RFID and NFC Labels: A Privacy Guide for Manufacturers and Product Managers


If you incorporate RFID or NFC labels into the garments you manufacture — or are considering doing so — you are probably already familiar with their advantages: real-time traceability, more precise stock control, anti-counterfeiting, and an improved experience at the point of sale. What may receive less day-to-day attention is the privacy dimension that accompanies these technologies, and the legal obligations they create for companies as data controllers.

This is not about raising alarm. It is about understanding clearly what it means to put a label on a garment, what data that label can generate or transmit along the supply chain, and what European — and global — regulation requires of the companies that use them. According to the latest Eurobarometer survey by the European Parliament, published in January 2026, insufficient data protection concerns 68% of European citizens, placing it among the most widely perceived risks. Your end customers are part of that 68%. Understanding and managing privacy across your labelling chain is not just regulatory compliance: it is also a sound business decision.

What Are We Actually Talking About?

RFID (Radio Frequency Identification) is a technology that enables the automatic identification of objects via labels that transmit data using radio waves. Labels can be passive (activated upon receiving a signal from a reader), semi-passive, or active (with their own battery). In the textile sector, passive labels are the most common: they are used for warehouse stock control, in-store traceability, and anti-theft systems.

NFC (Near Field Communication) is a variant of RFID that operates at 13.56 MHz and at very short distances, generally under 20 centimetres. In fashion, an increasing number of brands are incorporating it for product authentication (verifying that a garment is genuine), to provide information about its origin and materials, or to create in-store customer experiences via mobile phone.

Both technologies share a characteristic that makes them relevant from a privacy standpoint: data transmission occurs automatically, without physical contact, and in many cases without the person carrying the garment being aware of it. As a manufacturer, you are the first in the chain to decide what information that label carries, how it is protected, and what happens to it once the garment leaves your control.

What Privacy Risks Does an RFID or NFC Label Create, and Why Do They Affect You?

Understanding the risks is not merely a technical matter: it is about understanding your legal and reputational responsibility. The following are the main ones in the context of the textile and fashion sector:

Unauthorised reading of the label. The primary privacy risk is the attempted reading of information stored on an RFID device without the knowledge of the person carrying it. If your label contains or provides access to data that identifies or characterises the wearer — a serial number linked to a customer database, or information that reveals purchasing habits — and it is not deactivated at the point of sale, part of the responsibility for having designed such a system falls on you as the manufacturer.

Profile building from active labels. This is the case explicitly cited by the AEPD (Spanish Data Protection Agency): a person wearing a garment whose RFID label is still active can be observed and classified by anyone with a reader. Using data mining techniques, it is possible to build consumption profiles based on the garments a person is wearing. This is particularly relevant if your business model includes reading labels after the point of sale — for example, for after-sales services, product authentication, or loyalty programmes.

Correlation of data across labels. Privacy risks multiply when a person is simultaneously wearing RFID labels from several brands, because anyone with access to readers can combine and correlate the information to build far more detailed profiles than any single company could have anticipated. Even if your company has no such intention, the design of your label may make it easier for third parties to do so.

Technical vulnerabilities in the system. Beyond the label itself, the complete ecosystem — readers in warehouses or shops, databases, communication systems — can be subject to attack: from interference that blocks communication, to spoofing via false information, or label cloning. A poorly designed system can compromise both the security of your logistics operations and the data of your customers.

The Regulatory Framework in Europe: What Textile Manufacturers Must Comply With

The GDPR as a Starting Point

The General Data Protection Regulation (GDPR) is the principal legal framework for the protection of personal data in Europe. Its aim is to safeguard the fundamental rights of natural persons with regard to the processing of their data, establishing principles such as lawfulness, transparency, data minimisation, and accountability. In Spain, it is applied in conjunction with Organic Law 3/2018 (LOPDGDD), under the supervision of the Spanish Data Protection Agency (AEPD).

When does the GDPR come into play for a textile manufacturer using RFID or NFC? Whenever the label, or the system to which it is connected, makes it possible to identify a natural person directly or indirectly. This includes labels linked to customer databases, loyalty programmes, warranty management, or user authentication in which the product can be associated with a specific individual.

If your label contains only an internal serial number with no link to personal data, and no system exists that would allow such a link, the GDPR probably does not apply. But as soon as that possibility of association exists, compliance is mandatory.

The Data Protection Impact Assessment (DPIA): When Is It Mandatory for Your Business?

This is one of the points most frequently overlooked by manufacturing companies. A Data Protection Impact Assessment (DPIA) is a formal, documented analysis that must be carried out before certain data processing activities are launched. And RFID is explicitly on the radar of supervisory authorities: the use of radio-frequency identification labels is expressly recognised as a technology that may be particularly intrusive, and which may therefore require this prior assessment.

The process includes a detailed description of the processing activity, an assessment of its necessity and proportionality, identification of risks, implementation of mitigation measures, and ongoing documentation and review — particularly when changes are made to the system.

As a practical rule for textile manufacturers: if your labelling system involves tracking individuals (for example, reading labels at points of sale or in public spaces linked to customer identities) or large-scale data processing, or could reveal sensitive information about the person wearing the garment, you need to carry out the DPIA before launching the system, not after. If in doubt, the AEPD provides specific methodological guidance that can help you make that determination.

Does the Data Act Apply to Textile Manufacturers?

Regulation (EU) 2023/2854, known as the Data Act, came into force on 12 September 2025. Its purpose is to regulate access to, use of, and sharing of data generated by connected products: IoT devices, sensor-equipped machinery, smart vehicles, and the like.

For most textile manufacturers, the Data Act does not apply directly. A standard RFID or NFC label on a garment does not generate data during use of the product — it simply identifies the item when read by a reader. The regulation is designed for products that continuously collect and transmit data during use.

The exception is smart garments incorporating active sensors — monitoring physical activity, body temperature, or other variables — a category that would fall within the scope of the Data Act. If your company is working or planning to work on this type of product, it is worth reviewing the implications in detail.

For the remainder of textile manufacturers, the reference framework remains the GDPR, alongside any applicable sector-specific regulation.

The Digital Omnibus of November 2025: Simplification Under Way

On 19 November 2025, the European Commission published the Digital Omnibus, an initiative to simplify and update the key pillars of the EU’s digital legal framework, including the GDPR and the Data Act. The aim is to reduce the compliance burden for businesses without lowering levels of protection. This package is currently in the legislative process, so it is worth monitoring its progress closely — particularly with regard to potential adjustments to GDPR obligations for small and medium-sized enterprises.

What Happens Outside Europe: A Global Perspective for Exporting Manufacturers

Textile manufacturers operating in international markets should be aware that the regulatory approach to privacy and smart labelling varies by region, although the global trend is towards increasingly demanding regulation.

The United States does not have a unified federal privacy law comparable to the GDPR. Regulation is structured at state level: California leads with the CCPA and its successive updates, and in 2025 several additional states introduced new privacy laws. For European manufacturers exporting to the US who process data from European citizens in the process, the GDPR continues to apply, alongside the EU–US Data Privacy Framework for international data transfers.

China has had the Personal Information Protection Law (PIPL) in place since 2021, with requirements similar to the GDPR for the processing of Chinese citizens’ data. A textile manufacturer producing in China or managing traceability systems with data linked to Chinese customers must take this into account, particularly where such data is transferred outside the country.

Latin America is progressing unevenly: Brazil has had the Lei Geral de Proteção de Dados (LGPD) since 2020, which follows the European model. Mexico, Argentina, and Colombia have their own frameworks at varying stages of development.

Asia-Pacific: Japan, South Korea, Australia, and Singapore all have their own data protection regulations, updated in recent years and largely aligned with international standards.

The practical rule for any globally operating manufacturer is clear: the GDPR applies whenever data from European citizens is processed, regardless of where the company is based. Designing labelling systems with the European standard as the benchmark is, in most cases, the most efficient strategy for operating across international markets.

Best Practice for Fashion Garment Manufacturers: How to Design Responsible Labelling Systems

The key lies in design. The decisions a manufacturer makes during the development phase of a labelling system largely determine the level of privacy risk and the compliance effort required thereafter. The following are the fundamental recommendations:

Data minimisation by design. Store only the information strictly necessary for the intended purpose in the label. In most cases, an internal serial number linked to the item — with no direct connection to personal data — is sufficient for logistics management and represents the lowest-risk approach from a privacy perspective.

Deactivation of labels at the point of sale. If your label has fulfilled its logistical function before the garment reaches the end consumer, deactivate it at the point of sale. This is the explicit recommendation of the AEPD and eliminates at source the primary privacy risk associated with textile labelling. If you need to keep it active after the sale — for authentication, warranty, or after-sales services — ensure the user is aware of this and has given their consent where required.

Clear information to the end user. Making known when, where, and why a label will be read is a legal obligation. As a manufacturer, this means deciding how to communicate that information: on the garment’s label, on the packaging, on the product website, or at the point of sale.

Impact assessment before launch. If your system can identify individuals, track their presence in retail spaces, or cross-reference data from different sources, carry out the DPIA before launch. It is far simpler and more cost-effective to incorporate privacy measures at the design stage than to correct them once the system is already running.

Technical security across the complete system. The label is only one part of the ecosystem. Implement encryption in the communication between labels and readers, control who can access reading systems and associated databases, and establish clear protocols for managing potential security breaches. When a breach occurs that affects personal data, notification to the relevant supervisory authority must be made within a maximum of 72 hours: having that protocol in place in advance makes all the difference.

Review of contracts across the value chain. If you work with distributors, retailers, or technology providers who have access to the data generated by your labels, ensure that your contracts with them reflect the data protection obligations that apply to you as the data controller. The GDPR requires specific contracts with processors.
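To make the data-minimisation recommendation above concrete, here is an added Python example (not code from the article's authors) that audits the NDEF content planned for an NFC label before it is encoded and reports anything that ties the tag to an individual. The list of personal-data parameter names, the `example.com` URLs and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

URI_PREFIX = {0: "", 3: "http://", 4: "https://"}  # NFC Forum URI prefix codes (subset)
# Assumption: query parameter names this audit treats as a link to a person.
PERSONAL_KEYS = {"email", "customer", "customer_id", "phone", "name", "loyalty_id"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def parse_ndef(data):
    """Yield (tnf, type, payload) for each record of an NDEF message."""
    i = 0
    while i < len(data):
        hdr, type_len = data[i], data[i + 1]
        n = 1 if hdr & 0x10 else 4             # SR flag: 1-byte payload length
        pay_len = int.from_bytes(data[i + 2:i + 2 + n], "big")
        i += 2 + n
        id_len = data[i] if hdr & 0x08 else 0  # IL flag: ID length byte present
        i += 1 if hdr & 0x08 else 0
        rtype = data[i:i + type_len]
        start = i + type_len + id_len
        i = start + pay_len
        if i > len(data):
            raise ValueError("truncated NDEF record")
        yield hdr & 0x07, rtype, data[start:i]
        if hdr & 0x40:                         # ME flag: last record
            return

def audit_label(data):
    """Return findings for content that ties the tag to an individual."""
    findings = []
    for tnf, rtype, payload in parse_ndef(data):
        if tnf != 1 or not payload:            # NFC Forum well-known types only
            continue
        if rtype == b"U":
            uri = URI_PREFIX.get(payload[0], "") + payload[1:].decode("utf-8")
            for key, _ in parse_qsl(urlsplit(uri).query):
                if key.lower() in PERSONAL_KEYS:
                    findings.append(f"URI parameter '{key}' links the tag to a person")
        elif rtype == b"T":
            enc = "utf-16" if payload[0] & 0x80 else "utf-8"  # assumes a BOM for UTF-16
            text = payload[1 + (payload[0] & 0x3F):].decode(enc)
            if EMAIL_RE.search(text):
                findings.append("text record contains an e-mail address")
    return findings

# Constructed samples (header, type length, payload length, type, payload).
MINIMAL = b"\xd1\x01\x1dU\x04example.com/item?sn=7F3A9C21"
LEAKY = (b"\x91\x01\x2fU\x04example.com/item?sn=7F3A9C21&customer_id=48213"
         b"\x51\x01\x19T\x02enowner: ana@example.com")
```

`audit_label(MINIMAL)` returns an empty list because the label carries only an item serial, while `audit_label(LEAKY)` reports both the `customer_id` parameter and the e-mail address in the text record.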

RFID and NFC labels are highly valuable tools for the fashion industry. But their responsible use requires understanding that, from the moment a label can be associated with a person, specific regulatory obligations come into play — obligations that affect product design, contracts across the distribution chain, and the company’s internal processes.

The European regulatory framework is evolving rapidly: the GDPR remains the backbone, the Data Act redefines rights over data generated by connected products, and the Digital Omnibus promises to adapt and simplify the overall framework. For exporting manufacturers, the complexity multiplies — though designing with the European standard as a benchmark tends to be the most efficient strategy.

The good news is that a responsible approach to labelling system design is entirely compatible with operational efficiency. More than that, it reduces regulatory risk, builds trust throughout the commercial chain, and protects brand reputation in the eyes of a consumer who, as the data shows, is paying ever closer attention to how their personal data is handled.

Article prepared by the Indet team. Updated April 2026. This content is intended for informational and educational purposes. For specific advice tailored to your situation, we recommend consulting a data protection specialist.
