Most digital business card platforms are American companies. Their servers are in the US. Their legal entity is in Delaware or California. Their privacy policy is written for US law. For European professionals, that is not a neutral fact – it is a compliance question you need to answer before you start collecting contact details from your network.
This article explains what GDPR actually requires in the context of digital business cards, what to check before choosing a platform, and how ContactLinker approaches data protection for European professionals.
Why GDPR matters for digital business cards
A digital business card is not just a way to share your contact details. If your card includes a contact exchange form – a mechanism for visitors to leave their own name, email, and phone number – then you are collecting personal data. Under GDPR, that triggers specific obligations.
The key rules that apply:
- Lawful basis for processing. You need a documented reason to collect and store a visitor’s personal data. In the context of a contact exchange form, explicit consent – the visitor filling in and submitting the form – is the clearest basis.
- Data storage location. Personal data belonging to EU residents must be stored either in the EU or in a country with an adequate protection decision from the European Commission. Transfers to the US require additional safeguards (Standard Contractual Clauses, a Data Processing Agreement with the platform, etc.).
- Data subject rights. Any contact you collect has the right to request access to their data, to have it corrected, and to request deletion. Your platform must make it possible for you to honour those requests.
- Data Processing Agreement (DPA). If you use a third-party platform to collect and store contact data, that platform is a data processor. GDPR requires a DPA to be in place between you and the processor.
For platforms built and hosted entirely within the US, none of these mechanisms are guaranteed. Some offer them. Many do not. It is your responsibility as the data controller to verify before you start collecting.
What to check before choosing a digital business card platform
The checklist below covers the five criteria that matter for GDPR compliance. Apply it to any platform before you start collecting contacts from European professionals.
| Criterion | Why it matters | ContactLinker |
|---|---|---|
| EU hosting | Personal data stays within adequate-protection jurisdiction by default | Yes – European servers |
| DPA available | Required under GDPR when using a third-party processor | Yes – available on request |
| Explicit consent form | Establishes lawful basis; visitor actively shares their data | Yes – opt-in exchange form |
| Data export | Right to portability; you must be able to retrieve your collected contacts | Yes – CSV export from dashboard |
| Right to deletion | GDPR Article 17; you must be able to delete a contact on request | Yes – individual deletion from dashboard |
Being factual here matters: some US-based platforms do offer DPAs and can demonstrate adequate transfer mechanisms. “American company” does not automatically mean “non-compliant.” But it means you have more verification work to do, and the default assumption cannot be compliance. With a European platform hosted in Europe, the baseline is already correct.
How ContactLinker handles personal data
ContactLinker was designed for European professionals from the start. The data architecture reflects that.
Exchange form as explicit opt-in. When a visitor opens your ContactLinker space, the exchange button takes them to a short form: name, email, phone number, company. They fill it in and tap send. That submission is the consent event. Nothing is collected passively or without the visitor’s active choice.
You own your collected contacts. Every contact collected via the exchange form belongs to you. They are visible in your dashboard, exportable as a CSV at any time, and portable to any CRM. ContactLinker does not use your collected contacts for its own marketing, analytics, or third-party purposes.
Right to deletion. If a contact asks you to remove their details, you can do so directly from your dashboard. Individual contact deletion takes two clicks. The record is removed from the database.
No third-party data sharing. Contact data submitted through your exchange form does not flow to advertising platforms, analytics vendors, or any third party. The data path is: visitor submits form on your space, data lands in your ContactLinker dashboard, you export it if needed. That is the complete path.
We built ContactLinker in France. GDPR compliance was never an afterthought – it was the starting point. When we designed the exchange form, the first question was not “how do we maximise submissions” but “how do we make consent unambiguous.” The result is a form that a visitor fills in knowingly and submits deliberately. There is no pre-ticked checkbox, no implied consent from opening a page. The form is the consent mechanism. Simple, documented, defensible.
Practical GDPR checklist for your digital business card
- Your platform stores contact data in the EU or in an adequate-protection country
- You have a DPA in place with the platform if it processes data on your behalf
- The exchange form requires explicit action from the visitor (no passive collection)
- You can export your collected contacts at any time
- You can delete individual contacts on request
- Your privacy policy mentions the digital business card tool and the data it collects
FAQ
Is ContactLinker GDPR-compliant?
Yes. ContactLinker is hosted in Europe, processes data on European servers, provides a DPA on request, and collects contacts only through an explicit opt-in form. All collected contacts are owned by the account holder, exportable, and individually deletable.
Where is contact data stored?
On European servers. ContactLinker’s infrastructure is hosted in Europe. Data collected through the exchange form does not leave the EU by default.
Do visitors need to consent before their data is collected?
Yes. The exchange form requires visitors to fill in their details and actively submit the form. Nothing is collected without that explicit action. If your use case requires a formal consent checkbox (for documented audit trails), you can enable one directly in your ContactLinker space settings.
Can I delete a collected contact?
Yes, at any time from your dashboard. Individual contact deletion takes two clicks. If a contact exercises their right to erasure, you can honour that request immediately without involving ContactLinker support.
A digital business card that collects contacts and stays GDPR-compliant by design.