---
title: "eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations"
canonical_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-gdpr-identity-data"
source_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-gdpr-identity-data"
author: "Sorena AI"
description: "Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "eIDAS"
  - "GDPR"
  - "identity data"
  - "EUDI Wallet"
  - "trust services"
  - "relying parties"
  - "data minimisation"
---

# eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations

Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.


## eIDAS vs GDPR identity-data obligations

Separate eIDAS duties for electronic identification, trust services, qualified certificates, and EUDI Wallet relying parties from GDPR duties for personal-data processing.

Use this comparison to scope roles, lawful basis, minimisation, relying-party evidence, security controls, breach handling, and user-rights records without treating one regime as a substitute for the other.

eIDAS and GDPR often meet in the same identity journey, but they answer different questions. eIDAS defines the EU framework for electronic identification, EUDI Wallets, trust services, signatures, seals, certificates, attestations, validation, and relying-party recognition. GDPR applies when identity attributes, wallet logs, signatures, certificates, contact details, authentication events, or support records are personal data processed by a controller or processor. The practical result is usually two linked records: one proving the eIDAS role, service, legal effect, or wallet requirement, and one proving the GDPR purpose, lawful basis, minimisation, security, retention, and rights handling for the same data flow.

## eIDAS vs GDPR for identity data

Use these rows to decide which regime answers each operational question in an identity, wallet, or trust-service flow.

- **eIDAS and EUDI Wallet rules**: Use this side to classify the identity means, wallet role, trust service, certificate, attestation, validation result, legal effect, and relying-party registration evidence.
- **GDPR identity-data rules**: Use this side to classify the controller or processor role, purpose, lawful basis, minimisation, transparency, rights, security, breach, retention, and accountability evidence.

