Part 5 of our 5-part series of articles

The development of the metaverse raises new data protection issues. A distinction must be made between the processing of users’ personal data by the operator and the data collected by companies that use the metaverse itself.

I. Applicability of the GDPR

1. Territorial scope of application
The GDPR applies geographically to the processing of personal data (Art. 3 I GDPR). If the operator of the metaverse is based in the EU or a metaverse operator addresses EU citizens, the GDPR is directly applicable. The observation of user behaviour also opens up the scope of application of the GDPR as soon as the purpose of the data processing is aimed at observing behaviour. Companies must also comply with the GDPR as soon as they target their services at EU citizens.

2. Material scope of application
In material terms, the GDPR applies only where personal data is processed (see Art. 4 No. 1 GDPR). The decisive factor is whether the data can be traced back to a person. The Metaverse operator already receives personal data of the user through registration. In the case of companies, data that analyses the user’s Metaverse presence can also be considered personal data.

II. Data protection responsibility of the actors involved

The controller is the person who alone or jointly with others decides on the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR). The Metaverse operator is therefore responsible in all cases. Companies may also be responsible if they collect user data themselves. A joint responsibility of the platform operator and the company is obvious if the companies receive overviews of the users’ presence. Finally, agencies may also be responsible if they process personal data of users as part of the provision of their services, as well as hardware providers who can collect all types of user data.

III. Justification of data processing

All personal data processing requires a justification pursuant to Art. 6 I 1 GDPR. A large part (e.g. login data) of the user data falls under Art. 6 I 1 lit. b GDPR. The merging of already known user data with data from the use of the Metaverse generally requires consent. If personal data is used for advertising purposes, this can often be justified under Art. 6 I 1 lit. f GDPR. Users often have to consent to the processing if the platform is used free of charge.

IV. Contractual agreements on data protection

Terms of use are agreed between the platform operator and the user when using the Metaverse. Data processing that is not necessary for the fulfilment of the contract is not covered by these Terms of Use. If companies process data jointly with the platform operator, an agreement pursuant to Art. 26 GDPR is required, which regulates who fulfils which obligation under the GDPR. In case of doubt, the platform operator is much closer to the data processing. In the event that agencies process user data in the metaverse, an order processing agreement in accordance with Art. 28 GDPR must be concluded.

V. Data protection information and rights of data subjects

The data protection information must contain information about the collection of personal data in the metaverse in accordance with Art. 13 GDPR. This must be done before the data is collected. In the case of joint controllership, both platform operators and companies must provide information about data processing. Care must be taken to ensure that this information is linked separately from the general data protection information. In addition, the rights of data subjects under the General Data Protection Regulation must be guaranteed. Both platform operators and companies must fulfil these requirements within one month (Art. 15 GDPR). The same applies to the deletion of personal data (Art. 17 GDPR).


Part 1 in issue 16-17/2023: Overview

Part 2 in issue 18/2023: Copyright law

Part 3 in issue 19/2023: Contract and competition law

Part 4 in issue 20/2023: Data protection