publishers, and blocking EU IP addresses was the path of least resistance.

This created an ironic situation: the regulation designed to protect EU citizens ended up restricting their access to content. VPN providers benefited indirectly – European users began using VPNs to access blocked US content by appearing to come from a US IP address.

The Provider Accountability Shift

The most significant change has been the shift from claim-based to evidence-based trust. The standard for evaluating a VPN’s privacy claims now includes:

Criterion                  Pre-GDPR Standard      Post-GDPR Standard
No-logs claim              Self-reported          Audited, documented, legally accountable
Privacy policy             Marketing document     Legal document with a specific legal basis for each processing activity
Data breach response       No formal obligation   72-hour notification to the supervisory authority; user notification if the risk is high
Staff access to user data  Unspecified            Documented access controls, DPO oversight
Third-party sharing        Vague or undisclosed   Specific list of sub-processors, each under a data processing agreement

What Good Looks Like in 2026

The leading privacy-focused VPN providers have converged on a set of practices that go beyond GDPR’s minimum requirements:

  • Jurisdiction: Headquartered outside the 14 Eyes intelligence-sharing alliance, in countries with strong privacy law and no mandatory data retention requirements (Switzerland, Iceland, Panama, British Virgin Islands)
  • Architecture: RAM-only servers that write nothing to disk, so no data persists across a reboot (used by ExpressVPN’s TrustedServer, Mullvad’s servers)
  • Annual audits: Third-party security and no-logs audits by firms like Cure53, KPMG, or Deloitte – with results published publicly
  • Transparency reports: Regular disclosure of legal requests received and how they were handled
  • Warrant canaries: Regular attestations that no secret court orders have been received
  • Anonymous payments: Support for cash, Monero, or other anonymous payment methods to reduce the PII they hold at the account level

What This Means for You as a User

If you use a VPN and care about privacy, GDPR gives you rights you may not be exercising. You can:

  1. Submit a Subject Access Request – email the provider’s privacy team (or DPO if appointed) requesting all data held about you. They have one month to respond.
  2. Demand deletion – once you close your account, you can formally request erasure of all your data under Article 17.
  3. File a complaint – if a provider is operating in the EU or has EU users, you can file a complaint with the relevant supervisory authority. The DPC in Ireland handles Meta, WhatsApp, and many tech companies. The ICO handles UK-based providers.

GDPR didn’t make VPNs perfect. But it raised the floor significantly. The providers who are genuinely compliant have built architectures that align their legal obligations with their privacy promises – which means their interests and yours are, for once, pointing in the same direction.


Final Word

GDPR was never specifically designed with VPNs in mind. But the regulation’s core logic – minimise data collection, enforce accountability, give individuals real rights – aligns almost perfectly with what a privacy-first VPN should be doing anyway.

The providers who embraced GDPR as a framework, rather than treating it as a compliance burden to minimise, have emerged as the most trustworthy options in the market. And users who understand the regulation’s requirements are better equipped to ask the right questions before they hand over their network traffic to a provider promising to keep it safe.

Because “trust us” was never enough. GDPR just made sure of it.