| Dimension | eIDAS and EUDI Wallet rules | GDPR identity-data rules | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | eIDAS governs electronic identification schemes, EUDI Wallets, trust service providers, qualified trust services, electronic signatures, seals, timestamps, electronic registered delivery, website-authentication certificates, electronic attestations of attributes, and related legal effects. | GDPR governs processing of personal data, including identity attributes, identifiers, authentication events, wallet connection logs, certificate-holder data, support records, and security records when they relate to an identified or identifiable natural person. | Start every project with two scope labels: the eIDAS role or artifact, and the GDPR processing activity. One does not automatically answer the other. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports the eIDAS scope for electronic identification and trust services.<br>[Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports that eIDAS wallet rules operate without replacing GDPR obligations.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR scope for processing personal data. |
| Covered actors | Key eIDAS actors include Member States, wallet providers, relying parties, trust service providers, qualified trust service providers, issuers of electronic attestations, supervisory bodies, and conformity assessment bodies. | Key GDPR actors are controllers, processors, joint controllers, data protection officers where required, representatives where required, recipients, and supervisory authorities. | A relying party can also be a GDPR controller for its attribute request and retention. A trust-service provider can also be a controller or processor for certificate and validation data. | [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports EUDI Wallet relying-party and wallet-provider role concepts.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports assigning GDPR responsibility by purposes and means, not only by product role. |
| Trigger | eIDAS supplies identity and trust-service legal effects, such as recognition of notified eID schemes, qualified signature and seal effects, certificate validity checks, and wallet relying-party requirements. | GDPR still requires a lawful basis for each personal-data processing purpose, such as consent, contract, legal obligation, public task, vital interests, or legitimate interests where available and not overridden. | Do not cite eIDAS status as the whole privacy justification. Keep a GDPR lawful-basis entry for each identity-data collection, validation, storage, sharing, monitoring, and deletion purpose. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports eIDAS legal-effect and trust-service concepts.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports purpose-by-purpose lawful-basis recording. |
| Core obligations | EUDI Wallet relying parties must register their intended wallet use and indicate the data to be requested; they should not request data beyond that registered indication. Wallet design also supports selective disclosure. | GDPR requires personal data to be adequate, relevant, limited to what is necessary, and protected by design and by default so only necessary personal data is processed for each purpose. | Build the attribute-request review around the stricter practical result: ask only for registered, purpose-linked, necessary attributes, and prefer selective disclosure or a derived proof where it satisfies the use case. | [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports relying-party data-request scoping and selective-disclosure requirements.<br>[EUDI Wallet Architecture and Reference Framework](https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/latest/architecture-and-reference-framework-main.pdf?ref=sorena.io) - Supports using selective disclosure to limit attributes presented to relying parties.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR data minimisation and data protection by design and default. |
| Evidence record | eIDAS evidence includes relying-party registration, intended wallet use, requested data, authentication and identification of the relying party, validation of person identification data or attestations, trusted-list checks, and certificate validity or revocation status. | GDPR evidence includes records of processing activities, notices, lawful-basis records, processor terms, retention rules, rights logs, DPIAs where high-risk processing requires one, and security control records. | Keep validation proof and personal-data proof linked but distinct. A successful wallet or certificate validation does not prove the retained data was necessary, transparent, or stored for an appropriate period. | [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports EUDI Wallet relying-party registration, identification, and validation duties.<br>[Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports trust-service and certificate validation evidence concepts.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping evidence that demonstrates processing compliance. |
| Timing and deadlines | eIDAS focuses on reliability and security of identity means, wallets, trust services, certificates, validation services, and supervised qualified services; wallet breaches can trigger suspension, withdrawal, user and relying-party notifications, and supervisory handling. | GDPR focuses on risk to natural persons from personal-data processing, including appropriate security measures and supervisory-authority notification where a personal-data breach is likely to create risk. | For an identity incident, run both analyses: whether wallet or trust-service reliability is affected, and whether personal data was breached under GDPR. | [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports wallet breach, suspension, withdrawal, and notification concepts.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports documenting breach facts, effects, and remedial action. |
| Enforcement | eIDAS issues go through eIDAS supervisory bodies, wallet supervisory and certification routes, trusted-list and qualified-status mechanisms, and national implementation structures. | GDPR issues go through data-protection supervisory authorities, corrective powers, administrative fines, complaints, compensation, and court remedies. | Route escalation by the failure type. Misleading wallet relying-party registration and unlawful personal-data collection may need both eIDAS and GDPR escalation paths. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports eIDAS supervisory and trusted-list mechanisms for trust services.<br>[Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports separate eIDAS handling for relying-party misuse while preserving GDPR reporting routes.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR supervisory-authority, complaint, remedy, compensation, and fine mechanisms. |
| Overlap and reuse | EUDI Wallet rules include user-facing controls such as selecting, deleting, sharing, presenting, viewing relying-party connections and exchanged data, requesting erasure by a relying party, reporting suspicious data requests, and using data portability features. | GDPR provides the broader rights framework for personal data, including transparency, access, rectification, erasure, restriction, portability, objection, complaint, and judicial remedy routes where applicable. | Design user journeys so wallet controls and GDPR rights requests are routed coherently. A wallet dashboard action may need a GDPR fulfilment workflow behind it. | [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports wallet user controls for sharing, deleting, viewing relying-party connections, erasure requests, and reporting suspicious requests.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports treating user requests as controller obligations when GDPR applies. |
| Practical decision rule | Accept eIDAS evidence for what it proves: identity assurance, trust-service status, wallet role, relying-party registration, certificate validity, signature or seal validation, attestation status, or legal effect. | Accept GDPR evidence for what it proves: purpose, lawful basis, transparency, minimisation, controller or processor accountability, security, retention, rights handling, breach handling, and transfer safeguards where relevant. | A compliant identity journey needs both columns when personal data is involved: eIDAS proof that the identity or trust artifact is valid, and GDPR proof that the processing around it is lawful and limited. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports treating eIDAS evidence as proof of identity and trust-service status or legal effect.<br>[Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports treating GDPR evidence as proof of lawful, accountable personal-data processing.<br>[Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports the conclusion that EUDI Wallet obligations and GDPR processing obligations must be read together. |

Sources for Scope boundary - eIDAS and EUDI Wallet rules:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports the eIDAS scope for electronic identification and trust services.
  - Quote: "electronic identification and trust services for electronic transactions"
- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports EUDI Wallet and electronic attestation additions to the eIDAS framework.
  - Quote: "European Digital Identity Framework"

Sources for Scope boundary - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR scope for processing personal data.
  - Quote: "processing of personal data"

Sources for Scope boundary - operational implication:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports that eIDAS wallet rules operate without replacing GDPR obligations.
  - Quote: "without prejudice to Regulation (EU) 2016/679"

Sources for Covered actors - eIDAS and EUDI Wallet rules:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports EUDI Wallet relying-party and wallet-provider role concepts.
  - Quote: "Where a relying party intends to rely upon European Digital Identity Wallets"

Sources for Covered actors - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports controller, processor, and joint-controller responsibility concepts.
  - Quote: "determines the purposes and means"

Sources for Covered actors - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports assigning GDPR responsibility by purposes and means, not only by product role.
  - Quote: "the purposes and means of processing"

Sources for Trigger - eIDAS and EUDI Wallet rules:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports eIDAS legal-effect and trust-service concepts.
  - Quote: "legal framework for electronic signatures"

Sources for Trigger - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports Article 6 lawful-basis categories for processing personal data.
  - Quote: "Processing shall be lawful only if"

Sources for Trigger - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports purpose-by-purpose lawful-basis recording.
  - Quote: "one or more specific purposes"

Sources for Core obligations - eIDAS and EUDI Wallet rules:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports relying-party data-request scoping and selective-disclosure requirements.
  - Quote: "selective disclosure of data is possible"
- [EUDI Wallet Architecture and Reference Framework](https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/latest/architecture-and-reference-framework-main.pdf?ref=sorena.io) - Supports selective disclosure, collection limitation, and user approval in wallet presentations.
  - Quote: "collection limitation"

Sources for Core obligations - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR data minimisation and data protection by design and default.
  - Quote: "only personal data which are necessary"

Sources for Core obligations - operational implication:

- [EUDI Wallet Architecture and Reference Framework](https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/latest/architecture-and-reference-framework-main.pdf?ref=sorena.io) - Supports using selective disclosure to limit attributes presented to relying parties.
  - Quote: "approve or deny the presentation"

Sources for Evidence record - eIDAS and EUDI Wallet rules:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports EUDI Wallet relying-party registration, identification, and validation duties.
  - Quote: "identify themselves to the user"
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports trust-service and certificate validation evidence concepts.
  - Quote: "validity or revocation status"

Sources for Evidence record - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR records of processing, accountability, DPIA, security, and rights evidence.
  - Quote: "maintain a record of processing activities"

Sources for Evidence record - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping evidence that demonstrates processing compliance.
  - Quote: "be able to demonstrate compliance"

Sources for Timing and deadlines - eIDAS and EUDI Wallet rules:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports wallet breach, suspension, withdrawal, and notification concepts.
  - Quote: "breached or partly compromised"

Sources for Timing and deadlines - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR security of processing and personal-data breach notification.
  - Quote: "not later than 72 hours"

Sources for Timing and deadlines - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports documenting breach facts, effects, and remedial action.
  - Quote: "document any personal data breaches"

Sources for Enforcement - eIDAS and EUDI Wallet rules:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports eIDAS supervisory and trusted-list mechanisms for trust services.
  - Quote: "supervisory body"
- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports EUDI Wallet supervisory and relying-party mechanisms.
  - Quote: "suspend or cancel the registration"

Sources for Enforcement - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR supervisory-authority, complaint, remedy, compensation, and fine mechanisms.
  - Quote: "right to lodge a complaint"

Sources for Enforcement - operational implication:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports separate eIDAS handling for relying-party misuse while preserving GDPR reporting routes.
  - Quote: "competent national data protection authority"

Sources for Overlap and reuse - eIDAS and EUDI Wallet rules:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports wallet user controls for sharing, deleting, viewing relying-party connections, erasure requests, and reporting suspicious requests.
  - Quote: "request the erasure by a relying party"

Sources for Overlap and reuse - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports data-subject rights, complaint rights, and remedies under GDPR.
  - Quote: "Right to erasure"

Sources for Overlap and reuse - operational implication:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports treating user requests as controller obligations when GDPR applies.
  - Quote: "The data subject shall have the right"

Sources for Practical decision rule - eIDAS and EUDI Wallet rules:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports treating eIDAS evidence as proof of identity and trust-service status or legal effect.
  - Quote: "trust service providers established in the Union"

Sources for Practical decision rule - GDPR identity-data rules:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports treating GDPR evidence as proof of lawful, accountable personal-data processing.
  - Quote: "lawfully, fairly and in a transparent manner"

Sources for Practical decision rule - operational implication:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports the conclusion that EUDI Wallet obligations and GDPR processing obligations must be read together.
  - Quote: "without prejudice to Regulation (EU) 2016/679"

### How to use this comparison

- Name the eIDAS artifact or role before naming privacy controls: wallet provider, relying party, trust service provider, qualified certificate, attestation, signature, seal, validation service, or trusted-list check.
- For each personal-data field, record the GDPR purpose, lawful basis, controller or processor role, retention rule, security measure, and rights route.
- Reject attribute requests that are not registered for the relying-party use case or not necessary for the GDPR purpose.
- Escalate incidents through both tracks when they affect trust-service or wallet reliability and personal-data confidentiality, integrity, availability, or rights.

Sources for the practical decision rule:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports wallet and relying-party scoping before implementation.
  - Quote: "the intended use of European Digital Identity Wallets"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the parallel GDPR record for personal-data processing.
  - Quote: "the purposes of the processing"

## The core distinction

Use eIDAS first to classify the identity or trust-service function: notified electronic identification scheme, EUDI Wallet, relying party, qualified trust service provider, qualified certificate, electronic signature, seal, timestamp, registered delivery, website authentication certificate, or electronic attestation of attributes.

Use GDPR next to classify the processing of personal data inside that function. The eIDAS text itself says the regulation is without prejudice to GDPR, so a valid eIDAS identity or trust-service flow still needs GDPR records when personal data is collected, stored, validated, shared, logged, or retained.

- eIDAS evidence shows why the identity or trust-service artifact can be relied on.
- GDPR evidence shows why each personal-data processing step is lawful, limited, secure, transparent, and reviewable.
- Do not use a qualified certificate, wallet registration, or trusted-list entry as a blanket lawful basis under GDPR.

Sources for this answer:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports the original eIDAS scope for electronic identification and trust services.
- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports the EUDI Wallet additions to eIDAS, including wallet, relying-party, and user-control concepts.
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR processing principles, controller and processor duties, rights, security, breach notification, and accountability requirements.

## Identity-data decisions to make before launch

For an EUDI Wallet or trust-service integration, the first product decision is not a generic privacy label. It is whether the product is acting as a wallet provider, relying party, trust service provider, certificate validator, issuer of attestations, processor, controller, or joint controller for each step.

The second decision is the exact data request. Under eIDAS wallet rules, relying parties register intended wallet uses and the data they request; under GDPR, controllers must keep personal data adequate, relevant, limited to the purpose, and protected by design and default. Those tests should be reviewed together before adding an attribute request, account-linking field, retention rule, or analytics event.

- Record the relying-party purpose and requested attributes before requesting wallet data.
- Map each identity attribute to a GDPR purpose and lawful basis; do not bundle unrelated purposes into the same request.
- Keep separate records for certificate validity checks, signature validation, wallet-presented attributes, support logs, and fraud/security monitoring.
- Test whether pseudonyms, selective disclosure, or proof of a fact can satisfy the use case without collecting the full attribute set.

Sources for this answer:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports relying-party registration, requested-data scoping, user control, and EUDI Wallet role requirements.
- [EUDI Wallet Architecture and Reference Framework](https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/latest/architecture-and-reference-framework-main.pdf?ref=sorena.io) - Supports implementation detail for selective disclosure, relying-party registration certificates, user approval, and linkability risks.
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR minimisation, lawful basis, privacy by design and default, and accountability obligations.

## Evidence that should not be merged

A single audit folder can hold both regimes, but the proof points should remain labelled. eIDAS evidence is about identity assurance, wallet registration, trusted-list status, certificate status, qualified service status, validation outputs, conformity assessment, and trust-service supervision. GDPR evidence is about processing purpose, lawful basis, controller or processor role, notices, records of processing activities, rights handling, security measures, breach assessment, and retention.

This separation matters when a relying party keeps wallet transaction data. The eIDAS-side record may show that the relying party registered the intended wallet use and identified itself to the user. The GDPR-side record must still explain why the stored attributes or logs are needed, who controls them, how long they are retained, who receives them, and how rights requests are handled.

- Label each evidence item with the legal question it answers: eIDAS status, wallet role, trust-service validity, GDPR lawful basis, GDPR rights, or GDPR security.
- Store certificate and attestation validation results separately from raw identity attributes where possible.
- Keep a change log for new wallet attributes, relying-party registrations, processor terms, retention rules, and security controls.
- Use data-protection review when eIDAS evidence contains personal data or creates persistent linkability risk.

Sources for this answer:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports EUDI Wallet relying-party registration, identification, validation, and user-facing data exchange requirements.
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports records of processing activities, controller accountability, security, and rights handling for identity-data processing.

## Security and rights overlap

Security duties overlap but are not identical. eIDAS focuses on the reliability of electronic identification means, EUDI Wallets, trust services, certificates, validation, and supervised qualified services. GDPR focuses on the risks to people from personal-data processing and requires appropriate technical and organisational measures for controllers and processors.

Rights handling also overlaps. The EUDI Wallet framework includes user-facing wallet capabilities such as viewing relying-party connections and requesting erasure from relying parties. GDPR supplies the broader rights framework, including access, rectification, erasure, restriction, portability, objection, and complaint routes where the processing falls within GDPR.

- Treat a wallet or trust-service security incident as both a service-reliability question and a personal-data breach question when personal data is affected.
- Give users a route to understand what identity data was requested, by whom, for what purpose, and how to exercise GDPR rights.
- Use the EUDI Wallet ARF privacy guidance to test attribute minimisation, relying-party linkability, and whether fixed identifiers can be discarded after validation.
- Escalate separately to the eIDAS supervisory path and the data-protection authority path when both regimes are implicated.

Sources for this answer:

- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports wallet functions for transaction logs, erasure requests, reporting suspicious relying-party data requests, and breach handling.
- [EUDI Wallet Architecture and Reference Framework](https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/latest/architecture-and-reference-framework-main.pdf?ref=sorena.io) - Supports the privacy risk discussion for selective disclosure, collection limitation, relying-party registration, and linkability.
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR security, breach-notification, data-subject-rights, and supervisory-authority obligations.

## Primary sources

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A32014R0910&ref=sorena.io) - Supports treating eIDAS evidence as proof of identity and trust-service status or legal effect.
  - Quote: "trust service providers established in the Union"
- [Regulation (EU) 2024/1183 establishing the European Digital Identity Framework](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Supports wallet and relying-party scoping before implementation.
  - Quote: "the intended use of European Digital Identity Wallets"
- [EUDI Wallet Architecture and Reference Framework](https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/latest/architecture-and-reference-framework-main.pdf?ref=sorena.io) - Supports using selective disclosure to limit attributes presented to relying parties.
  - Quote: "approve or deny the presentation"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the parallel GDPR record for personal-data processing.
  - Quote: "the purposes of the processing"

